Security Analysis of the Estonian Internet Voting System | Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
Abstract
Estonia was the first country in the world to use Internet voting nationally, and today more than 30% of its ballots are cast online. In this paper, we analyze the security of the Estonian I-voting system based on a combination of in-person election observation, code review, and adversarial testing. Adopting a threat model that considers the advanced threats faced by a national election system, including dishonest insiders and state-sponsored attacks, we find that the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections. In experimental attacks on a reproduction of the system, we demonstrate how such attackers could target the election servers or voters' clients to alter election results or undermine the legitimacy of the system. Our findings illustrate the practical obstacles to Internet voting in the modern world, and they carry lessons for Estonia, for other countries considering adopting such systems, and for the security research community.
Information & Contributors
Information
Published In
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
Copyright © 2014 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 03 November 2014
Qualifiers
- Research-article
Conference
Acceptance Rates
CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
Bibliometrics
Article Metrics
- Downloads (Last 12 months): 1,118
- Downloads (Last 6 weeks): 111
Reflects downloads up to 01 Feb 2025