Scytl, the Spanish vendor behind Swiss and NSW e-voting software, has taken a swipe at researchers who uncovered a vulnerability in its source code allowing undetectable vote manipulation.
The vendor went into damage control overnight, claiming the attacks uncovered by Australian and international researchers were “highly unlikely – not to say impossible – to perform”, while at the same time noting it had decided to update its code.
Scytl, together with Swiss Post, opened its source code to public scrutiny in late February in what it called a “public hacker test” of the e-voting system.
Cryptography and privacy researchers Sarah Jamie Lewis, Olivier Pereira and Australia’s own Vanessa Teague used the test to find a vulnerability they said could allow undetectable vote manipulation.
The researchers said the problem was “entirely consistent with a naive implementation of a complex cryptographic protocol by well-intentioned people who lacked a full understanding of its security assumptions and other important details.”
Scytl overnight took a swipe at the intentions of some researchers participating in the public intrusion test.
“The objective of this program is indeed to identify any potential vulnerabilities in a transparent manner,” it said.
“These findings should not be used to create controversy or adverse reactions towards online voting, but instead to foster a constructive dialogue with experts and, together, enhance the security of our electoral system.”
Sarah Jamie Lewis responded via Twitter to Scytl’s barb and to its finding on the likelihood of the attacks.
“The thing about fostering constructive dialogue is that you can't criticise researchers for raising concerns about your project and then pretend this was all part of the plan when they find something,” she said.
“This is one of those cases where people really need to demand an independent, transparent audit and assessment.
“Not that I don't trust Scytl's findings - but there is obviously an inherent conflict of interest in them deciding the risk of something as big as election compromise.”
She added she is for, not against, e-voting, with the proviso that the systems stand up to the “highest standards and scrutiny.”
“The problem, as I see it, is people who don't welcome that scrutiny,” she said.
Earlier this week, the NSW Electoral Commission said the defect found in the Swiss government’s e-voting system was also present in the state’s iVote system. It said Scytl would have a fix this week.