The system is vulnerable to cyberattacks by Russia and other entities

May 14, 2014 09:58 GMT

Security experts have analyzed the electronic voting system used by Estonia and have found a number of vulnerabilities that could be leveraged to influence elections. The warning has been issued just days before the European Parliament elections.

In Estonia, as many as a quarter of all voters use the Internet to cast their ballots. This means that a cyberattack on the system could have serious consequences.

Harri Hursti, a security researcher from Finland, and a team from the University of Michigan have identified several problems after analyzing the publicly available source code, documents and software. For instance, they’ve found that the security architecture used by Estonia for the e-voting system is out of date.

Furthermore, those involved in maintaining the electronic voting system pay little attention to security practices, not even basic ones. They download software over unsecured connections, and they type passwords without concern that they are being filmed.

The vulnerabilities present in the system could be exploited for server-side attacks in which malware can be used to rig the vote count, and client-side attacks in which a bot overwrites the voter’s choice.

“Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct,” experts warned.

“Critical steps occur off camera, and potentially vulnerable portions of the software are not available for public inspection.”

Given enough resources, a foreign power such as Russia could alter the outcome without being detected, researchers warn. This wouldn’t be the first time Russia has targeted Estonia in cyberspace. In 2007, a massive denial-of-service (DoS) attack launched by Russia severely disrupted Estonia’s critical infrastructure.

“While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute,” experts noted in their report.

“In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.”

The researchers provided Estonian authorities with the results of their work on May 10, five days before the elections.

However, Estonia’s National Election Committee contests these findings, arguing that the system has already been used in six elections without any incident. Despite being warned, the country is confident in its system and refuses to suspend online balloting.
