Western Australia's Web votes have security worries, say 'white hat' mathematicians

iVote's proxy issues certs – and decrypts data – in America


The Western Australian government is pushing back against concerns about the security of its implementation of the iVote electoral system.

iVote is an electronic system already used in another Australian State, New South Wales, primarily as an accessibility tool because it lets the vision-impaired and others with disabilities vote without assistance.

Perhaps in response to last year's Census debacle, Western Australia has decided to put in place denial-of-service (DoS) protection, and that's attracted the attention of a group of veteran electronic vote-watchers.

Writing at the University of Melbourne's Pursuit publication, the group notes that the DoS proxy is not in Australia: it's provided by Imperva's Incapsula DoS protection service.

That raises several issues, the academics (Dr Chris Culnane and Dr Vanessa Teague of the University of Melbourne, Dr Yuval Yarom and Mark Eldridge of the University of Adelaide, and Dr Aleksander Essex of Western University in Canada) note.

First: the TLS certificate iVote uses to secure its communications is signed not by the WA government, but by Incapsula; and second, that means Incapsula is decrypting votes on their way from a voter to the State's Electoral Commission.

While it would be fatal to Incapsula's business if it weren't trustworthy, the academics are worried about votes existing in decrypted form anywhere but the Electoral Commission, because a suborned employee, someone wandering around Incapsula's systems without authorisation, or US government agencies also stand as “possible eavesdroppers”.

The Western Australian Electoral Commission has issued a “calm down”, telling The West Australian votes have two layers of encryption: one when the vote is cast, and a second for transit (the TLS session that uses the Incapsula certificate).

That's true, white-hat mathematician Dr Vanessa Teague told The Register, adding that the JavaScript-based in-browser encryption of votes looks “pretty good” to the group.

However, problems remain, and for these, a little explanation is required.

First, iVote has processes designed to separate the voter's identity from the vote they cast. It does so by using different servers for voter registration and vote-casting.

To register, a voter provides their name and a proof of identity, such as a Medicare number or passport number. From those details, the system generates a pseudonymous user ID and a login PIN.

To guarantee voter anonymity, the server processing votes only knows user IDs and PINs: it knows a registered voter is logging in, but not a voter's identity.

Dr Teague pointed out to The Register that since both registrations and votes pass through the Incapsula proxy, it introduces a location from which an attacker could de-anonymise a voter (for legal reasons, this would be untestable against a live system).

As noted in the Pursuit article: “If you register and vote from the same web browser, a ‘cookie’ stored on your system by Incapsula allows it to link both interactions.”
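
The linkage described above, modelled as an added example (not code from the article, the researchers or iVote): for each pseudonymous user ID it computes the set of identities that ID could belong to, as seen by an intermediary in front of both servers. The records, field names and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of what a TLS-terminating proxy in front of BOTH servers
# could observe. Field names and values are hypothetical, not iVote's format.
PROXY_VIEW = [
    {"cookie": "c-101", "server": "registration", "identity": "Voter A"},
    {"cookie": "c-101", "server": "voting", "user_id": "U-7731"},
    {"cookie": "c-202", "server": "registration", "identity": "Voter B"},
    {"cookie": "c-303", "server": "voting", "user_id": "U-1290"},  # B used a second browser
    # Shared household computer: two registrations and two votes under one cookie
    {"cookie": "c-404", "server": "registration", "identity": "Voter C"},
    {"cookie": "c-404", "server": "registration", "identity": "Voter D"},
    {"cookie": "c-404", "server": "voting", "user_id": "U-5518"},
    {"cookie": "c-404", "server": "voting", "user_id": "U-9042"},
]


def voting_server_view(records):
    """The vote server's own view: its requests only, without the proxy's cookie."""
    return [{"user_id": r["user_id"]} for r in records if r["server"] == "voting"]


def anonymity_sets(records):
    """Map each user ID to the identities it could belong to, given these records.

    With no shared key the candidates are every registered voter; a cookie seen
    on both servers shrinks the set to the identities registered under it.
    """
    by_cookie = defaultdict(set)
    for r in records:
        if r["server"] == "registration":
            by_cookie[r.get("cookie")].add(r["identity"])
    everyone = set().union(*by_cookie.values()) if by_cookie else set()
    result = {}
    for r in records:
        if r["server"] == "voting":
            linked = by_cookie.get(r.get("cookie")) if r.get("cookie") else None
            result[r["user_id"]] = set(linked) if linked else set(everyone)
    return result


if __name__ == "__main__":
    for uid, names in sorted(anonymity_sets(PROXY_VIEW).items()):
        print(uid, "->", sorted(names))
```

A set of size one means the intermediary can tie that vote session to a named voter; the same records with the cookie removed leave every user ID with the full electorate as candidates.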

Second, although the JavaScript encryption of the vote is well-designed, the code itself passes through the Incapsula proxy and is therefore potentially visible to third parties. This raises the possibility of a man-in-the-middle attack that reveals votes.

The Register has asked the Western Australian Electoral Commission to comment. ®
