The revelation that NSW’s online voting system contains a serious vulnerability just days before the state government election has been largely overblown, according to the state electoral commission’s IT chief.
Over the weekend, two university researchers revealed iVote's voting server had loaded code from a third-party website vulnerable to the recently discovered FREAK attack.
The FREAK flaw in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols allows attackers to intercept HTTPS connections between vulnerable clients and servers.
Attackers could then force the site to downgrade to weak cryptography, which could be easily cracked in order to decrypt web traffic, allowing attackers to steal passwords and other sensitive information.
The flaw in iVote - arising from a vulnerable third-party server hosting the Piwik web analytics tool in use by the NSW Electoral Commission - meant attackers could intercept a NSW voter's web traffic and change and read votes.
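The exposure described above came from a page pulling code from a server outside the operator's control. As an added example (not code from the NSWEC, iVote or the researchers), the following Python audit lists every script, stylesheet or iframe a page loads from a host other than its own and notes whether a Subresource Integrity hash is present; the host names, the sample HTML and the function name `third_party_includes` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _ResourceCollector(HTMLParser):
    """Collects URLs of resources that can run or inject code into the page."""
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, raw_url, has_integrity_attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.found.append((tag, a["src"], bool(a.get("integrity"))))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.found.append((tag, a["href"], bool(a.get("integrity"))))

def third_party_includes(page_url, html):
    """Return (tag, absolute_url, host, has_integrity) for each off-host resource."""
    first_party = urlsplit(page_url).hostname
    collector = _ResourceCollector()
    collector.feed(html)
    results = []
    for tag, raw_url, has_integrity in collector.found:
        absolute = urljoin(page_url, raw_url)  # resolves relative and //host/ URLs
        host = urlsplit(absolute).hostname
        if host and host != first_party:
            results.append((tag, absolute, host, has_integrity))
    return results

# Constructed sample: a voting page with one first-party script, one external
# analytics script without an integrity hash, and one external script with one.
SAMPLE_PAGE_URL = "https://vote.example/ballot"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/ballot.js"></script>
<script src="https://analytics.example.net/piwik.js"></script>
<script src="//cdn.example.org/lib.js" integrity="sha384-CONSTRUCTED"></script>
</head><body><iframe src="help.html"></iframe></body></html>
"""

if __name__ == "__main__":
    for tag, url, host, has_integrity in third_party_includes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        note = "integrity hash present" if has_integrity else "NO integrity hash"
        print(f"{tag:<7} {host:<24} {note}  {url}")
```

Each host reported is a server whose TLS configuration and content the page's security now depends on, so it belongs in the same patching and assessment scope as the first-party server.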
Following publication of the flaw, the NSWEC terminated its connection to the server so “the public could retain confidence in the iVote system”.
However, NSWEC CIO Ian Brightwell argued the chance of a successful, en masse man-in-the-middle attack was too remote to be considered a viable risk.
“For that particular risk to have eventuated into an attack, you had to have five different conditions occur,” Brightwell told iTnews.
“One was to do with FREAK - you’d have to access the keys and break into the SSL - and you’d also have to get into the middle of the traffic, through a browser that hadn’t been patched, and on it goes. To actually break that key is not a trivial task.
“We removed [the connection to the server] because we felt the public was going to react poorly to this, and also that it was going to take a lot to explain it was low risk.”
He admitted it had been a “bad decision” to host the Piwik web analytics tool on a third-party server, but said hosting it internally had not been an option at the time of launch.
Piwik gave the NSWEC anonymised web analytics to prove the commission’s browser environment was working as intended. It replaced server-based web logs the NSWEC had previously been using.
“It probably was an unnecessary risk. At the time it seemed like a good idea, but I accept that it may not have been,” Brightwell said.
“We didn’t actually intend to do it that way [externally hosted] initially, we actually had it internally embedded into the core voting system, but that wasn’t available at the time we launched.
“There’s no doubt that the actual existence of FREAK on the server to some extent reduced the security posture of that server, and that’s one of the reasons we decided to pull it.”
Brightwell did, however, argue that the issue didn't constitute a crisis, and amounted to a “relatively low risk” despite the researchers’ findings.
“It’s easy enough to [test the attack] if you sit in a local area network and direct yourself to an internal proxy, but in practical terms to intercept the traffic en masse you’d have to somehow sit in between that particular server and the client’s voting,” he said.
“And the only way you can do that effectively is to poison DNS somewhere, then start to get that traffic coming through you.”
He said the iVote phone-based verification system had been designed to help mitigate any tampering with online votes.
“If you look at the overall risk profile of that system, we’d already accepted the risk that the client browser could be attacked and that votes could be tampered with. So we offered a way for people to verify their votes,” Brightwell told iTnews.
“Not everybody uses that option, but if a reasonable proportion do, you’ll have reasonably high certainty that there hasn’t been an attack en masse.”
The NSWEC is planning to continue using the Piwik software, albeit located within its own data centre, following a more detailed assessment of the tool.
He said the commission had received a small number of calls from people concerned about vote tampering, but “nothing substantive to indicate we have problems”.
“We tell them to have another go, and they don’t come back.”
NSW citizens have been able to cast votes through the iVote system since March 16 ahead of this Saturday's state election. The platform is open to those who live more than 20km from a polling booth, blind and disabled citizens, and those interstate or overseas on election day.
The NSWEC has forecast more than 100,000 voters will use iVote for the 2015 election, compared to the 46,800 who used it in 2011.
Around 66,000 people have already registered their vote through iVote for the 2015 state election.