NSW Electoral Commission scrambles to patch iVote flaw

The analytics service used by the New South Wales electronic voting system, iVote, left voters vulnerable to having their ballots changed, according to security researchers.

The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters and those living in rural areas who have difficulty reaching polling places, but the government is expanding the use of the iVote system as part of the election on March 28, and has taken approximately 66,000 votes since early polling opened last week.

Researchers Vanessa Teague from the Department of Computing and Information Systems at the University of Melbourne, and J Alex Halderman from the University of Michigan Centre for Computer Security, found that while the voting website uses a safe SSL configuration, it includes JavaScript from an external server that is used to track site visitors. This, they said, would leave the iVote site open to a range of attacks, including FREAK.

Apple and Google were forced to patch their own browsers after it was found that the FREAK flaw could force browsers to use a weaker encryption cipher, leaving it vulnerable to man-in-the-middle attacks that can intercept and manipulate traffic.

The researchers discovered that the FREAK attack could be used to change how a person votes using iVote, without the voter ever being aware.

The flaw was notified to CERT Australia on Friday, and the researchers said that iVote disabled the analytics code on Saturday. However, given that the polls have been open since March 16, many voters could have had their vote compromised.

Up until polling day, voters can log in and change their vote on the iVote system.

The researchers stated that given the main gateway to the iVote site runs plain HTTP, it is still vulnerable to the ssl_strip attack.

A spokesperson for the NSW Electoral Commission had not responded to requests for comment at the time of writing, but NSWEC CIO Ian Brightwell told the ABC that the system is safe.

"We are confident, however, that the system is yielding the outcome that we actually initially set out to yield, and that is that the verification process is not telling us any faults are in the system."

In 2014, Brightwell told ZDNet that the use of two servers for voting verification improved the security of the voting system.

"That means if you're going to tamper with the vote, you must tamper with both votes, because that's the only way you won't be detected when we do a comparison downstream," Brightwell said.

"If you tamper with both votes, then the vote that is sent to the verification server won't be the same as the vote you submitted, so the person who verifies their vote will say they didn't vote that way.

"In that case, we will delete their vote and give them another vote."

NSWEC has so far resisted calls to make the code of the iVote system open.

"Just providing source code on the internet for people to review isn't actually going to get you much of an outcome, because the only people who can truly review that source code, build the system, and test it are people with significant skills, and, quite frankly, quite a bit of time on their hands," he said.

"We'd be delighted to have those people to do that exact task. What we're not so delighted with is people who are somewhat less skilled and knowledgeable actually asking lots of questions and taking up time of very valuable resources with no obvious benefit.

"So we're kind of reluctant to make it publicly available in the sense of available to anyone."

Last week, the iVote system needed to be taken offline and updated after it was revealed that two parties were left off the above-the-line section of the ballot form.