Britain’s hopes of enabling online voting in general elections by 2020 have faced a dose of reality after a security vulnerability in an Australian system was exposed. The iVote system was introduced for the New South Wales (NSW) State Election in 2011 for voters who are more than 20 kilometres from a polling station, and has also been used in subsequent state by-elections. But its use in NSW’s state election this month has faced intense scrutiny after researchers discovered a major security hole that could allow a hacker to read and manipulate votes. With 66,000 online votes already cast by the time Vanessa Teague and J. Alex Halderman, of the University of Melbourne and University of Michigan respectively, disclosed their findings, the legitimacy of the entire election has been called into doubt.
One of the servers used to serve the voting website has “very poor security” and is vulnerable to a range of cyber attacks, including the recently discovered FREAK attack, the researchers found. They reported the vulnerability to CERT Australia on Friday, resulting in the Electoral Commission fixing the flaw the following day.
‘Unfortunately, the system had already been operating insecurely for almost a week, exposing tens of thousands of votes to potential manipulation,’ the researchers wrote. ‘The vulnerability to the FREAK attack illustrates once again why internet voting is hard to do securely.
‘The system has been in development for years, but FREAK was announced only a couple of weeks before the election. Perhaps there wasn’t time to thoroughly retest the iVote system for exposure.’