Estonian electronic voting system vulnerable to attacks, researchers say

International research team finds insecure operational procedures and fundamental weaknesses in Estonian Internet voting system

The electronic voting system that has been used in Estonia since 2005 cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, according to an international team of security and Internet voting researchers.

The analysis performed by the team's members, some of whom acted as observers during 2013 local elections in Estonia, revealed that sophisticated attackers, like those employed by nation states, could easily compromise the integrity of the country's Internet voting system and influence the election outcome, often without a trace.

The team chose to analyze the Estonian system because Estonia has one of the highest rates of Internet voting participation in the world -- over 21 percent of the total number of votes during the last local election were cast through the electronic voting system.

During their observation of the local elections and by later watching the procedural videos released by the Estonian election authority, the researchers identified a large number of poor security practices that ranged from election officials inputting sensitive passwords and PINs while being filmed to system administrators downloading critical applications over insecure connections and using personal computers to deploy servers and build the client software distributed to voters.

The researchers also used open-source code released by the Estonian government to replicate the electronic voting system in their laboratory and then devised several practical server-side and client-side attacks against it.

To use the Estonian system, voters insert their electronic national ID card into a card reader attached to their computers and use the PINs associated with their ID cards to cast their votes through a special application. The researchers developed malware that can record the PINs and later change the votes while the ID cards are attached to voters' computers for different operations.

The malware can be deployed in different ways, including through online exploits, through existing infections or through man-in-the-middle attacks during the download process. Attackers could also maliciously alter the voting software itself during the build process, if it's created on a personal computer instead of in a controlled environment, the researchers said Monday during a press conference about their findings in Tallinn, Estonia.

The system uses a vote confirmation procedure based on QR codes that need to be scanned by users with their mobile phones after casting their votes. However, a compromised voting application can potentially alter votes and QR codes in real time, meaning this additional verification system can't protect users from sophisticated attackers, the researchers said.

Such false verification attacks have been used in the real world against online banking users, so they're not just theoretical and could easily be applied to Internet voting, they said.

To compromise the electronic voting servers, attackers could either exploit vulnerabilities over the Internet or could target the people responsible for deploying the servers by first infecting their computers and then altering the server software. Because of the lack of security checks and control, a malicious insider could also carry out such attacks, the researchers said.

The research team included J. Alex Halderman, a computer science professor at the University of Michigan who studied electronic voting systems in different countries around the world; Maggie MacAlpine, an advisor on post-election audits in the U.S.; Harri Hursti, a Finnish independent security researcher known for previously demonstrating a successful attack against a Diebold voting machine; Jason Kitcat, who previously led an investigation into electronic voting in the UK for the Open Rights Group, a digital rights organization; and Travis Finkenauer and Drew Springall, two PhD students at the University of Michigan.

"There are so many attack vectors by which you could dirty the machines used to set up the elections that we believe this to be a very credible and viable attack; and we have photographic evidence on our website showing a personal computer with links to poker sites being used to set up the critical election systems [in Estonia]," Kitcat said.

The Estonian election officials should improve their operational procedures, but "we've also shown fundamental flaws in the architecture of the system, which means that we can steal votes remotely from voters' computers and those flaws cannot be fixed quickly or easily," he said.

The researchers said they notified the Estonian National Electoral Committee, as well as political parties, academics and media organizations in Estonia of their findings at the same time on Saturday. The research was presented in greater detail Monday during a press conference and a full report will be made available on a website that also contains other supporting material, including videos and photos.

The Estonian National Electoral Committee declined to comment until it reviews the full report.

The researchers believe the Estonian Internet voting system should be discontinued before the upcoming European Parliament elections on May 25. More generally, they believe that building a secure and accurate electronic voting system is not possible with the current technology when taking sophisticated attackers like nation states into consideration.

Stories by Lucian Constantin
