
Critical iVote security flaws expose risk of online voting fraud

Security experts have revealed "critical vulnerabilities" in the NSW Electoral Commission's iVote online voting system a week before the state election, which they say have exposed thousands of votes to fraud.

Security experts say the NSW Electoral Commission's iVote system has been compromised. Screenshot by Claire Reilly/CNET

With less than a week to go until the NSW state election, two security experts have uncovered "critical vulnerabilities" with the NSW Electoral Commission's online voting portal. While the Commission has moved to fix the issue, the academics say the security flaw has exposed "tens of thousands of votes to potential manipulation".

Introduced in 2011, the iVote system allows Australians with disabilities and vision impairments, as well as those living in remote areas of the country, to cast a secret ballot online.

Vanessa Teague from the University of Melbourne and J. Alex Halderman from the University of Michigan highlighted security issues with the system on a Princeton University blog yesterday, revealing how iVote servers are prone to the recently discovered "FREAK attack".

Uncovered by researchers earlier this month, the decade-old FREAK attack flaw had both Apple and Google scrambling to secure their Safari and Android browsers after they were found to be vulnerable to hackers. It was later revealed that Microsoft Windows was also susceptible to FREAK, leaving communications between computers and seemingly secure websites open to interception.

In revealing the iVote issues, Teague and Halderman said the electronic voting system utilised an external server with "very poor security" that left it vulnerable to a range of SSL attacks, including FREAK. According to the security experts, a hacker could "exploit the FREAK attack to manipulate the voter's connection to [the external server]...and inject malicious JavaScript into the iVote site".

"We discovered a major security hole allowing a man-in-the-middle attacker to read and manipulate votes," they wrote. "We also believe there are ways to circumvent the verification mechanism."

When using the iVote site, registered voters are given an 8-digit iVote ID number and asked to choose a 6-digit PIN. Once they have logged on to iVote with these credentials to cast their vote, they receive a 12-digit receipt number which they can then use to verify their vote on a telephone verification line as an optional final step.

However, because of the "critical vulnerabilities" on the iVote site, Teague and Halderman argued that these secure identifiers are open to third parties, meaning votes can be read, manipulated or altered. The researchers studied code and design documents behind iVote and built a proof of concept that demonstrated how the site's flaws "could be used by an attacker to steal votes".

"In our demonstration, the malicious network injects code that stealthily substitutes a different vote of the attacker's choosing," they wrote. "We also show how the attacker can steal the voter's secret PIN and receipt number and send them, together with the voter's secret ballot choices, to a remote monitoring server."

The security experts also wrote about issues with vote verification, saying there were a number of points of weakness in the iVote system that could be exploited by hackers. Because voters are instructed to verify their votes by a website that is itself vulnerable, they could be directed to an incorrect phone verification line, or the instructions to verify might not be displayed at all.

"An unverifiable Internet voting system may seem to be secure but actually be subject to undetectable electoral fraud," they wrote. "In a way, iVote is worse: a system that seems to be verifiable but possibly isn't."

Teague and Halderman reported the vulnerability to CERT Australia on Friday March 20 at 2:00 p.m., and confirmed that the Electoral Commission updated its iVote portal to disable code from the insecure external server. However, they argue that because the system had been operating insecurely for almost a week, votes were still potentially compromised.
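A defender-side check for the dependency described above, as an added example (not code from the researchers or the Electoral Commission): it lists every script a page loads from a host other than its own, since each such host's TLS configuration becomes part of the page's trust boundary. The page URL, hostnames and markup are constructed placeholders, and the `integrity` (Subresource Integrity) flag is an assumed mitigation that the article does not discuss.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hostnames are placeholders, not the real iVote markup.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/monitor.js"></script>
<script src="//cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def external_scripts(page_url, html):
    """Return one finding per script served from a host other than the page's."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and // URLs
        parts = urlsplit(absolute)
        if parts.hostname == page_host:
            continue  # same host: already covered by the page's own TLS setup
        findings.append({
            "url": absolute,
            "host": parts.hostname,
            "plaintext": parts.scheme != "https",
            "pinned": bool(integrity),  # True if an integrity attribute is set
        })
    return findings

if __name__ == "__main__":
    for finding in external_scripts("https://vote.example.gov/login", SAMPLE_PAGE):
        print(finding)
```

Each host reported here needs the same TLS scrutiny as the voting site itself; an unpinned entry means whoever controls or intercepts that connection controls the code running in the voter's session.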

The academics have argued that iVote's vulnerability "illustrates once again why Internet Voting is hard to do securely."

"NSW should cut its losses and back away from voting online at least until there are fundamental advances in computer security. In the meantime, there's another week of voting left -- who knows what else could go wrong?"

It's not the first time iVote has made headlines in the lead-up to the March 28 election. The system was "paused" for six hours last week when it emerged that two political parties had been mistakenly left out of the 'above-the-line' section of the Upper House ballot paper.

The Electoral Commission said the 19,000 votes that had been cast up until that point were still valid, but that voters were able to log back into the system to check or change their vote.

The NSW Electoral Commission has been contacted for comment.