Last week, Swiss Post’s recently launched online voting system’s source code was leaked. The experts who examined the code reported that the system is poorly designed and makes it difficult to audit the code for security and configure it to operate securely.
Swiss Post, Switzerland’s national postal service, also launched a fully verifiable system and a bug bounty program this month to test the system’s resilience to attacks. According to a Motherboard report, “critics are already expressing concern about the system’s design and about the transparency around the public test.”
Nathalie Dérobert, a spokeswoman for Swiss Post, said the public intrusion test is not meant to be an audit of the code “or to prove the security of the Swiss Post online voting system.” Instead, it’s meant to help inform the developers about improvements they need to make.
In an email, Dérobert wrote, “Security is a process and even if the source code passed numerous previous security audits, we expected criticism and even outright negative comments. After all, that is the whole point of publishing the source code: we want a frank response and an honest discussion about the merits and shortcomings of our work… [W]e are determined to take up the negative comments, discuss them with our developing partner Scytl and to get in touch with the people where we see a benefit.”
As for the public test of the new online system, more than 2,000 people have registered. The test will take place from February 25 to March 24. As per the rules, the bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. The Swiss Post is making the source code for the software available to participants. However, the code wasn’t supposed to be open to just anyone to examine.
Swiss Post responded to the publication of the code by saying the source code was not leaked, as it was already available to anyone who wanted to see it—as long as they registered with Swiss Post. Swiss Post also wrote that there is no NDA or confidentiality agreement preventing anyone from publishing information about the source code or citing parts of it, but the statement said nothing about the Scytl technical documents themselves or the architecture and protocol information they contain.
Cryptography experts who examined the allegedly leaked code said: “the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.”
Sarah Jamie Lewis, a former security engineer for Amazon and a former computer scientist for England’s GCHQ intelligence agency, said, “Most of the system is split across hundreds of different files, each configured at various levels. I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”
Lewis said that the system relies on cryptographic techniques that are fairly new to the field and that must be implemented in very specific ways for the system to be auditable, but the design the programmers chose thwarts this.
“Someone could wire the thing in the wrong place and suddenly the system is compromised. And when you’re talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make”, Lewis added.
The voting system was developed by Swiss Post and the Barcelona-based company Scytl, which was formed by a group of academics who spun it off of their research work at the Universidad Autónoma de Barcelona (Autonomous University of Barcelona) in 2001. “Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for the configuration. Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt. But there are reasons to be concerned about such claims”, Motherboard reports.
Matthew Green, a noted cryptographer who teaches cryptography at Johns Hopkins University, said that the system is highly complex and “at this point, I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography. And even then I’d be concerned, given the stakes.”
To know more about this news, head over to Motherboard’s complete coverage.