E-voting is (too) secure
Anto Veldre writes about yet another attack against Estonian e-elections that started this week: again political, again not technical.
Responsible and irresponsible disclosure
‘Responsible disclosure’ is a standard practice in the information security community – a person who identifies a security issue doesn't rush to abuse it (to rob a bank or extort money) – but contacts the company that created the software and tells them where exactly the vulnerabilities are, what they look like, etc.
This practice is reasonable, as repairing security holes may be very expensive for some companies, which means that hiding the hole for as long as possible may be economically more beneficial for such companies.
Responsible disclosure policy helps against such delays – at first, the author of the faulty software is given time to correct the error (a month or two), but a date is set when the technical description of the error will be made public. This way, the wolves are fed and the sheep stay safe.
The way responsible disclosure usually works in practice is that the experts who detect the security vulnerability send an accurate, passionless and technical description of the error to the author (the manufacturer of the device or software). For example, citizen X reports that such a security hole (followed by a description) was detected in product Z of company Y.
Technical information, network dump and command line examples are added so other parties can reproduce the error and correct it. A competent specialist looks at the description and immediately understands: “Yep, the hole is here!”. Any specialist following the instructions in the initial report can also reproduce the problem.
Without a detailed description, security errors cannot be confirmed, checked or repaired. It’s up to the reporter to produce the description. In contrast, cartoons, political invective or the drum roll of Siberian shamans proclaiming the end of the world are not the proper way to report security problems. Hysterical cries that the bug will bring about the end of the world tomorrow are likewise useless.
PR incidents, on the other hand, are completely different creatures. They appear in another manner: either as newspaper articles, anonymous phone calls or hints given by friends. The claim made in the case of a PR incident usually is that absolutely everything is kaput, the security hole is the size of the Earth, but the technical information required for checking the claim is not provided.
Stories about the impending end of the world in media publications keep collecting clicks, but the experts who would like to repair the errors never get to discuss details with the accusers or, even if they manage to do so, get no substantive information. But the ‘risk assessment’ thrown into the media is scary, the ‘end of the world’ is coming and cannot be stopped!
Yet another attack
On the evening of the second Sunday in May, a website » appeared from nowhere claiming that things with the e-elections in Estonia had gone all pear-shaped and that there was going to be a press conference at 11 am on Monday. A project-based claim site » had also been prepared about the case.
Although the claim site was not yet up on Sunday, it later became evident that a group of ‘independent experts’ had audited the Estonian e-voting system, found it to be ‘shockingly unsecure’ and the voting results ‘easy to manipulate’, and urged the Republic of Estonia to cancel its online voting.
Quote: "We urgently recommend that Estonia discontinue use of the system." And then: "...use of the Estonian I-voting system should be immediately discontinued."
This was followed by a friendly suggestion: "Estonia has a well organised paper voting system that they should revert to." So, some ‘expert’ arrives and asks the Republic of Estonia to take down one of its public information systems. Immediately! Of course, the Government of the Republic of Estonia can be the only addressee of this demand, as online voting, which is carried out on the basis of law, simply cannot be cancelled at a lower level.
There is also the promise that information about the errors will be given, but… only after the elections?
Why is it bad that e-elections are so secure? Because manipulating such elections is extremely difficult. This doesn’t suit those who are used to achieving what they want by bending the rules. To wit, e-elections don’t enable the sort of grotesque ‘voting’ we saw in Eastern Ukraine last week (and whose more ‘civilised’ variant people who under Commununism still remember).
Maybe the reason for the attack against e-elections is that one or more political parties operating in Estonia would be pleased about such falsification? The foreign experts who’ve been ‘thrown under the bus’ may not even understand that they’re here not because of their technical savvy, but their politically suitable (although technically incompetent) message.
Alleged security holes
The first allegation made by the group of experts is that PCs may be infected with malware. Take note – may be! Cyber hygiene in Estonia is relatively high. It is true that there is more malware circulating in Estonia than in Finland, Denmark or Singapore », but we’re still far ahead of the other Eastern bloc countries.
About that hole. Item 9.2.4 of the an E-voting security analysis commissioned by the National Elections Committee tells us that the possibility of a voter’s computer being exploited was acknowledged back in 2003. What was done with this knowledge?
In a democratic country, it is unthinkable that the State goes to a person’s home, even virtually, and starts creating order in voters’ computers, e.g. by removing malware. That’s why this risk has been acknowledged and marked as an ACCEPTED risk (see the explanations here »).
Voters themselves have to keep their computers clean (at least) during the elections! Of course, using smartcard readers with built in PIN-pads really helps, as this way malware on your computer cannot see your PINs. There’s nothing that malware can do with the ID card – it is a two factor device, so PINs are always required. Even if the card has been glued into the card reader.
Anyway – we were given the general opinion of some expert that the voter’s computer MAY be infected with a virus. It may indeed be. But nice people who care about computer hygiene have no viruses. And if someone is afraid that their computer may be infected, they can always go to the polling station on the day of the elections or use a card reader with a PIN pad. It’s up to the person to decide – do they know what’s going on in their computer or would they rather go to the polling station.
The other serious allegation is that the DVDs from which the e-voting systems are installed MAY be infected. This is a valid claim, THEORETICALLY. Just like a storm hitting Estonia on the day of the elections and paralysing our energy system, the explosion of a neutron bomb on a train arriving at the Main Railway Station or the Sun transforming into a Supernova.
Alright then. How will a DVD and/or the software on it become infected and infect others? Are we talking about an attack against the file system, compromising the software, screwing up the compiler or what exactly is happening, dear e-election experts?
OK. Let’s suppose that there is ‘an attack’. Who on the IT team of the elections are the traitors who lie that the image hashes on the discs are a match, although this is not the case when they’re compared?
As far as we know, no technical descriptions of the attacks have been given to the Election Committee (EC), to us or to anybody else.
Apparently, the group reviewed last year’s e-voting audit videos » on Youtube minute by minute and found some interesting events:
- Debian Linux packages were downloaded from a place that the experts didn’t like.
So they should’ve been downloaded a distro from a .ru or .su website?
- The icon of a poker website could be seen on the desktop (was it actually a poker website or ‘an icon similar to the icon of a poker website’?).
Of course, having this icon on the desktop of course discredits the user of that computer, their country and the entire European Union.
- The RAID controller had a delay recognising a disk.
The RAID controller was obviously infected with BadBIOS and FOXACID at the same time! In addition to the “Bundestrojaner”.
- The WiFi password of the local guest network could be seen on the wall.
Oh dear, because the election servers (with the telephones and computers of all guests) are certainly connected to that WiFi network, their ILO ports greedily open.
- The cameraman who shot the audit filmed an elections observer in such a manner that his password was captured on film.
We do thank you for this observation – we will improve our cameraman’s training – but this is an error of the supporting process (the audit) and not the main process (the elections).
The fact that the e-elections team in corpore change all of their PINs and passwords after the elections isn’t important here.
But… how did these five findings lead to the conclusion that the entire e-election server system has actually been compromised by a foreign country (Russia was explicitly named) and so unsecure that the I-voting must be cancelled?
The experts have not presented descriptions of any repeatable activities that (apart or together) lead to the materialisation of such a scenario.
I remember the meeting in July 2013 where the source code used for the e-voting was made public. During a two-hour meeting, the e-voting team received considerably more constructive feedback from the public than we have now received from the Kitcat team in three days.
US vs Estonia
In North America, the attitude towards any e- or i-voting differs significantly from Estonians’. The first attempts at electronic voting on the other side of the Atlantic were plagued by security holes. Security specialists broke into Diebold’s election machines » (well, kiosk like devices). We were well aware of all this when we launched e-voting in Estonia. Our attitude towards e-voting has been positive, or at least cautiously neutral, from the very beginning. The attitude of the US towards e-voting is strictly negative. There are entire schools of specialists who are ideologically convinced that e-voting is the devil’s playground.
Electronic or online, i.e. i-voting? The Americans only learnt to distinguish between these two in the last couple of years. They couldn’t have online voting (which is what we call i-voting), as they don’t have anything like our ID card and PKI. The real issue isn’t about the physical, plastic ID card, but about a nationally supported PKI system (Public Key Infrastructure), which makes it possible to identify the cardholder remotely by electronic channels and to make sure that the signature they give is authentic. This service, provided by Estonia’s Certificate Authority, is the very ‘magic’ that allows Estonian banks, the Tax Board or small company websites to identify people electronically.
This difference probably led to several hilarious situations during the events organised by the Estonian Centre Party, where examples of attacks against Diebold voting machines were used to preach “the truth” that Estonian e-voting is the deed of The Satan. But comparing Diebold machines with Estonian e-voting system is as comparing wild boar with a toothbrush – both are hairy!
Estonians’ experience with falsifying the paper voting dates back to the Soviet era: The Communist Party always received 97-99% of votes in all polling stations. How? Well, the memories of that voting process could be rather traumatic for “the voters”, featuring free vodka, bribery, broken fingers, swollen testicles or event some cold years in Siberia.
Point being, we have very real memories of the practices used to falsify the “paper voting”.That’s opposed to the fact that it’s rather difficult to bribe » a computer.
Therefore, the experience over here, in Estonia, is that paper voting is a lot easier to falsify.
Theoretical vs practical security
People in the West probably still believe that verified security solutions (altogether with the back doors) can be created on a drawing board and then used for decades without any changes. This hasn’t been the case for a long time. The development of computers has increased the complexity of technology significantly. Try as hard as you want, there is always going to be an error, not to mention intentional traps.
Joanna Rutkowska hit the nail on the head when she wrote that the keyboard, screen and mouse » of your computer belong to… whom? No, they don’t belong to you, they belong to the software manufacturer. Technically, the manufacturer can take over your identity at any time and do whatever it wants on your behalf. Not a single modern operating system has been designed in consideration of the opposite requirement. Therefore, we can only trust our computer so much. In practice, though, Microsoft and Apple don’t interfere with people’s lives and we can only guess why.
The same applies to the hardware we use. It’s made somewhere in China or South Korea and it is possible that there is a back door somewhere on the motherboard.
These claims sound so horrendous that we should stop using computers altogether!? The reality isn’t actually that bad. Despite the OS and hardware risks, it is still possible to build software and procedures on top of these that are owned by the state of Estonia and use the Internet as the communications channel. Every movement that is important for the outcome (of the voting process) is logged and the e-voting process is observed by dozens of IT people (and international IT aware observers are very welcome as well!). Yes, we must keep the threats described above in mind and evaluate them in our risk assessment formulae as well as in our software development process.
Secure e-voting is impossible in theory (at least that’s what they think in America). In practice, computer risks have been eliminated with different measures, from procedures and audits to the ‘four eyes principle’ of cross checking every step in the process. In Estonia, we’ve carried out e-voting six times now and haven’t had any security incidents yet.
We believe that computer systems are built differently in an e-society. The computer or the software is not trusted; the system that is designed on top of these, the system logs its own operations and is in its turn supervised by people.
Our dear foreign guests also seem to forget this tiny little detail that in the case of e-voting, the network layer, monitoring and logs are under our control and not under the control of an attacker, like it may have seemed in their laboratory.
Harri Hursti introduced himself as an independent security expert at the press conference of 12 May. He’s not really that independent, is he? He has twice taken part in election events of the Tallinn City Government called “The Devil Votes Online”. At the time, the (mostly retirement-age) people who attended the events also failed to understand why the online elections in Estonia are compared to some foreign electronic voting process or why election kiosks are mentioned.
Jason Kitcat and Alex Halderman are well known for having been against e-, I- and any other non-paper elections for at least five years, if not longer. Back in 2011, Halderman already taught a university course whose message was: society is not yet ready for e-elections. That’s exactly the case in the US. But this objection cannot be automatically applied to Estonia. We really do understand that the Americans are disappointed in their voting kiosks, we really do understand that they want to fight against kiosk elections in their own country… But perhaps they could have this fight without trampling all over the small country of Estonia in the process, because we have managed to solve this task perfectly for ourselves? True, in slightly different cultural conditions.
The experience has certainly proven to be interesting for the two students in the team: they were able to play with the world’s best online voting system in their lab and then get sent on a holiday to that country.
To be honest, the quality of the videos uploaded on Jason’s website, as a training material, are ridiculous. If students at the Estonian IT College had created something like this for their homework, they would’ve received an F.
But about the video: We see something like a server with three sparkling diodes on the table and there are messages in a foreign language (that the students don’t understand) running across the screen. There is some activity without any commentary, things are selected from the menus displayed on the screen, some discs are inserted into the server, etc. People in dark appear scurrying around the computers, moving the VGA cable between the projector and the server back and forth so that the projector blinds the camera.
Compare this to the 3-minute lock bumping video on YouTube. Could you open the lock after watching the video? Now watch Kitcat’s almost 12-minute video and answer this question: could you break into the Estonian online voting system after this? I’m sure that your answer is “No”.
The most important thing is that the promised PDF summary has still not been uploaded on Jason’s site. Apparently, it still needs some editing and there’re a couple of more things that need to be added and the summary will only be presented after the elections!
Update: Full report » (PDF) was published on May 17 2014.
To me, it looks more like an attempt to rig » the elections by scaremongering than a piece of research or responsible disclosure of an actual security hole.
The glad news is that the Estonian online voting system is still secure and we can use it to vote again in a couple of days. We’re grateful to our foreign guests for these little crumbs that will help us make the e-voting procedure even better in the future. Those of you who suspect a computer virus at home – do make sure you head your polling station on the day of the elections!
We have the only functioning nationwide e-voting system in the world! Let’s be proud!
More news on the same subject
CERT-EE reports an increase in the number of instances of salary account fraud wherein the employee sends a letter to the HR manager requesting that their salary be transferred to a new bank account starting from the following month. In reality, however, this request is sent by cybercriminals, who take the money.
CERT-EE has been notified of telephone calls in English in which people are asked about the security of their computer and to grant the caller access it. Disconnect these calls immediately!