If you’re one of the 66,000 people from New South Wales who voted in the state election using iVote between Monday March 16 and midday on Saturday March 21, your vote could have been exposed or changed without you knowing.
How do we know that? Because we uncovered a security flaw in the popular iVote system that would have let us do exactly that, if we’d chosen to. That’s despite repeated assurances from the New South Wales Electoral Commission that:
People’s vote is completely secret. It’s fully encrypted and safeguarded, it can’t be tampered with
As we’ve been able to show, that’s not true.
A screenshot demonstrating how a security flaw could have allowed two online security experts to intercept and change votes using the NSW iVote system.
We should stress that rather than do anything illegal or disrupt the March 28 state election result, we tested this security weakness only on our own practice vote at the iVote practice server. After checking that the same weakness affected the real voting server, we alerted the authorities late last week. We also waited until we could see the problem had been fixed before talking publicly about it.
Less than a week to expose iVote’s vulnerability
The problem we found was that the voting server had loaded some code from a third-party site vulnerable to the FREAK attack, a major security flaw that left Apple and Google devices vulnerable to hacking (you can read a recent Washington Post article explaining the FREAK flaw).
How did that global security problem affect iVote? For a longer, more technical explanation of what we did and found, read more here.
The shorter version is that with less than a week of concerted effort, the two of us discovered that the FREAK flaw allowed us — or potentially anyone with the right technical knowledge — to intercept a NSW voter’s internet traffic, and insert different code into vulnerable web browsers. Many, but not all, browsers have been appropriately patched over the last week — this site lets you check whether yours is still vulnerable.
We demonstrated that we could make the voter’s web browser display what the voter wanted, but secretly send a different vote to the iVote voting server.
Real hackers rarely leave such obvious clues — but online security experts testing the NSW iVote system used this Ned Kelly symbol.
The iVote system does include a vote verification process for people who choose to vote online or by phone, where they can subsequently call an automated interactive phone line to double-check what vote the system holds for them.
However, that verification system could have errors or security vulnerabilities; we can’t tell you with any certainty either way, since there’s no publicly-available source code or system details.
Given the supposedly “fully encrypted and safeguarded” iVote system proved so vulnerable to attack, we certainly would not recommend people take any chances by voting online in the NSW election.
The NSW online vote is globally significant
The 2015 NSW election is Australia’s biggest-ever test of electronic voting, which has largely been limited to small trials in the past. The official predictions have been that 200,000 to 250,000 people would vote using iVote in this election.
And this NSW election already ranks as one of the world’s biggest online votes to date, on track to exceed the 70,090 Norwegians who voted electronically in 2013, and perhaps even beat the 176,491 people who voted online in the 2015 Estonian election.
In just its first week, even apart from our discovery things haven’t run smoothly.
Early voting using iVote opened at 8am on Monday March 16, and it will close at 6pm on election night, Saturday March 28.
On Tuesday March 17, the NSW Electoral Commission suspended voting for six hours after it turned out that two minor parties had been left off the “above the line” section of the NSW upper house online ballot paper. That problem, blamed on human error, was fixed — but not before 19,000 votes had already been cast.
Serious human errors do sometimes happen in elections, and they can affect paper ballots too.
NSW vs Washington DC’s approach
Less than a fortnight ago, one of us (Dr Teague) wrote in The Conversation about the potential privacy and vote tampering problems with iVote. That article reflected concerns expressed in a letter to the NSW Electoral Commission in 2013. Yet the commission has never responded meaningfully to those concerns, and also chose not to publicly comment on the FREAK security flaw that we exposed.
However, that’s not the approach taken by electoral authorities elsewhere wanting to deliver trustworthy election results.
For example, in 2010, the Washington D.C. Board of Elections and Ethics invited a team of experts from University of Michigan (led by Professor Halderman) to try to hack the district’s new online voting system.
Within 48 hours, the University of Michigan team had broken in, taken over the election server, added fictional movie and TV characters as candidates (including for mayor and the member of congress), changed every vote, and revealed almost every secret ballot.
The election officials didn’t realise their system had been hacked for nearly two business days. When they did, it was only because the hacking team left behind a musical “calling card”, changing the Thank You page that appeared at the end of the voting process so that it played the University of Michigan fight song.
A final note for NSW voters
We hope there are no more exploitable security problems in iVote and that the rest of the NSW election runs more smoothly.
But since we’ve had no opportunity to inspect the server side code or systems, there’s no way to be sure. When you’re working on the internet, new vulnerabilities emerge all the time.
That’s why, if you want to be sure your vote counts in the NSW election, we recommend you stick with an old-fashioned paper ballot.
* You can view a short TV news clip confirming that about 66,000 votes were cast with iVote before this security flaw was fixed, via ABC News NSW (play from 12:18).Vanessa Teague is Research Fellow in the Department of Computing and Information Systems at University of Melbourne. J. Alex Halderman is Director, University of Michigan Center for Computer Security and Society and Morris Wellman Faculty Development Assistant Professor of Computer Science and Engineering at University of Michigan.