July 14, 2024

Switzerland’s e-voting system has predictable implementation blunder

Last year, I published a 5-part series about Switzerland’s e-voting system.  Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted.   Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment.

But the Swiss Post e-voting system (that Switzerland uses) addresses the malware-in-voter-computer problem in an interesting way that’s worth taking seriously.  Each voter is sent a piece of paper with some special “return codes” that are never seen by the voter’s computer, so any potential malware can’t learn them.  And each voter is instructed to follow a certain protocol, checking the return codes shown on their screen against the return codes on the paper.

I described how it works here.  And then here I described some attacks and vulnerabilities, “threats that their experts didn’t think of”.   And one of those I wrote as,

The hacked app can change the protocol, at least the part of the protocol that involves interaction with the voter, by giving the voter fraudulent instructions.  There could be a whole class of threats there; I invite the reader to invent some.

When I say “predictable implementation blunder”, well, I predicted something like this.  But it’s a bit worse than I thought.

Andreas Kuster is a Swiss computer scientist living abroad, and a few months ago he received his election packet in the mail from his home canton of St. Gallen.  He discovered that the Swiss Post e-voting system had made a basic blunder:  the instructions telling the voter how to perform the return-code-checking protocol are not printed on the paper; they appear only on the voting website itself.   That means that if the voter’s computer is hacked by malware, the malware can direct the voter to a fake website with different instructions and a useless protocol. Or, as Kuster demonstrates, the malware can install a browser plug-in that alters the behavior of the real website.

He immediately notified Swiss Post, following their “responsible disclosure” protocol, and waited out the 90-day period during which he didn’t go public.  There has been no remedy, so now he has gone public.

Kuster’s fake protocol is not exactly what I imagined; it’s better.  He explains it all in his blog post.   Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what’s on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn’t know what’s on the paper, that web-form entry is just for show: the malware can accept whatever the voter types and report success, so the comparison that is supposed to catch a changed vote never takes place. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video.

Up front in his article is a good-faith explanation to Swiss voters about how they should use the real protocol to protect their vote.  That is, he gives the instructions that Swiss Post should have printed on the paper.  That’s useful, except for the millions of voters who won’t see his article:  their votes could be at risk.

When I say, “worse than I thought”, it never occurred to me that the voter’s paper packet would have no description of the protocol, that they would leave the entire description of the protocol to the website that the protocol is supposed to protect.  That’s a blunder.
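To make the difference between the two attacks concrete, here is a small simulation I have added to this post (it is my own illustration, not Swiss Post’s code and not Kuster’s). It models the return-code protocol in a deliberately simplified way: a single constructed voter secret, known to the printing office but never to the voter’s computer, yields one code per candidate (real return codes are short numeric codes produced by separate control components; the HMAC derivation, the candidate names, and the constant PAPER_SECRET are assumptions for the example). It then runs three client behaviors against two kinds of voter: one whose only instructions come from the website, and one who has been told on paper what the website must do.

```python
import hashlib
import hmac

# Constructed sample data for this example; not from the Swiss Post system.
CANDIDATES = ("Alice", "Bob", "Carol")
PAPER_SECRET = b"voter-12345-secret-printed-only"  # assumed: known to the printing office only


def derive_return_codes(paper_secret: bytes, candidates=CANDIDATES) -> dict:
    """Simplified printing office: one short return code per candidate, derived
    from a voter-specific secret. These codes go on paper and never to the PC."""
    return {
        c: hmac.new(paper_secret, c.encode(), hashlib.sha256).hexdigest()[:8].upper()
        for c in candidates
    }


class VotingServer:
    """Toy election server: records the vote it receives and answers with the
    return code for that vote. (In the real system this is split across control
    components; one server stands in for them here.)"""

    def __init__(self, paper_secret: bytes):
        self._codes = derive_return_codes(paper_secret)
        self.recorded = None

    def cast(self, choice: str) -> str:
        self.recorded = choice
        return self._codes[choice]


# --- three client behaviours -------------------------------------------------

def honest_client(server, choice):
    """The genuine website: send the voter's choice, then SHOW the code returned."""
    code = server.cast(choice)
    return {"shown_code": code, "asks_voter_to_type": False}


def vote_flipping_malware(server, choice, target="Bob"):
    """Malware that changes the vote but keeps the protocol. The server answers
    with the code for the flipped vote, so a voter who compares will notice."""
    code = server.cast(target)
    return {"shown_code": code, "asks_voter_to_type": False}


def protocol_changing_malware(server, choice, target="Bob"):
    """Kuster's variant: flip the vote AND replace the display step with a form
    asking the voter to type in the paper codes. The malware never learns the
    codes; the form is just for show and always 'succeeds'."""
    server.cast(target)
    return {"shown_code": None, "asks_voter_to_type": True}


# --- two voter behaviours ----------------------------------------------------

def voter_following_screen(paper_codes, choice, screen):
    """A voter whose only instructions are whatever the website says."""
    if screen["asks_voter_to_type"]:
        return "accepted"  # typed the codes into the form, saw 'thank you', done
    return "accepted" if screen["shown_code"] == paper_codes[choice] else "rejected"


def voter_following_paper(paper_codes, choice, screen):
    """A voter told on paper: the site must SHOW the code for your choice;
    never type the paper codes into the site."""
    if screen["asks_voter_to_type"]:
        return "rejected"
    return "accepted" if screen["shown_code"] == paper_codes[choice] else "rejected"


def run(client, voter, choice="Alice"):
    """Return (what the server recorded, what the voter concluded)."""
    server = VotingServer(PAPER_SECRET)
    paper_codes = derive_return_codes(PAPER_SECRET)  # the printed sheet
    screen = client(server, choice)
    return server.recorded, voter(paper_codes, choice, screen)


if __name__ == "__main__":
    for client in (honest_client, vote_flipping_malware, protocol_changing_malware):
        for voter in (voter_following_screen, voter_following_paper):
            print(f"{client.__name__:26s} {voter.__name__:24s} -> {run(client, voter)}")
```

The two rows that matter are the protocol-changing malware ones: the voter who takes instructions from the screen ends up with a recorded vote for Bob and an “accepted” verification, while the voter who has the rule on paper rejects the session. Nothing in the cryptography changed between those two rows; only where the instructions live.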

  1. Shymaa M Arafat says

    1-Can I ask how they prevent or detect post office leakage, from the guys on the printers/envelopes to postmen opening the letters of absent voters?
    Does the voting application contain a phase recognition part? Do they depend on audits for checking users’ real identity?
    2-Have you studied the Estonian e-voting system as well?
    About the QR code revealing the vote, is this equally likely for all QR or cryptographic receipts in general?
    If so, and adding courts’ opinion on them, and the possibility of swapping receipts as mentioned here ( https://eprint.iacr.org/2022/1653) on the French FLEP 2022, are they that useful compared to somehow clearer receipts that judges can check themselves without experts?

  2. Libor Supcik says
    • Andrew Appel says

      Just to be clear, that TED talk from 13 years ago is about a system that uses *paper ballots* in a physical polling place on election day, so it’s not really relevant to a discussion about remote internet voting.

  3. Cory Wagner says

    Malicious insiders changing the vote is essentially the American Republican Party voting model.

    This is how they secured George W. Bush in 2000 and then Trump in 2016.

    Everyone on the planet needs to read this article but most won’t understand what it means.

    Can you kindly make a youtube video of this and post it up on social media and news aggregator sites like Reddit to get your voice heard?

    Use the Einstein model of explaining this like a 7 year old could understand it, so that it makes maximum impact.
