Security Analysis of the Estonian Internet Voting System

Authors:
Drew Springall

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Travis Finkenauer

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Zakir Durumeric

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Jason Kitcat

Open Rights Group, Brighton & Hove, United Kingdom

Open Rights Group, Brighton & Hove, United Kingdom
View Profile

,
Harri Hursti

Unaffiliated, Unaffiliated, USA

Unaffiliated, Unaffiliated, USA
View Profile

,
Margaret MacAlpine

Unaffiliated, Unaffiliated, USA

Unaffiliated, Unaffiliated, USA
View Profile

,
J. Alex Halderman

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityNovember 2014Pages 703–715https://doi.org/10.1145/2660267.2660315

Published:03 November 2014Publication History

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 703–715

ABSTRACT

Estonia was the first country in the world to use Internet voting nationally, and today more than 30% of its ballots are cast online. In this paper, we analyze the security of the Estonian I-voting system based on a combination of in-person election observation, code review, and adversarial testing. Adopting a threat model that considers the advanced threats faced by a national election system---including dishonest insiders and state-sponsored attacks---we find that the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections. In experimental attacks on a reproduction of the system, we demonstrate how such attackers could target the election servers or voters' clients to alter election results or undermine the legitimacy of the system. Our findings illustrate the practical obstacles to Internet voting in the modern world, and they carry lessons for Estonia, for other countries considering adopting such systems, and for the security research community.

References

B. Adida. Helios: Web-based open-audit voting. In Proceedings of the 17th USENIX Security Symposium, Aug. 2008. Google ScholarDigital Library
A. Ansper, A. Buldas, M. Oruaas, J. Priisalu, A. Veldre, J. Willemson, and K. Virunurm. E-voting concept security: analysis and measures. Technical Report EH-02-01, Estonian National Electoral Committee, 2003.Google Scholar
A. W. Appel. Security seals on voting machines: A case study. ACM Trans. Inf. Syst. Secur., 14(2):18:1--18:29, Sept. 2011. Google ScholarDigital Library
J. Applebaum, J. Horchet, and C. Stöcker. Shopping for spy gear: Catalog advertises NSA toolbox. Der Spiegel, Dec. 2013. http://www.spiegel.de/international/world/catalog-reveals-nsa-has-backdoors-for-numerous-devices-a-940994.html.Google Scholar
J. Benaloh, M. Byrne, P. T. Kortum, N. McBurnett, O. Pereira, P. B. Stark, and D. S. Wallach. STAR-Vote: A secure, transparent, auditable, and reliable voting system. CoRR, abs/1211.1904, 2012.Google Scholar
J. Bretschneider, S. Flaherty, S. Goodman, M. Halvorson, R. Johnston, M. Lindeman, R. L. Rivest, P. Smith, and P. B. Stark. Risk-limiting post-election audits: Why and how, Oct. 2012. http://www.stat.berkeley.edu/~stark/Preprints/RLAwhitepaper12.pdf.Google Scholar
J. A. Calandrino, J. A. Halderman, and E. W. Felten. Machine-assisted election auditing. In Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), 2007. Google ScholarDigital Library
D. Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy, 2(1):38--47, Jan 2004. Google ScholarDigital Library
D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. Rivest, P. Y. A. Ryan, E. Shen, A. Sherman, and P. Vora. Scantegrity II: End-to-end verifiability by voters of optical scan elections through confirmation codes. IEEE Transactions on Information Forensics and Security, 4(4):611--627, Dec. 2009. Google ScholarDigital Library
M. Clayton. Ukraine election narrowly avoided "wanton destruction" from hackers. Christian Science Monitor, June 2014. http://www.csmonitor.com/World/ Security-Watch/Cyber-Conflict-Monitor/2014/0617/Ukraine-election-narrowly-avoided-wantondestruction-from-hackers-video.Google Scholar
Cybernetica AS. Internet voting solution, 2013. Accessed: May 13, 2014, http://cyber.ee/uploads/2013/03/cyber_ivoting_NEW2_A4_web.pdf.Google Scholar
D. Danchev. Study finds the average price for renting a botnet. ZDNet, May 2010. http://www.zdnet.com/blog/security/study-finds-theaverage-price-for-renting-a-botnet/6528.Google Scholar
Estonian Certification Authority. Avaleht. In Estonian. http://www.id.ee/.Google Scholar
Estonian Certification Authority. Kasulik tugiinfomobiil-id kohta. In Estonian. http://mobiil.id.ee/kasulik-tugiinfo/.Google Scholar
Estonian Certification Authority. Mis on ID-tarkvara? In Estonian. https://installer.id.ee/.Google Scholar
Estonian Information System's Authority. Public key infrastructure PKI, May 2012. https://www.ria.ee/public-key-infrastructure/.Google Scholar
Estonian Internet Voting Committee. Dokumendid, 2013. In Estonian. Accessed: March 2014, http://vvk.ee/valijale/e-haaletamine/e-dokumendid/.Google Scholar
Estonian Internet Voting Committee. Ehk videos, 2013. In Estonian. Accessed: March 2014, https://www.youtube.com/channel/UCTv2y5BPOo-ZSVdTg0CDIbQ/videos.Google Scholar
Estonian Internet Voting Committee. Statistics about Internet voting in Estonia, May 2014. http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics.Google Scholar
Estonian Internet Voting Committee. Using ID-card and mobil-ID, May 2014. https://www.valimised.ee/eng/kkk.Google Scholar
Estonian Ministry of Foreign Affairs. Estonia today, 2012. http://www.euc.illinois.edu/estonia/documents/E-Estonia.pdf.Google Scholar
Estonian National Electoral Committee. Kohaliku omavalitsuse volikogu valimised 2013. In Estonian. http://www.vvk.ee/kohalikud-valimised-2013/.Google Scholar
Estonian National Electoral Committee. Vabariigi valimiskomisjon. In Estonian. Accessed: October 2013, http://www.vvk.ee/.Google Scholar
Estonian National Electoral Committee. Elektroonilise hääletamise süsteemi üldkirjeldus, 2013. In Estonian. http://vvk.ee/public/dok/elektroonilise-haaletamisesysteemi-yldkirjeldus-EH-03-03--1_2013.pdf.Google Scholar
Estonian National Electoral Committee. Valimised: Android Apps on Google Play, Oct. 2013. In Estonian. Accessed: May 13, 2014, https://play.google.com/store/apps/details?id=ee.vvk.ivotingverification.Google Scholar
Estonian National Electoral Committee. Comment on the article published in The Guardian, May 2014. http://vvk.ee/valimiste-korraldamine/vvk-uudised/vabariigi-valimiskomisjoni-vastulause-the-guardianisilmunud-artiklile/.Google Scholar
Estonian National Electoral Committee. Valimised on the App Store on iTunes, Apr. 2014. In Estonian. Accessed: May 15, 2014, https://itunes.apple.com/ee/app/valimised/id871129256.Google Scholar
Estonian National Electoral Committee. Valimised: Windows Phone'i rakenduste+mängude pood (Eesti), Apr. 2014. In Estonian. Accessed: May 15, 2014, https://www.windowsphone.com/et-ee/store/app/valimised/11c10268--343f-461a-9c73--630940d8234b.Google Scholar
Estonian National Electoral Committee, Estonian Internet Voting Committee, and Cybernetica AS. Android based vote verification application for Estonian i-voting system, Sept. 2013. https://github.com/vvk-ehk/ivotingverification.Google Scholar
Estonian National Electoral Committee, Estonian Internet Voting Committee, and Cybernetica AS. e-hääletamise tarkvara, Sept. 2013. Accessed: March 2014, https://github.com/vvk-ehk/evalimine.Google Scholar
Estonian Public Broadcasting. Center Party petitions European human rights court over e-voting, Sept. 2013. Accessed: May 14, 2014, http://news.err.ee/v/politics/4ee0c8a2-b9c2--4d28--8ae4-061e7d9386a4.Google Scholar
J. Fleming. EU nations developing cyber "capabilities" to infiltrate government, private targets. EurActiv, Dec. 2013. http://www.euractiv.com/infosociety/eu-nations-lack-common-approach-news-532294.Google Scholar
A. Greenberg. Shopping for zero-days: A price list for hackers? secret software exploits. Forbes, Mar. 2012. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackerssecret-software-exploits/.Google Scholar
The Heartbleed bug, Apr. 2014. http://heartbleed.com/.Google Scholar
S. Heiberg, P. Laud, and J. Willemson. The application of i-voting for Estonian parliamentary elections of 2011. In VOTE-ID, pages 208--223, 2011. Google ScholarDigital Library
G. Hoglund and J. Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley, 2005. Google ScholarDigital Library
ICT Export Cluster. e-estonia.com: The digital society, Aug. 2014. http://e-estonia.com/.Google Scholar
R. Johnston. The real deal on seals: Improving tamper detection. Security Management, 41:93--100, Sept. 1997.Google Scholar
R. Johnston. Some comments on choosing seals and on PSA label seals. In Proceedings of the 7th Security Seals Symposium, 2006. http://www.ne.anl.gov/capabilities/vat/pdfs/choosing-seals-and-using-PSA-seals-2006.pdf.Google Scholar
R. Johnston. Insecurity of New Jersey's seal protocols for voting machines, Oct. 2010. http://www.cs.princeton.edu/~appel/voting/Johnston-AnalysisOfNJSeals.pdf.Google Scholar
R. Johnston and A. R. Garcia. Vulnerability assessment of security seals. Journal of Security Administration, 20:15--27, 1997.Google Scholar
D. W. Jones and B. Simons. Broken Ballots: Will Your Vote Count? Stanford University Center for the Study of Language and Information, 2012.Google Scholar
E. Kain. Report: NSA intercepting laptops ordered online, installing spyware. Forbes, Dec. 2013. Accessed: May 14, 2014, http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-orderedonline-installing-spyware/.Google Scholar
J. Kitcat. Source availability and e-voting: An advocate recants. Commun. ACM, 47(10):65--67, Oct. 2004. Google ScholarDigital Library
B. Laxton, K. Wang, and S. Savage. Reconsidering physical key secrecy: Teleduplication via optical decoding. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), pages 469--478, 2008. Google ScholarDigital Library
M. Lindeman and P. B. Stark. A gentle introduction to risk-limiting audits. IEEE Security & Privacy, 10(5):42--49, 2012. Google ScholarDigital Library
H. Lipmaa. Paper-voted (and why I did so). Blog post, Mar. 2011. http://helger.wordpress.com/2011/03/05/ paper-voted-and-why-i-did-so/.Google Scholar
H. Lipmaa. A simple cast-as-intended e-voting protocol by using secure smart cards, May 2014. http://eprint.iacr.org/2014/348.Google Scholar
Mandiant. APT1: Exposing one of China's cyber espionage units, Feb. 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf.Google Scholar
N. Mediati. How to remotely install apps on your smartphone. TechHive, Nov. 2013. http://www.techhive.com/article/2067005/how-toremotely-install-apps-on-your-smartphone.html.Google Scholar
U. Oja. Paavo Pihelgas: Elektroonilise hääletamise vaatlemine on lihtsalt võimatu, Mar. 2011. In Estonian. http://forte.delfi.ee/news/digi/paavo-pihelgas-elektroonilise-haaletamise-vaatlemineon-lihtsalt-voimatu.d?id=41933409.Google Scholar
F. Paget. Hacking summit names nations with cyberwarfare capabilities. McAfee Blog Central, Oct. 2013. http://blogs.mcafee.com/mcafee-labs/hackingsummit-names-nations-with-cyberwarfare-capabilities.Google Scholar
A. Parsovs. Practical issues with TLS client certificate authentication, Feb. 2014. https://www.internetsociety.org/sites/default/files/12_4_1.pdf.Google Scholar
B. Plumer. Estonia gets to vote online. Why can't America? Wonkblog. The Washington Post, Nov. 2012. http://www.washingtonpost.com/blogs/wonkblog/wp/2012/11/06/estonians-get-to-vote-online-why-cant-america/.Google Scholar
ptrace(2): process trace. Linux Programmer's Manual.Google Scholar
T. Raidma and J. Kase. Kohaliku omavalitsuse volikogu valimiste e-hääletamise protseduuride hindamise löpparuanne, Jan. 2014. In Estonian. http://vvk.ee/public/KOV13/lopparuanne_2013.ddoc.Google Scholar
D. G. Robinson and J. A. Halderman. Ethical issues in e-voting security analysis. In Proceedings of the 2nd Workshop on Ethics in Computer Security Research (WECSR), March 2011. Google ScholarDigital Library
rsyslog: The rocket-fast system for log processing, Apr. 2014. http://www.rsyslog.com/.Google Scholar
P. Y. A. Ryan, D. Bismark, J. Heather, S. Schneider, and Z. Xia. Prêt à voter: A voter-verifiable voting system. Trans. Info. For. Sec., 4(4):662--673, Dec. 2009. Google ScholarDigital Library
D. E. Sanger. Obama order sped up wave of cyberattacks against Iran. The New York Times, June 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacksagainst-iran.html.Google Scholar
B. Simons. Report on the Estonian Internet voting system. Verified Voting Blog, Sept. 2011. https://www.verifiedvoting.org/report-on-the-estonian-internet-voting-system-2/.Google Scholar
P. B. Stark. Super-simple simultaneous single-ballot risk-limiting audits. In Proceedings of the USENIXElectronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE), Aug. 2010. Google ScholarDigital Library
K. Thompson. Reflections on trusting trust. Commun. ACM, 27(8):761--763, Aug. 1984. Google ScholarDigital Library
I. Traynor. Russia accused of unleashing cyberwar to disable Estonia. The Guardian, May 2007. http://www.theguardian.com/world/2007/may/17/topstories3.russia.Google Scholar
I. Traynor. GCHQ: EU surveillance hearing is told of huge cyber-attack on Belgian firm. The Guardian, Oct. 2013. http://www.theguardian.com/uk-news/2013/oct/03/gchq-eu-surveillance-cyber-attack-belgian.Google Scholar
S. Wolchok, E. Wustrow, J. A. Halderman, H. K. Prasad, A. Kankipati, S. K. Sakhamuri, V. Yagati, and R. Gonggrijp. Security analysis of India's electronic voting machines. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), pages 1--14, 2010. Google ScholarDigital Library
S. Wolchok, E. Wustrow, D. Isabel, and J. A. Halderman. Attacking the Washington, D.C. Internet voting system. In Proceedings of the 16th International Conference on Financial Cryptography and Data Security, Feb. 2012.Google ScholarCross Ref

Index Terms

Security Analysis of the Estonian Internet Voting System
1. Social and professional topics
  1. Computing / technology policy

Recommendations

Internet Voting in Estonia
EGOSE '14: Proceedings of the 2014 Conference on Electronic Governance and Open Society: Challenges in Eurasia

Internet voting has become a reality in Estonia differently from all other countries in the world. In the last seven elections increasingly larger share of votes has been submitted online. This research highlights key characteristics of internet voting ...
Read More
Security in large-scale internet elections: a retrospective analysis of elections in Estonia, the Netherlands, and Switzerland
Special issue on electronic voting

Remote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the ...
Read More
Internet voting: structural governance principles for election cyber security in democratic nations
GTIP '10: Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies

In Europe, the U.S., and Asia, political and market forces seek expanded use of the Internet for voting and election administrative functions. Governmental responses have differed, but commonly governments omit qualified computer security experts from ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA
Copyright © 2014 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 November 2014
Check for updates
Author Tags
attacks
case studies
estonia
internet voting
security
security analysis
voting
vulnerabilities
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '14 Paper Acceptance Rate114of585submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 136
  Total Citations
  View Citations
- 7,164
  Total Downloads
- Downloads (Last 12 months)1,155
- Downloads (Last 6 weeks)199
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Security Analysis of the Estonian Internet Voting System

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Internet Voting in Estonia

Security in large-scale internet elections: a retrospective analysis of elections in Estonia, the Netherlands, and Switzerland

Internet voting: structural governance principles for election cyber security in democratic nations