The NSW Electoral Commission (NSWEC) has claimed it is not impacted by the security issues that were disclosed about the Swiss e-voting system overnight, thanks to using an air-gapped machine, even though the flaw exists in its iVote system.
"The identification of this issue does not affect the use of iVote for the NSW State election," the NSW Electoral Commission said in a statement.
As described by security researchers Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague, the flaw is found in the mixnet component that shuffles votes in an effort to remove the ability to link votes to individual electors.
"The implementation of the commitment scheme in the SwissPost-Scytl mixnet uses a trapdoor commitment scheme, which allows anyone who knows the trapdoor values to generate a shuffle-proof transcript that passes verification but actually alters votes," the researchers said.
"This allows undetectable vote manipulation by an authority who implemented or administered a mix server."
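To make the researchers' point concrete, here is an added example (not code from the article, the researchers, or the SwissPost-Scytl system) using a toy Pedersen commitment. It shows that whoever knows the trapdoor can open one commitment to two different values, and a verifier-side check that the commitment parameter was derived from a public seed rather than chosen by the operator. The group parameters, function names and seed are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration: safe prime P = 2*Q + 1, G generates the order-Q subgroup.
# Discrete logs are trivially brute-forceable at this size; a real system uses a far larger group.
P, Q, G = 1019, 509, 4

def commit(m, r, h):
    """Pedersen commitment C = G^m * h^r mod P."""
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P

def verify_opening(c, m, r, h):
    return c == commit(m, r, h)

def setup_with_trapdoor():
    """Weak setup: the party that picks h = G^t keeps the trapdoor t."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t

def equivocate(m, r, m_new, t):
    """With t known, solve m + t*r = m_new + t*r_new (mod Q) for r_new."""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q

def derive_h(seed: bytes):
    """Verifiable setup: hash a public seed into the subgroup so nobody chooses log_G(h)."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the order-Q subgroup
        if h not in (0, 1, G):
            return h
        counter += 1

def check_parameters(h, seed: bytes):
    """Verifier-side check: accept h only if it re-derives from the published seed."""
    return h == derive_h(seed)

if __name__ == "__main__":
    h, t = setup_with_trapdoor()
    c = commit(7, 123, h)                      # commit to the value 7
    r_new = equivocate(7, 123, 9, t)           # trapdoor holder re-opens it as 9
    print("opens as 7:", verify_opening(c, 7, 123, h))
    print("opens as 9:", verify_opening(c, 9, r_new, h))
    seed = b"constructed-public-seed"          # constructed sample value
    print("derived h accepted:", check_parameters(derive_h(seed), seed))
```

Both openings verify, so the commitment is not binding against the party that generated `h`. A proof that relies on such commitments is only sound if verifiers can confirm, as in `check_parameters`, that no one knows the trapdoor.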
However, the NSWEC claims it is unaffected because its mixnet is not connected to any systems, and is "securely housed" at the NSWEC.
"In order for this weakness to be an issue, a person would need to gain access to the physical machine. They would need all the right credentials and the right code to alter the software," a spokesperson for NSWEC said.
"Our processes reduce this risk as we specifically separate the duties of people on the team and control access to the machine to reduce the potential for an insider attack."
The electoral commission said Scytl is still delivering a patch for the flaw, and that it is confident in the security of iVote.
"iVote is an important voting channel to ensure equal access to democracy, particularly for people with disability and remote voters, and we will continue working to strengthen its operation," the spokesperson said.
On Twitter, Lewis pointed out the high level of auditing the system was subjected to.
"I also think it's very important that everyone who might find themselves in a nation implementing electronic voting is aware of how many audits, and public puffery the Swiss election system has gone through. It is very important you understand how well audited this system was," the researcher said.
Two other researchers also discovered the mixnet flaw.
Once again, the findings appeared close to a week out from polling day.
"The commission has now had time to review the claims made by Dr Teague and Dr Halderman, and has received advice from our information security auditors," the NSWEC said at the time. "The commission's principal security advisers CSC Cyber Security ANZ noted that Dr Teague and Dr Halderman's claims about the vulnerabilities in iVote are overstated.
"The proposed FREAK attack requires a high level of technical expertise and a number of pre-conditions to be successful, and as such is not considered a real threat to iVote. We have been advised that the likelihood of someone intercepting votes online using this approach is as real as a malicious postman replacing a postal vote."
The similarities between the incidents do not end there, with Scytl questioning the motivation of the researchers, as the NSWEC did four years ago.
The iVote system has subsequently been used in elections in Western Australia.
The NSW Electoral Commission's CIO Ian Brightwell has said that human error was at the core of an electronic ballot problem on the NSW iVote system that may have the potential to see some of the results from last month's state election thrown into question.