NSW iVote vulnerability 'overstated'

Researchers' claims that the New South Wales online iVote system was vulnerable to a FREAK attack have been overstated, according to the state's Electoral Commission, which has questioned the researchers' motives.

The New South Wales Electoral Commission (NSWEC) has questioned a report by security researchers that its online iVote system was vulnerable to a FREAK attack, saying that the researchers' claims have been overstated.

Over the weekend, it emerged that researchers Vanessa Teague from the University of Melbourne's Department of Computing and Information Systems, and J Alex Halderman from the University of Michigan Centre for Computer Security, had found that although the Electoral Commission's online voting website used a safe SSL configuration, it included JavaScript from an external server used to track site visitors.

This, they said in their research findings, would have left the iVote site open to a range of attacks, including FREAK. The findings were made public just a week out from the NSW election.
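The weakness the researchers describe is a page whose own TLS is sound but which pulls a script from a third-party host, so the page is only as safe as that host's transport. Below is an added defender-side audit (not code from the researchers, the NSWEC or ZDNet) that lists every cross-origin script on a page and flags those with no Subresource Integrity hash or loaded over plain HTTP; the HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> on a page together with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, integrity-or-None)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_external_scripts(html, page_url):
    """Return (script_url, reason) for each script served from an origin other than the page's.

    Same-origin and relative scripts are skipped: they ride on the page's own TLS.
    A third-party script pinned with SRI is not reported, because a tampered copy
    would fail the hash check in the browser even if that host's transport were weak.
    """
    page = urlparse(page_url)
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        u = urlparse(src, scheme=page.scheme)  # "//host/x" inherits the page scheme
        if not u.netloc:
            continue  # relative path, same origin
        if u.scheme == page.scheme and u.netloc.lower() == page.netloc.lower():
            continue  # same origin
        if u.scheme != "https":
            findings.append((src, "third-party script over non-HTTPS"))
        elif not integrity:
            findings.append((src, "third-party script without Subresource Integrity"))
    return findings


# Constructed sample page: one same-origin script, one analytics include with no SRI,
# one SRI-pinned CDN script (placeholder hash) and one script fetched over plain HTTP.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://vote.example.org/static/vendor.js"></script>
<script src="https://analytics.example.net/track.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://cdn.example.com/old.js"></script>
</head></html>"""

if __name__ == "__main__":
    for url, reason in audit_external_scripts(SAMPLE_HTML, "https://vote.example.org/"):
        print(f"{reason}: {url}")
```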

The commission removed the externally hosted analytics tool soon after the researchers' claims were made public. However, the Electoral Commission said that it has now had time to investigate the claims made by the researchers, and found that while a vulnerability was present, it would have been extremely difficult to exploit.

"The commission has now had time to review the claims made by Dr Teague and Dr Halderman, and has received advice from our information security auditors," the NSWEC said in a statement released late Wednesday. "The commission's principal security advisers CSC Cyber Security ANZ noted that Dr Teague and Dr Halderman's claims about the vulnerabilities in iVote are overstated.

"The proposed FREAK attack requires a high level of technical expertise and a number of pre-conditions to be successful, and as such is not considered a real threat to iVote. We have been advised that the likelihood of someone intercepting votes online using this approach is as real as a malicious postman replacing a postal vote," it said.

Meanwhile, the NSW Electoral Commission's CIO Ian Brightwell has questioned the researchers' motivation for releasing their findings only a week prior to the state election.

"Vanessa and Alex ... they represent themselves as these benevolent researchers running around the countryside to help, and to a certain extent they are -- they're very capable and competent in that area -- but they also are both members of an anti-internet voting lobbying group in the US called Verify Voting," Brightwell told ZDNet earlier this week.

Verify Voting, which bills itself as a non-governmental organisation working toward "accuracy, integrity, and verifiability of elections", and claims a mission of "safeguarding elections in the digital age", lists both Halderman and Teague among its advisors.

Additionally, the Electoral Commission claims that it did not receive the researchers' findings until after they had been distributed to local media outlets and Australia's Computer Emergency Response Team.

"The commission takes the security of all its systems, including iVote, very seriously," the NSWEC said in its statement. "While we welcome constructive comment, we are disappointed with the fact that Dr Teague and Dr Halderman ... did not provide their report to the commission prior to releasing it to the media."

The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters and those living in rural areas who have difficulty reaching polling places, but the government is expanding the use of the iVote system as part of the election on March 28, and has taken more than 66,000 votes since early polling opened last week.
