A critical look at electronic voting in Estonia
Matei Vasile / 2015-05-21

As stated in one of the previous articles, we saved the Estonian electronic voting for last because of its unique nature. At the time of this writing, in May 2015, Estonia is the only country in the world that uses nation-wide Internet voting.

This article will be a presentation of the most comprehensive report on the electronic voting system in Estonia published by an international team of independent researchers.

In 2013, a team of independent researchers were accredited as observers during the October 2013 municipal elections in Estonia. Starting from their observations during these elections, they took a closer look at the Internet voting system implemented in Estonia and, in May 2014, released a report on electronic voting in Estonia. All the findings have been published on the estoniaevoting.org website.

1. The team

For anybody that has read the previous two articles in this series, many of the names and affiliations of the researchers involved in this study will sound familiar. The members of the team of researchers were:

1. J. Alex Halderman, University of Michigan – he is an assistant professor at the University of Michigan and an expert on electronic voting security. He helped demonstrate the first voting machine virus, took part in California's “top-to-bottom” electronic voting security audit, led the first independent review of the electronic voting system in India, hacked into Washington D.C.'s electronic voting pilot and, more recently, found an exploitable security flaw in the iVote Internet voting system used in New South Wales.

2. Harri Hursti, independent security researcher – he is a Finnish security researcher well known for his work in various electronic voting studies around the world and famous for demonstrating a memory card hack against the Diebold voting machines.

3. Jason Kitcat, Open Rights Group – he is the Leader of Brighton & Hove City Council, the UK’s first Green-led principal authority. His background is in technology and online businesses such as Netmums and the Open Knowledge Foundation. He is a prominent digital rights campaigner who helped found the Open Rights Group and served as its electronic voting coordinator. He led a team of 25 election observers monitoring electronic voting during the 2007 elections in the UK; the resulting report helped set the agenda for electoral modernisation, with electronic voting no longer a government priority. He also wrote GNU.FREE, the Free Software Foundation's electronic voting software, before concluding that Internet voting was too risky to be used for elections of any importance.

4. Margaret MacAlpine, post-election audit advisor – she is an independent advisor on post-election audits in the United States. Her most notable advisory role was the California Post-Election Risk-Limiting Audit Pilot Program of 2011-2012. Before that, she audited elections for several counties in Florida and Connecticut.

5. Drew Springall, University of Michigan – he is a PhD student at the University of Michigan whose research focuses on security and privacy.

6. Travis Finkenauer, University of Michigan – he is a PhD student at the University of Michigan whose research focuses on security and privacy.

7. Zakir Durumeric, University of Michigan – he is a PhD student at the University of Michigan whose research focuses on security and privacy.

2. The Estonian electronic voting system

Estonia is the only country in the world that uses nation-wide Internet voting. In the most recent elections, the March 2015 parliamentary elections, 30.5% of the participating voters used the Internet voting system. As a side note, the statistics from the Estonian elections confirm what other studies have concluded before: electronic voting does not increase voter turnout.

During an election, the Internet voting system is available for 7 days as one of the methods of advance voting; then there is a 3-day period in which the advance voting ballots are centralized, followed by the actual election day.

One of the cornerstones of the Estonian Internet voting system is the national digital ID card. These are smartcards able to perform cryptographic operations. They are commonly used for authenticating to websites, especially banking and e-government services. Each ID card has two asymmetric key pairs: one for authentication and one for digital signatures.

The voters use their ID cards to authenticate to the Internet voting system and to sign their ballots using the Internet voting client software provided by the electoral authorities for Windows, Mac and Linux.

The voting server infrastructure consists of four servers:

1. The Vote Forwarding Server (VFS), which is the only publicly available server. It accepts secured incoming connections from the voting clients, checks voter eligibility and forwards the ballots to the backend part of the voting server infrastructure which is not accessible from the Internet.

2. The Vote Storage Server (VSS), which stores the encrypted votes during the voting period. It receives the ballots from the VFS. Each received ballot is encrypted twice: first, the ballot is encrypted with the public key of the vote counting server (VCS), and then the encrypted ballot is digitally signed by the voter with the signature key on their ID card. The VSS verifies the voter's digital signature and, if no problem is found, strips the signature from the ballot and stores just the anonymous encrypted ballot.

3. The Log Server, which is an internal monitoring device that collects statistics from the VFS and VSS.

4. The Vote Counting server (VCS), which tabulates the results. The VCS is never connected to any network. It is used only during the final stage of the election, when the encrypted votes from the VSS are written to a DVD and transferred that way to the VCS in order to be counted. The VCS has a hardware security module (HSM) that contains the private key necessary to decrypt the ballots. The VCS uses the HSM to decrypt the ballots and to tabulate the final results.
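As an added illustration, not code from the report or from the Estonian system, here is the ballot envelope the servers above handle, written in Go: the client encrypts the choice to the VCS public key and signs the ciphertext with the ID-card key, the VSS checks an assumed in-memory voter registry and the signature before stripping it, and the offline VCS decrypts and tallies. RSA-OAEP and RSA-PSS stand in for whatever the real system uses, and the HSM is modelled as a plain private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Double envelope as the page describes it: choice encrypted to the VCS key, ciphertext signed by the voter.
type SignedBallot struct {
	VoterID               string
	Ciphertext, Signature []byte
}
// Client side: RSA-OAEP to the VCS public key, then RSA-PSS with the ID-card signature key over the ciphertext.
func CastBallot(id, choice string, vcsPub *rsa.PublicKey, cardKey *rsa.PrivateKey) (SignedBallot, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, vcsPub, []byte(choice), nil)
	if err != nil {
		return SignedBallot{}, err
	}
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, cardKey, crypto.SHA256, h[:], nil)
	return SignedBallot{id, ct, sig}, err
}
// VSS: eligibility check (assumed registry) and signature verification, then keep only the ciphertext, keyed by voter so a re-vote replaces it.
func AcceptBallot(registry map[string]*rsa.PublicKey, stored map[string][]byte, b SignedBallot) error {
	pub, ok := registry[b.VoterID]
	if !ok {
		return errors.New("voter not on the roll")
	}
	h := sha256.Sum256(b.Ciphertext)
	if rsa.VerifyPSS(pub, crypto.SHA256, h[:], b.Signature, nil) != nil {
		return errors.New("signature does not verify")
	}
	stored[b.VoterID] = b.Ciphertext // signature stripped; only the ciphertext is retained
	return nil
}
// VCS (offline): receives the ciphertexts alone, decrypts with the private key the HSM would hold, and tallies.
func Tabulate(cts [][]byte, vcsPriv *rsa.PrivateKey) (map[string]int, error) {
	tally := map[string]int{}
	for _, ct := range cts {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, vcsPriv, ct, nil)
		if err != nil {
			return nil, errors.New("ballot does not decrypt: tampered or wrong key")
		}
		tally[string(pt)]++
	}
	return tally, nil
}
```

Note that the VCS never sees which voter a ciphertext belongs to; the link is dropped when the stored ciphertexts are handed over without their keys.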

The source code of the VFS, VSS and VCS is published on GitHub a few weeks before each election. However, the source code of the log server and of the client is not published. Moreover, the server infrastructure is not designed for end-to-end verifiability. This means that, in practice, it functions as a black box that must simply be trusted to perform as intended.

The server infrastructure is configured in a public ceremony one week before elections.

3. Observations from the Estonian 2013 elections

The first part of the analysis of the Estonian Internet voting system was the observation of the 2013 elections. Halderman, Hursti, Kitcat and MacAlpine traveled to Estonia as accredited observers and witnessed the operation of the voting servers. Then, they met with election officials and developers of the electronic voting system. Finally, they reviewed the published source code, the written procedures and almost 20 hours of official video recorded during the configuration, administration and counting process. As a result, a number of problems were identified: inadequate procedural controls, lapses in operational security, insufficient transparency and vulnerabilities in the published code.

3.1. Inadequate procedural controls and lapses in operational security

Here is a quote straight from the executive summary of the report: “Observation of the way the I-voting system was operated by election staff highlighted a lack of adequate procedures for both daily operations and handling anomalies. This creates opportunities for attacks and errors to occur and makes it difficult for auditors to determine whether correct actions were taken.

Close inspection of videos published by election officials reveals numerous lapses in the most basic security practices. They appear to show the workers downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing election software for distribution to the public on insecure personal computers, among other examples. These actions indicate a dangerously inadequate level of professionalism in security administration that leaves the whole system open to attack and manipulation.”

3.2. Insufficient transparency

Again from the executive summary: “Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct. Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.” (Though making source code openly available is not sufficient to protect the software from flaws and attacks.) Many potential vulnerabilities and forms of attack would be impossible to detect based on the information provided to the public. So while the researchers applaud attempts at transparency, ultimately too much of how the I-voting system operates is invisible for it to be able to convince skeptical voters or candidates of the outcomes.

To illustrate this point, the team filmed themselves carrying out exactly the same procedural steps that real election officials show in nearly 24 hours of videos from the 2013 elections. However, because of malware injected by the team before the recordings started, their count produces a dishonest result.

3.3. Vulnerabilities in the published code

The published portions of the Internet voting server software used in Estonia contain roughly 17,000 lines of code. Volunteers from the security community in Estonia are understood to have already analyzed it, which is a testament to the benefits of publishing source code. Even so, the researchers found a number of vulnerabilities that could have been exploited to disrupt the correct functioning of the voting servers.

4. Experimental testing of the security of the Estonian electronic voting system

The second part of the analysis was carried out in the lab. The research team recreated the server infrastructure used during elections in Estonia from the server source code published on GitHub by the Estonian election authority. The log server software and the other unpublished components had to be reimplemented to keep the system's functionality intact. The hardware security module (HSM) used by the vote counting server (VCS) had to be simulated in software. Because the public encryption key of the VCS is hard-coded into the client software, the client had to be patched to replace that key.

Because a simulated HSM was used, none of the attacks devised and tested in this phase rely on any vulnerability of the HSM itself.

4.1. Threat Model

After building this mock server infrastructure, the researchers attempted to compromise it, allowing themselves the resources and capabilities of a sophisticated but realistic attacker: a foreign state, a well-funded criminal organization or a dishonest election insider.

Since Estonia introduced its Internet voting system, cyberwarfare has become a well-documented fact; a few quick examples are Chinese espionage against U.S. companies, the U.S. sabotage of Iran's nuclear centrifuges and the U.K. attacks against European telecommunications companies. An increasing number of countries possess offensive computer security capabilities, and investment in these capabilities is growing at an alarming rate through any available means. Under these circumstances, an attacker has to be assumed to have the ability to obtain detailed knowledge of the voting system from various sources: published source code, reverse engineering or anything else for that matter. It is also safe to assume that such an attacker would have easy access to sufficient human and technical resources to organize and execute a successful attack in a short time frame.

When it comes to client-side attacks, it is safe to assume that a resourceful attacker can easily gain access to existing botnets, either by buying access or by developing this capability itself. The 2014 annual PandaLabs report states that the global infection rate with any kind of malware was over 30% of all computers (30.42% to be precise). Under these circumstances the integrity of the client machine is far from guaranteed. Finally, even if we assume that an attacker would not be able to gain access to existing malware on client computers, there is always the burgeoning market for zero-day exploits.

Taking all of this into account, it becomes clear that the threat model under which the Estonian voting system has been implemented is woefully inadequate.

4.2. Attacks

Starting from this threat model, the researchers were able to create a number of realistic attacks both on the client-side and on the server-side of the Estonian Internet voting system.

4.2.1. Client-side attacks

A realistic attack and a number of variations on it have been implemented. The basic attack relies on malware that infects the client computer and runs alongside the Internet voting client software. It exploits a feature of the Internet voting system that allows the voter to cast a ballot as many times as they want during the 7-day advance voting period. The malware attaches to the Internet voting client process and captures the PINs of the voter's ID card. From that point on, as long as the ID card is inserted in the computer, the malware can cast a replacement vote at any time. Given that the ID card is regularly used for authenticating online for banking and other purposes, it is safe to assume that the card will be inserted into the voter's computer at some point after the vote is cast during the 7-day voting period. The malware will then be able to cast a replacement vote without the voter ever knowing about it.

A variant of this attack avoids casting a replacement vote, which could look suspicious if a large number of replacement votes were cast during an election. To do this, it has to defeat the vote verification feature of the voting system, which means that the malware has to infect not only the voter's computer but their phone as well. However, because nowadays it is quite common for people to regularly synchronize their phones with their computers, this attack becomes feasible.

4.2.2. Server-side attacks

Without going into too many details, here is another quote from the executive summary: “The e-voting system places complete trust in the server that counts the votes at the end of the election process. Votes are decrypted and counted entirely within the unobservable ‘black box’ of the counting server. This creates an opportunity for an attacker who compromises this server to modify the results of the vote counting.”

The researchers demonstrated that they can infect the counting server with vote-stealing malware. “In this attack, a state-level attacker or a dishonest election official inserts a stealthy form of infectious code onto a computer used in the pre-election setup process. The infection spreads via software DVDs used to install the operating systems on all the election servers. This code ensures that the basic checks used to ensure the integrity of the software would still appear to pass, despite the software having been modified. The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes, thus silently changing the results of the election to their preferred outcome.”

5. Conclusion

Taking all of this into account, it becomes obvious that the Internet voting system used by Estonia can be compromised because of design choices founded on an obsolete threat model and inherent implementation vulnerabilities, all of which is exacerbated by weak operational management.

The researchers' recommendation, in their own words: “While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.”