The Swiss Federal Chancellery (SFC) on Tuesday said security researchers have found a fascinating flaw in the Swiss Post's e-voting system as part of an ongoing penetration test.
Said flaw, if successfully exploited by miscreants, would prevent officials from detecting unauthorized changes to citizens' electronically-cast votes.
Swiss authorities released the source code of their computer-based voting system and began a public audit of their blueprints on February 25, 2019, to identify vulnerabilities and fix them. The test is scheduled to run until March 24, 2019.
The flaw in the sVote protocol, developed by technology provider Scytl, has to do with universal verifiability, the mathematical proofs that prevent vote manipulation.
"While the flaw does not allow the system to be penetrated, the researchers were able to demonstrate that the system does not generate conclusive mathematical proofs to identify whether any manipulation has taken place," the SFC said. "This means that it is not possible to detect whether the votes have been tampered with."
Researchers Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague, from the Open Privacy Research Society, Catholic University of Leuven, and the University of Melbourne respectively, describe the issue in a research paper published in conjunction with the SFC announcement.
They explain that the Swiss Post voting technology provides a mechanism – a mixnet – to shuffle electronically-submitted votes for the sake of privacy. The shuffling process encrypts the vote data, and is supposed to prove that the vote sets before and after shuffling are the same. But it fails to do so.
"We show that the mixnet specification and code recently made available for analysis does not meet the assumptions of a sound shuffle proof and hence does not provide universal or complete verifiability," the researchers explain.
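To make concrete why a shuffle needs a sound proof, here is an added example (not code from sVote, Scytl or the researchers' paper) of a toy re-encryption mix. It assumes textbook ElGamal as a stand-in for the real protocol; the group parameters, vote encoding and all function names are constructed for illustration.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4
YES, NO = pow(G, 1, P), pow(G, 2, P)   # assumed vote encoding (subgroup elements)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1   # uniform in [1, Q-1]

def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    r = rand_exp()
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def reencrypt(pk, ct):
    # Multiply by a fresh encryption of 1: same plaintext, unlinkable ciphertext.
    s = rand_exp()
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(pk, s, P) % P)

def decrypt(sk, ct):
    return ct[1] * pow(ct[0], P - 1 - sk, P) % P   # c2 * c1^(-sk) mod P

def honest_mix(pk, board):
    out = [reencrypt(pk, ct) for ct in board]
    secrets.SystemRandom().shuffle(out)
    return out

def tampering_mix(pk, board, replacement):
    out = honest_mix(pk, board)
    out[0] = encrypt(pk, replacement)   # one vote swapped for a fresh ciphertext
    return out

def public_checks_pass(board_in, board_out):
    # All an observer can verify without a sound shuffle proof: count and group membership.
    in_group = lambda v: 0 < v < P and pow(v, Q, P) == 1
    return len(board_in) == len(board_out) and all(
        in_group(a) and in_group(b) for a, b in board_out)

def tally(sk, board):
    return sorted(decrypt(sk, ct) for ct in board)   # needs the election key

if __name__ == "__main__":
    sk, pk = keygen()
    board = [encrypt(pk, NO) for _ in range(5)]
    for out in (honest_mix(pk, board), tampering_mix(pk, board, YES)):
        print(public_checks_pass(board, out), tally(sk, out) == tally(sk, board))
```

Both mixes pass the public checks; only the tally comparison, which requires the decryption key, tells them apart, and closing that gap for outside observers is the job of the shuffle proof.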
They note that other researchers, Thomas Haines of the Norwegian University of Science and Technology and Rolf Haenni of Bern University of Applied Sciences, independently identified this flaw.
That may be because the problem was identified in 2017. According to Swiss Post, Scytl, which is responsible for the source code, failed to fully fix the bug.
"Swiss Post regrets this and has asked Scytl to make the correction in full immediately, which they have done," the organization said in a statement. "The modified source code will be applied with the next regular release."
Scytl in a statement said it has received 67 reports from hackers participating in the penetration test, one of which is the mixnet flaw. "The code has already been updated by using the random verifiable mechanism that was already implemented in the voting system but had not been activated," the company said.
The missing audit mechanism hasn't been an issue in Swiss elections because the system has never been used in actual voting, according to Swiss Post. The cantons of Thurgau, Neuchâtel, Fribourg and Basel-Stadt currently use a different e-voting system.
Switzerland intends to consider the results of its test when it wraps up later this month and present a report, at which point the SFC will determine whether further changes to the new e-voting system are necessary. ®