ABSTRACT
Estonia was the first country in the world to use Internet voting nationally, and today more than 30% of its ballots are cast online. In this paper, we analyze the security of the Estonian I-voting system based on a combination of in-person election observation, code review, and adversarial testing. Adopting a threat model that considers the advanced threats faced by a national election system---including dishonest insiders and state-sponsored attacks---we find that the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections. In experimental attacks on a reproduction of the system, we demonstrate how such attackers could target the election servers or voters' clients to alter election results or undermine the legitimacy of the system. Our findings illustrate the practical obstacles to Internet voting in the modern world, and they carry lessons for Estonia, for other countries considering adopting such systems, and for the security research community.
- B. Adida. Helios: Web-based open-audit voting. In Proceedings of the 17th USENIX Security Symposium, Aug. 2008. Google ScholarDigital Library
- A. Ansper, A. Buldas, M. Oruaas, J. Priisalu, A. Veldre, J. Willemson, and K. Virunurm. E-voting concept security: analysis and measures. Technical Report EH-02-01, Estonian National Electoral Committee, 2003.Google Scholar
- A. W. Appel. Security seals on voting machines: A case study. ACM Trans. Inf. Syst. Secur., 14(2):18:1--18:29, Sept. 2011. Google ScholarDigital Library
- J. Applebaum, J. Horchet, and C. Stöcker. Shopping for spy gear: Catalog advertises NSA toolbox. Der Spiegel, Dec. 2013. http://www.spiegel.de/international/world/catalog-reveals-nsa-has-backdoors-for-numerous-devices-a-940994.html.Google Scholar
- J. Benaloh, M. Byrne, P. T. Kortum, N. McBurnett, O. Pereira, P. B. Stark, and D. S. Wallach. STAR-Vote: A secure, transparent, auditable, and reliable voting system. CoRR, abs/1211.1904, 2012.Google Scholar
- J. Bretschneider, S. Flaherty, S. Goodman, M. Halvorson, R. Johnston, M. Lindeman, R. L. Rivest, P. Smith, and P. B. Stark. Risk-limiting post-election audits: Why and how, Oct. 2012. http://www.stat.berkeley.edu/~stark/Preprints/RLAwhitepaper12.pdf.Google Scholar
- J. A. Calandrino, J. A. Halderman, and E. W. Felten. Machine-assisted election auditing. In Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), 2007. Google ScholarDigital Library
- D. Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy, 2(1):38--47, Jan 2004. Google ScholarDigital Library
- D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. Rivest, P. Y. A. Ryan, E. Shen, A. Sherman, and P. Vora. Scantegrity II: End-to-end verifiability by voters of optical scan elections through confirmation codes. IEEE Transactions on Information Forensics and Security, 4(4):611--627, Dec. 2009. Google ScholarDigital Library
- M. Clayton. Ukraine election narrowly avoided "wanton destruction" from hackers. Christian Science Monitor, June 2014. http://www.csmonitor.com/World/ Security-Watch/Cyber-Conflict-Monitor/2014/0617/Ukraine-election-narrowly-avoided-wantondestruction-from-hackers-video.Google Scholar
- Cybernetica AS. Internet voting solution, 2013. Accessed: May 13, 2014, http://cyber.ee/uploads/2013/03/cyber_ivoting_NEW2_A4_web.pdf.Google Scholar
- D. Danchev. Study finds the average price for renting a botnet. ZDNet, May 2010. http://www.zdnet.com/blog/security/study-finds-theaverage-price-for-renting-a-botnet/6528.Google Scholar
- Estonian Certification Authority. Avaleht. In Estonian. http://www.id.ee/.Google Scholar
- Estonian Certification Authority. Kasulik tugiinfomobiil-id kohta. In Estonian. http://mobiil.id.ee/kasulik-tugiinfo/.Google Scholar
- Estonian Certification Authority. Mis on ID-tarkvara? In Estonian. https://installer.id.ee/.Google Scholar
- Estonian Information System's Authority. Public key infrastructure PKI, May 2012. https://www.ria.ee/public-key-infrastructure/.Google Scholar
- Estonian Internet Voting Committee. Dokumendid, 2013. In Estonian. Accessed: March 2014, http://vvk.ee/valijale/e-haaletamine/e-dokumendid/.Google Scholar
- Estonian Internet Voting Committee. Ehk videos, 2013. In Estonian. Accessed: March 2014, https://www.youtube.com/channel/UCTv2y5BPOo-ZSVdTg0CDIbQ/videos.Google Scholar
- Estonian Internet Voting Committee. Statistics about Internet voting in Estonia, May 2014. http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics.Google Scholar
- Estonian Internet Voting Committee. Using ID-card and mobil-ID, May 2014. https://www.valimised.ee/eng/kkk.Google Scholar
- Estonian Ministry of Foreign Affairs. Estonia today, 2012. http://www.euc.illinois.edu/estonia/documents/E-Estonia.pdf.Google Scholar
- Estonian National Electoral Committee. Kohaliku omavalitsuse volikogu valimised 2013. In Estonian. http://www.vvk.ee/kohalikud-valimised-2013/.Google Scholar
- Estonian National Electoral Committee. Vabariigi valimiskomisjon. In Estonian. Accessed: October 2013, http://www.vvk.ee/.Google Scholar
- Estonian National Electoral Committee. Elektroonilise hääletamise süsteemi üldkirjeldus, 2013. In Estonian. http://vvk.ee/public/dok/elektroonilise-haaletamisesysteemi-yldkirjeldus-EH-03-03--1_2013.pdf.Google Scholar
- Estonian National Electoral Committee. Valimised: Android Apps on Google Play, Oct. 2013. In Estonian. Accessed: May 13, 2014, https://play.google.com/store/apps/details?id=ee.vvk.ivotingverification.Google Scholar
- Estonian National Electoral Committee. Comment on the article published in The Guardian, May 2014. http://vvk.ee/valimiste-korraldamine/vvk-uudised/vabariigi-valimiskomisjoni-vastulause-the-guardianisilmunud-artiklile/.Google Scholar
- Estonian National Electoral Committee. Valimised on the App Store on iTunes, Apr. 2014. In Estonian. Accessed: May 15, 2014, https://itunes.apple.com/ee/app/valimised/id871129256.Google Scholar
- Estonian National Electoral Committee. Valimised: Windows Phone'i rakenduste+mängude pood (Eesti), Apr. 2014. In Estonian. Accessed: May 15, 2014, https://www.windowsphone.com/et-ee/store/app/valimised/11c10268--343f-461a-9c73--630940d8234b.Google Scholar
- Estonian National Electoral Committee, Estonian Internet Voting Committee, and Cybernetica AS. Android based vote verification application for Estonian i-voting system, Sept. 2013. https://github.com/vvk-ehk/ivotingverification.Google Scholar
- Estonian National Electoral Committee, Estonian Internet Voting Committee, and Cybernetica AS. e-hääletamise tarkvara, Sept. 2013. Accessed: March 2014, https://github.com/vvk-ehk/evalimine.Google Scholar
- Estonian Public Broadcasting. Center Party petitions European human rights court over e-voting, Sept. 2013. Accessed: May 14, 2014, http://news.err.ee/v/politics/4ee0c8a2-b9c2--4d28--8ae4-061e7d9386a4.Google Scholar
- J. Fleming. EU nations developing cyber "capabilities" to infiltrate government, private targets. EurActiv, Dec. 2013. http://www.euractiv.com/infosociety/eu-nations-lack-common-approach-news-532294.Google Scholar
- A. Greenberg. Shopping for zero-days: A price list for hackers? secret software exploits. Forbes, Mar. 2012. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackerssecret-software-exploits/.Google Scholar
- The Heartbleed bug, Apr. 2014. http://heartbleed.com/.Google Scholar
- S. Heiberg, P. Laud, and J. Willemson. The application of i-voting for Estonian parliamentary elections of 2011. In VOTE-ID, pages 208--223, 2011. Google ScholarDigital Library
- G. Hoglund and J. Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley, 2005. Google ScholarDigital Library
- ICT Export Cluster. e-estonia.com: The digital society, Aug. 2014. http://e-estonia.com/.Google Scholar
- R. Johnston. The real deal on seals: Improving tamper detection. Security Management, 41:93--100, Sept. 1997.Google Scholar
- R. Johnston. Some comments on choosing seals and on PSA label seals. In Proceedings of the 7th Security Seals Symposium, 2006. http://www.ne.anl.gov/capabilities/vat/pdfs/choosing-seals-and-using-PSA-seals-2006.pdf.Google Scholar
- R. Johnston. Insecurity of New Jersey's seal protocols for voting machines, Oct. 2010. http://www.cs.princeton.edu/~appel/voting/Johnston-AnalysisOfNJSeals.pdf.Google Scholar
- R. Johnston and A. R. Garcia. Vulnerability assessment of security seals. Journal of Security Administration, 20:15--27, 1997.Google Scholar
- D. W. Jones and B. Simons. Broken Ballots: Will Your Vote Count? Stanford University Center for the Study of Language and Information, 2012.Google Scholar
- E. Kain. Report: NSA intercepting laptops ordered online, installing spyware. Forbes, Dec. 2013. Accessed: May 14, 2014, http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-orderedonline-installing-spyware/.Google Scholar
- J. Kitcat. Source availability and e-voting: An advocate recants. Commun. ACM, 47(10):65--67, Oct. 2004. Google ScholarDigital Library
- B. Laxton, K. Wang, and S. Savage. Reconsidering physical key secrecy: Teleduplication via optical decoding. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), pages 469--478, 2008. Google ScholarDigital Library
- M. Lindeman and P. B. Stark. A gentle introduction to risk-limiting audits. IEEE Security & Privacy, 10(5):42--49, 2012. Google ScholarDigital Library
- H. Lipmaa. Paper-voted (and why I did so). Blog post, Mar. 2011. http://helger.wordpress.com/2011/03/05/ paper-voted-and-why-i-did-so/.Google Scholar
- H. Lipmaa. A simple cast-as-intended e-voting protocol by using secure smart cards, May 2014. http://eprint.iacr.org/2014/348.Google Scholar
- Mandiant. APT1: Exposing one of China's cyber espionage units, Feb. 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.Google Scholar
- N. Mediati. How to remotely install apps on your smartphone. TechHive, Nov. 2013. http://www.techhive.com/article/2067005/how-toremotely-install-apps-on-your-smartphone.html.Google Scholar
- U. Oja. Paavo Pihelgas: Elektroonilise hääletamise vaatlemine on lihtsalt võimatu, Mar. 2011. In Estonian. http://forte.delfi.ee/news/digi/paavo-pihelgas-elektroonilise-haaletamise-vaatlemineon-lihtsalt-voimatu.d?id=41933409.Google Scholar
- F. Paget. Hacking summit names nations with cyberwarfare capabilities. McAfee Blog Central, Oct. 2013. http://blogs.mcafee.com/mcafee-labs/hackingsummit-names-nations-with-cyberwarfare-capabilities.Google Scholar
- A. Parsovs. Practical issues with TLS client certificate authentication, Feb. 2014. https://www.internetsociety.org/sites/default/files/12_4_1.pdf.Google Scholar
- B. Plumer. Estonia gets to vote online. Why can't America? Wonkblog. The Washington Post, Nov. 2012. http://www.washingtonpost.com/blogs/wonkblog/wp/2012/11/06/estonians-get-to-vote-online-why-cant-america/.Google Scholar
- ptrace(2): process trace. Linux Programmer's Manual.Google Scholar
- T. Raidma and J. Kase. Kohaliku omavalitsuse volikogu valimiste e-hääletamise protseduuride hindamise löpparuanne, Jan. 2014. In Estonian. http://vvk.ee/public/KOV13/lopparuanne_2013.ddoc.Google Scholar
- D. G. Robinson and J. A. Halderman. Ethical issues in e-voting security analysis. In Proceedings of the 2nd Workshop on Ethics in Computer Security Research (WECSR), March 2011. Google ScholarDigital Library
- rsyslog: The rocket-fast system for log processing, Apr. 2014. http://www.rsyslog.com/.Google Scholar
- P. Y. A. Ryan, D. Bismark, J. Heather, S. Schneider, and Z. Xia. Prêt à voter: A voter-verifiable voting system. Trans. Info. For. Sec., 4(4):662--673, Dec. 2009. Google ScholarDigital Library
- D. E. Sanger. Obama order sped up wave of cyberattacks against Iran. The New York Times, June 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacksagainst-iran.html.Google Scholar
- B. Simons. Report on the Estonian Internet voting system. Verified Voting Blog, Sept. 2011. https://www.verifiedvoting.org/report-on-the-estonian-internet-voting-system-2/.Google Scholar
- P. B. Stark. Super-simple simultaneous single-ballot risk-limiting audits. In Proceedings of the USENIXElectronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE), Aug. 2010. Google ScholarDigital Library
- K. Thompson. Reflections on trusting trust. Commun. ACM, 27(8):761--763, Aug. 1984. Google ScholarDigital Library
- I. Traynor. Russia accused of unleashing cyberwar to disable Estonia. The Guardian, May 2007. http://www.theguardian.com/world/2007/may/17/topstories3.russia.Google Scholar
- I. Traynor. GCHQ: EU surveillance hearing is told of huge cyber-attack on Belgian firm. The Guardian, Oct. 2013. http://www.theguardian.com/uk-news/2013/oct/03/gchq-eu-surveillance-cyber-attack-belgian.Google Scholar
- S. Wolchok, E. Wustrow, J. A. Halderman, H. K. Prasad, A. Kankipati, S. K. Sakhamuri, V. Yagati, and R. Gonggrijp. Security analysis of India's electronic voting machines. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), pages 1--14, 2010. Google ScholarDigital Library
- S. Wolchok, E. Wustrow, D. Isabel, and J. A. Halderman. Attacking the Washington, D.C. Internet voting system. In Proceedings of the 16th International Conference on Financial Cryptography and Data Security, Feb. 2012.Google ScholarCross Ref
Index Terms
- Security Analysis of the Estonian Internet Voting System
Recommendations
Internet Voting in Estonia
EGOSE '14: Proceedings of the 2014 Conference on Electronic Governance and Open Society: Challenges in EurasiaInternet voting has become a reality in Estonia differently from all other countries in the world. In the last seven elections increasingly larger share of votes has been submitted online. This research highlights key characteristics of internet voting ...
Security in large-scale internet elections: a retrospective analysis of elections in Estonia, the Netherlands, and Switzerland
Special issue on electronic votingRemote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the ...
Internet voting: structural governance principles for election cyber security in democratic nations
GTIP '10: Proceedings of the 2010 Workshop on Governance of Technology, Information and PoliciesIn Europe, the U.S., and Asia, political and market forces seek expanded use of the Internet for voting and election administrative functions. Governmental responses have differed, but commonly governments omit qualified computer security experts from ...
Comments