The online voting system used by NSW was vulnerable to a flaw that potentially allowed undetectable voter fraud to take place in the 2019 state election, despite reassurances from the NSW Electoral Commission that the system was unaffected.
That's the key take away in a new report [pdf] from renowned cryptographic researcher Dr Vanessa Teague that says iVote is susceptible to a previously identified flaw in its verification process that could allow the verification of votes to be tricked, resulting in an incorrect count.
It's a technical argument, but an important one as security agencies across the Five Eyes intelligence community double down on foreign cyber interference in electoral processes that ranges from classic online disinformation and denial of service to deep system compromises.
Teague, an associate professor at Melbourne University’s School of Computing and Information Systems, said the verification flaw could cast a level of doubt over the more than 234,000 votes that were cast using the system at the April election.
But the NSWEC is convinced "there is no indication of any interference with the iVote system at the recent state election or at any other election".
The flaw was first uncovered in the Swiss Government’s e-voting system – which like iVote used software from Spanish vendor Scytl – in March after the code was opened to public intrusion testing.
Teague, along with other intentionally respected cryptography and privacy researchers Sarah Jamie Lewis and Oliver Pereira, revealed the defect could allow vote manipulation to take place unbeknown to the authorities.
The problem centred around the way the country's sVote system run by Swiss Post verified votes using a sequence of shuffle proofs, which could allow malicious actors to change votes without being detected.
While NSWEC confirmed the flaw, which was related to the Scytl mixnet, was also present in iVote when the findings were released, it stressed the “issue does not affect the use of iVote”.
This, according to the electoral body, was because the machine that runs the mixnet for iVote is not physically connected to any other computer systems.
“In order for this weakness to be an issue, a person would need to gain access to the physical machine. They would need all the right credentials and the right code to alter the software,” the Commission said at the time.
But Teague’s new report disputes the NSWEC assessment, which she said was “incorrect”.
“iVote's decryption and verification processes are slightly different from those of the Swiss Post system, but the same attack can still be performed after a slight modification,” Teague said.
“This would allow a corrupted iVote process to produce a ‘proof’ that it had dealt with votes correctly, while actually changing valid votes into invalid ones that would not be counted.”
Teague said the issue could be easily fixed by adopting the same software patches that were applied to the Swiss government’s system, which the NSWEC said would be deployed for iVote.
Scytl pledged it would update its source code shortly after the vulnerability was uncovered, but not before taking a swipe at the researchers for finding the flaw.
But in responding to Teague's research, the NSWEC's director of election innovation Mark Radcliffe revealed the agency was only now "implementing an improved version of the proof"after it was provided by Scytl last month to address the issue.
He did stress, however, that faking a proof in the manner suggested by Teague would have required an expert accessing the physical machine used to perform the decryption.
"We are confident that could not have happened during the 2019 State election” he said, adding that a number of other controls would have also needed to be bypassed.
"The NSWEC had in place a number of robust procedures and compliance tests to provide assurance about the integrity of the iVote process.
"These other measures included strict controls to manage the risks of insider attacks.”
Teague said she came to the conclusion by analysing the “protocol description” and not the source code itself, which was released by the NSWEC in July.
“Since the error affects the verification process, it is the specification rather than the current implementation that defines the system’s security anyway—if iVote had independent verification, it would be based on an independent implementation of the verification spec, not on running Scytl’s code,” the report states.
She also directly addresses assurances by the NSWEC that because the machine used for the mixnet was not connected to any other system, the iVote sytstem was unaffected.
“It has been suggested that the decryption proof flaw is mitigated because the mix server signs its output, which is the input to the decryption proof,” Teague said.
“If the verification spec were amended (and I believe it has been) to check that signature, then this slightly strengthens the attacker model—the mix server and the decryption service would have to collude to produce a fake proof.
“However, it does not solve the problem—I believe that the mixer and decryption service are both running Scytl software and both administered by the NSWEC, so the assumption that they cannot be simultaneously compromised by the same entity does not seem justified.
“In any case, it does not address the possibility of vote substitution before or after these components.”
Teague, who has long called for iVote’s source code to be made publically available for testing before elections, believe the findings are just another reason why the code should be made available.
“Although finding out now is better than never finding out at all, it would have been much better for the integrity of the New South Wales election if these issues had been identified and corrected before the system was entrusted with more than 200,000 votes,” she said.
“If the source code and documentation had been made openly available for analysis before the election, as the Swiss Post system was, these errors might have been accurately understood and mitigated in time.”
