Moscow's blockchain voting system cracked a month before election

French researcher nets $15,000 prize for finding bugs in Moscow's Ethereum-based voting system.
Written by Catalin Cimpanu, Contributor
Moscow, Russia

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election.

Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election.

Moscow blockchain voting system encryption broken in 20 minutes

Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes.

"It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available," Gaudry said in a report published earlier this month.

"Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created," he added.

What an attacker can do with these encryption keys is currently unknown, since the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further.

"Without having read the protocol, it is hard to tell precisely the consequences, because, although we believe that this weak encryption scheme is used to encrypt the ballots, it is unclear how easy it is for an attacker to have the correspondence between the ballots and the voters," the French researcher said.

"In the worst case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote."

A first-of-its-kind system

Moscow's blockchain voting system is a first of its kind. It was developed in-house by the Moscow Department of Information Technology, and works as a "smart contract" on top of the Ethereum blockchain platform.

The voting system is set to go live on September 8, and will run for 12 hours, in sync with the official voting session.

Once deployed on election day (September 8), it will allow Moscow residents to vote in the election via the internet, via their phones or home computers, and have their votes cryptographically recorded on the public Ethereum blockchain.

This internet and blockchain-based voting system isn't limited just to people traveling abroad or people with disabilities. Everyone who registers in advance can use it, meaning it has the potential to attract people who'd normally skip election days.

When deployed next month, Moscow's internet voting system would become the first blockchain-based system used in a legally binding election, and not just in limited tests.

Moscow officials promise a fix

The French academic was able to test Moscow's upcoming blockchain-based voting system because officials published its source code on GitHub in July, and asked security researchers to take their best shots.

Following Gaudry's discovery, the Moscow Department of Information Technology promised to fix the reported issue -- the use of a weak private key.

"We absolutely agree that 256x3 private key length is not secure enough," a spokesperson said in an online response. "This implementation was used only in a trial period. In few days the key's length will be changed to 1024."

Gaudry, who discovered that Moscow officials modified the ElGamal encryption scheme to use three weaker private keys instead of one, couldn't explain why the IT department chose this route.

"This is a mystery," the French researcher said. "The only possible explanation we can think of is that the designers thought this would compensate for the too small key sizes of the primes involved. But 3 primes of 256 bits are really not the same as one prime of 768 bits."

However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.

This design decision also baffled Chris Roberts, Chief Security Strategist at Attivo Networks.

"Why on this planet would the developers of the platform choose a weak length in the first place is obviously a question. Is it lack of knowledge and understanding? Or simply looking to maximize speed and efficiency or something else," Roberts said.

"The US system COULD learn a lot from Mother Russia"

"There is a good side to this," he added. "The fact that Moscow allowed others to look at the code, research it and then help them secure it."

Furthermore, Moscow officials also approved a monetary reward for Gaudry, who according to Russian news site Meduza, stands to make one million Russian ruble, which is just over $15,000.

According to a previous report from July, Gaudry's reward is near the top prize the Moscow local government promised bug hunters when it put the code on GitHub, which was 1.5 million Russian ruble ($22,500).

"The US system COULD learn a lot from Mother Russia on this one," Roberts said, referring to the plethora of growing pains the US has been going through recently while trying to secure its electronic voting machines.

These growing pains mostly come from voting machine vendors, who are refusing to engage with the cyber-security community, something the Moscow government had no problem doing.

This closed-source nature around electronic voting machines and election systems used in the US is the reason why Microsoft recently announced plans to open-source on GitHub a new technology for securing electronic voting machines.

Photos: Retro computer games that Eastern Europe played as Iron Curtain fell

Related cybersecurity coverage:

Editorial standards