Second flaw found in Swiss election system could change ‘valid votes into nonsense,’ researchers say
Researchers have uncovered a second security flaw in the electronic voting system employed by the Swiss government.
The vulnerability involves a problem with the implementation of a cryptographic protocol used to generate decryption proofs, a weakness that could be leveraged “to change valid votes into nonsense that could not be counted,” researchers Sarah Jamie Lewis, Olivier Pereira and Vanessa Teague wrote in a paper published Monday.
This disclosure comes weeks after the same team of researchers announced they had uncovered a flaw in the e-voting system that could allow hackers to replace legitimate votes with fraudulent ones. Swiss Post, the country’s national postal service, which developed the system along with Spanish technology maker Scytl, said earlier this month that the first vulnerability had been resolved.
Researchers said at the time that the vulnerability demonstrated what can go wrong when governments shift to electronic voting with no alternative plan. The security and integrity of electronic voting systems vary by country, and the vulnerabilities outlined in this research are specific to Switzerland, but other parts of the world are increasingly moving toward a voting infrastructure where it could soon be impossible to verify whether vote tampering has occurred. Christopher Krebs, head of the U.S. Cybersecurity and Infrastructure Security Agency, told Congress last month that election officials must have the ability to audit election results.
“If you don’t know what’s happening and you can’t check back at what’s happening in the system, you don’t have security,” he said.
In the paper published Monday, Lewis, Pereira and Teague said the second flaw is a weakness in how the decryption proofs apply the Fiat-Shamir heuristic. The vulnerability “allows a cheating authority to produce a proof of proper decryption, which passes verification, but declares something other than the true plaintext.”
To examine the ramifications of the issue, the researchers wrote that they exhibited “an exploit in which a malicious authority … modifies selected votes during the (partial) decryption procedure and forges decryption proofs that are indistinguishable from valid ones, and would therefore pass verification.”
While such malicious activity would leave evidence “that something went wrong,” the research cited its mere possibility as evidence that the voting system does not offer “complete verifiability,” as its creators have suggested.
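The mechanics behind this kind of flaw, as an added illustration that is not part of the article or of the Swiss Post/Scytl code: a toy Chaum-Pedersen proof that an ElGamal ciphertext was decrypted correctly, with the Fiat-Shamir challenge computed two ways. Strong Fiat-Shamir hashes the full statement, including the claimed decryption factor d, so the challenge changes whenever d does; weak Fiat-Shamir hashes only the prover's commitments, so d is not bound by the challenge at all. The group parameters, fixed secrets and hashing layout are constructed assumptions for the example, not the real system's.

```python
import hashlib

# Toy ElGamal group, constructed for the example: P = 2Q + 1 with Q prime, and G
# generates the order-Q subgroup. Far too small for real use; it keeps the arithmetic legible.
P, Q, G = 1019, 509, 4

def fs_transcript(pk, alpha, d, a, b, strong):
    """Bytes fed to the Fiat-Shamir hash. Strong FS commits to the whole statement
    (G, pk, alpha, d) plus the commitments; weak FS hashes the commitments a, b only."""
    parts = (G, pk, alpha, d, a, b) if strong else (a, b)
    return "|".join(map(str, parts)).encode()

def fs_challenge(pk, alpha, d, a, b, strong):
    digest = hashlib.sha256(fs_transcript(pk, alpha, d, a, b, strong)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)   # in [1, Q-1], never 0

def encrypt(pk, m, r):
    """ElGamal: m is a subgroup element, r the encryption randomness."""
    return pow(G, r, P), m * pow(pk, r, P) % P

def prove_decryption(sk, pk, alpha, w, strong):
    """Chaum-Pedersen: d = alpha^sk has the same discrete log (sk) as pk = G^sk."""
    d = pow(alpha, sk, P)
    a, b = pow(G, w, P), pow(alpha, w, P)
    c = fs_challenge(pk, alpha, d, a, b, strong)
    return d, (a, b, (w + c * sk) % Q)

def verify_decryption(pk, alpha, d, proof, strong):
    a, b, z = proof
    c = fs_challenge(pk, alpha, d, a, b, strong)   # verifier recomputes c; never trusts a supplied one
    return (pow(G, z, P) == a * pow(pk, c, P) % P
            and pow(alpha, z, P) == b * pow(d, c, P) % P)

def demo(strong):
    sk, r, w = 123, 77, 301          # constructed fixed secrets; real code draws them randomly
    pk = pow(G, sk, P)
    vote = pow(G, 5, P)              # candidate 5 encoded as a group element
    alpha, beta = encrypt(pk, vote, r)
    d, proof = prove_decryption(sk, pk, alpha, w, strong)
    a, b, _ = proof
    wrong_d = d * G % P              # a substituted decryption factor: beta / wrong_d is nonsense
    return {
        "honest_verifies": verify_decryption(pk, alpha, d, proof, strong),
        "recovers_vote": beta * pow(d, -1, P) % P == vote,
        # With weak FS the challenge is fixed before d enters the hash, so a prover who sees c
        # first has freedom to fit d around it; with strong FS any change to d changes c.
        "challenge_binds_d": fs_transcript(pk, alpha, d, a, b, strong)
                             != fs_transcript(pk, alpha, wrong_d, a, b, strong),
        "substituted_d_rejected": not verify_decryption(pk, alpha, wrong_d, proof, strong),
    }
```

Swapping d into an otherwise honest proof is caught under both variants; the defensive lesson is the `challenge_binds_d` flag, since only the strong variant denies a dishonest prover the chance to choose d after the challenge is known.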
Swiss Post has not yet confirmed the research team’s latest analysis, according to the paper.
“We are a small team of researchers investigating this code base for the first time,” they wrote. “In a few weeks, and while spending a small fraction of our time on this investigation, we have found critical breaks of both the main components of the proof that there is no server-side fraud – the complete verifiability property. We only inspected a small fraction of this voting system, and we therefore have no reason to believe that it does not contain other critical issues.”
Australia’s New South Wales Electoral Commission, which uses the same voting system, said in a statement it is not affected by the second vulnerability.