Researchers Identify Security Risks in Estonia’s Online Voting System

L-R: Researchers Finkenauer, Springall, MacAlpine, Hursti, Halderman, and Kitcat.

Ahead of European Parliamentary elections on May 25, an international team of independent experts has identified major risks in the security of Estonia’s Internet voting system and recommended its immediate withdrawal.

The Internet voting system used in Estonia cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, according to an international team of security and Internet voting researchers that includes U-M Prof. J. Alex Halderman, Independent Security Researcher Harri Hursti, UK Open Rights Group Advisory Council member Jason Kitcat, Post-Election Audit Advisor Maggie MacAlpine, and U-M CSE graduate student researchers Travis Finkenauer and Drew Springall.

The analysis performed by the team members, some of whom acted as observers during 2013 local elections in Estonia, revealed that sophisticated attackers could easily compromise the integrity of the country’s Internet voting system and influence an election’s outcome, quite possibly without a trace. The researchers recommend that the system should immediately be discontinued.

The research team members, including one from the UK’s Open Rights Group, were officially accredited to observe the Estonian Internet voting system during the October 2013 municipal elections. These observations – and subsequent security analysis and laboratory testing – revealed a series of alarming problems. Operational security is lax and inconsistent, transparency measures are insufficient to prove an honest count, and the software design is highly vulnerable to attack from foreign powers.

Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary elections and municipal elections, and it is planned to be used for the May 2014 European Parliamentary elections. In recent elections, 20-25% of voters cast their ballots online.

Hursti, who observed operations in the election data center during October 2013, said there were numerous security lapses. “We didn’t see a polished, fully documented procedural approach of maintaining the back-end systems for these online elections,” he said. Videos published by election officials show the officials downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing the election software for distribution to the public on insecure personal computers. “These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system,” Hursti said.

Prof. Halderman pointed to fundamental weaknesses in the I-voting system’s design. “Estonia’s Internet voting system blindly trusts the election servers and the voters’ computers,” Halderman said. “Either of these would be an attractive target for state-level attackers, such as Russia.” Recent reports about state-sponsored hacking of American companies by China, and of European telecoms by the NSA, demonstrate that these dangers are a reality, Halderman explained.

To experimentally confirm these risks, Halderman and his Ph.D. students recreated the Estonian “I-voting system” in their laboratory based on the published software used in 2013. They successfully simulated multiple modes of attack that could be carried out by a foreign power. “Although the Estonian system contains a number of security safeguards, these are insufficient to protect against the attacks we tried,” said Halderman.

In one attack, malware on the voter’s computer silently steals votes, despite the system’s use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials – but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result.

“There is no doubt that the Estonian I-voting system is vulnerable to state-level attackers, and it could also be compromised by dishonest election officials,” said Halderman. These attackers could change votes, compromise the secret ballot, disrupt voting, or cast doubt on the legitimacy of the election process.

The team recently arrived at these results and was so alarmed that it decided to urgently make its findings public ahead of the upcoming European elections, explained Jason Kitcat from the Open Rights Group. “I was shocked at what we found,” said Kitcat. “We never thought we’d see as many problems and vulnerabilities as we did. We feel duty-bound to make the public aware of those problems.”

While some of the problems can be corrected in the short term through changes to the system, others stem from fundamental weaknesses that cannot be fixed. With the growing risk of state-level cyberattacks, the team unanimously recommends discontinuing Internet voting until there are fundamental advances in computer security.

“With today’s security technology, no country in the world is able to provide a secure Internet voting system,” said Hursti. “I would recommend that Estonia return to a paper ballot only system.”

Maggie MacAlpine, a Post-Election Audit Advisor, said, “While Estonia has an excellent e-government system, which they should continue to develop, they should take the Internet voting element of that off-line. Estonia has a well organized paper voting system which they should revert back to.”

The researchers’ full report, and videos explaining the key findings, have been published at https://estoniaevoting.org.