An introduction to vulnerabilities in electronic voting

This quick and dirty essay was written for the IRR in the lead up to public commentary on the South African electoral reform bill.

Among other items in the ANC’s newly proposed electoral reform bill, there are demands that the IEC “keep abreast” of the latest voting technology, to make sure that the electoral medium makes use of the latest and most sophisticated electronic products[1]. A particular technology that has been promoted is what is known as blockchain encryption[2], which due to its broad application and initial resilience to exploitation, has been touted as virtually impenetrable by many of its promoters, but it has already been shown to have its own vulnerabilities[3]. What follows is a summary of the main concepts concerning security vulnerabilities in electronic voting.

Basic concepts

Stages of the voting system

Whether in purely physical systems, or in partially- or fully-electronic ones, there are several analogous components of the voting system that persist. At each stage, these represent several points of failure.

  • Registration
    • A register of legitimate voters must be maintained accurately, and documentation of their status issued.
    • Voter registration must be secure and reliable, ensuring that no illegitimate voters may register to vote.
    • No person should be allowed to vote twice, for example by registering under a false identity.
  • Casting
    • The voter must be capable of voting in secret and without intimidation, and the choices must be present and legible to them.
    • The voting habits of citizens should not be visible to government agents, or to members of the public, without the express permission of the voter.
  • Verification
    • The voter must be assured that the vote that they have cast is in fact received as such by the system. For physical ballots, this is
  • Storage and transport
    • Transfer of data on votes must be immune from interception. For electronic means, this means encryption.
    • Storage of votes, whether physical or virtual, must be immune to illicit access and tampering. There must also be a clear means of detecting whether storage has been violated.
  • Tally
    • The people or machines which count the votes and collate them with the central authorities

The electoral system need not only defend itself from malicious outsiders, but also from insider attacks. The one great weakness of electronic systems is that, while attacks on them can require a high level of technical expertise, they can be harmed in a much more systematic way, and much more covertly, than traditional electoral systems.

Purposes of interference

Broadly speaking, those who would interfere with electoral processes can be classed into three groups according to their aims[4]:

  1. Influencing outcomes
    1. These actors intend to assure a certain electoral outcome, whether by falsifying the count, destroying ballots, or through intimidation.
  2. Revealing voting choices
    1. To successfully intimidate an electorate, knowing the contents of their votes, or being convincingly able to make their votes public, is essential.
  3. Discrediting the election
    1. This aim relies entirely on perception management. By successfully convincing a portion of the population that the election was tampered with, they can undermine confidence in the vote.

Forms of penetration

Penetrations can be considered covert, overt, or surreptitious.

  • Covert penetrations are typically difficult to trace, but can be detected with some effort.
  • Overt penetrations are easy to detect, even obvious.
  • A surreptitious penetration is one that is in principle untraceable.

An actor wanting to discredit an election may desire an overt penetration, to maximise the visibility of their violation of protocol. Those revealing voter choices may wish for either overt or covert means, depending on what power they possess to defend themselves from potential backlash, or to what extent they are capable of carrying out overt intimidation. Those intending to influence outcomes will require covert means, or ideally surreptitious means, since their desire is to secretly defraud an election while establishing its legitimacy.

Electronic Voting systems

Systems for electronic voting can be classed into three general categories.

  1. Automated paper ballot voting machines (APV)
    1. These machines will register a decision made by a voter, and then print a physical ballot to be counted later by hand or by a mechanical counter. The
  2. Direct-recording electronic voting (DRE)
    1. In this system, votes are recorded on an electronic database on the voting machine, and can be accessed later for counting purposes.
  3. Voter Verified Paper Audit Trail (VVPAT)
    1. The voter will receive a receipt for the vote they have electronically submitted
  4. Public-networked direct-recording electronic voting (PNV)
    1. Like DRE, PNV records votes purely electronically. But in this case, the votes are tallied centrally and electronically by being sent over an (ideally, secure) public network.
  5. Online voting (OV)
    1. As the name suggests, this system is the use of (ideally, secure) logins on citizens’ personal computers to register votes remotely for elections.

General Vulnerabilities

Between 2000 and 2011, several Western countries introduced various forms of electronic voting, with Estonia introducing the more ambitious remote online voting system in 2007[5]. Prima facie benefits include the promise of lower operating costs and greater speed. In practice, however, costs can exceed those of regular voting, as was determined in the Netherlands[6]; initial set-up can be expensive, and the systems can multiply vulnerabilities[7].

Vulnerabilities exist at a far greater scale because of systematisation, and electronic systems are far less transparent. It is easier to perform an attack without being detected, and trust can be eroded by the lack of tangible functionality, since understanding the system requires technical education. Because of the length of the design, development and procurement process, voting machines often have a lifetime of 20-30 years, and it is almost impossible to prepare decades in advance for potential vulnerabilities, which multiply as technology advances[8].

Internet voting presents an additional set of vulnerabilities, since it operates over a large quantity of different client systems, whose security cannot be assumed or assured. Voter coercion is also impossible to prevent in the case of remote internet voting.

There are four main categories of vulnerability[9]:

  • Malware insertion
    • The attacker accesses the machine either physically or remotely, and inserts a piece of code which changes or destroys the recorded votes, or records new ones.
  • Remote control/access
    • The attacker accesses the machine wirelessly or remotely, either to shut off the machine, to observe voters' ballots, or to manipulate their recorded state.
  • Denial of Service attacks
    • A computer in the network is flooded with requests from a remotely controlled network, which uses up processing power or bandwidth and inhibits functionality, preventing the election from proceeding.
  • Attacks on tallying servers
    • This attack attempts to alter or destroy recorded votes at a central location after they have been cast.
  • Compromising paper trails
    • This is an attack on the paper receipts issued in VVPAT systems, by making them non-representative of the votes cast, most effectively to discredit the system.
  • Shutting off assistance features
    • Many voters require assistance using the machines, whether due to lack of understanding or physical disability, and the software or hardware which provides for this can be disabled.
  • Social engineering
    • Phishing (spoof emails, texts etc.) can be used to trick voters into giving up information: their registration, their voting keys, their voting choices, and so on.
    • Technicians or overseers can be compromised to gain access to machines, whether through manipulation, fraud, threat or bribery.

Worth bearing in mind is that much of the information obtained by researchers in this area, even professionals, comes from access to proprietary software and hardware that the vendors did not volunteer, that is, from penetration testing[10]. The vast majority of electronic voting systems do not put in place defences adequate even for ordinary commercial-grade IT infrastructure, yet in the case of political processes the stakes are significantly higher and the incentives to cheat are exponentially larger. Companies who supply the infrastructure for electronic voting have a material interest in downplaying the risks and vulnerabilities inherent in the equipment they sell. They have actively used copyright and privacy laws to shield their products from scrutiny, and produce literature promoting the notion that their systems are a solution to the perennial vulnerabilities in voting[11].

The general flaw in electronic voting, electronic voter registration and other such systems, is that the checks and balances required to ensure security are large and complicated, and hence have many more points of failure. The difficulty in assuring compliance with security protocols and protecting passwords over many jurisdictions reduces reliability, and the secrecy around voting system software can reduce public trust. By comparison, physical elections are much more transparent to both voters and overseers, and can be observed at every stage. The voter can tell concretely what vote s/he has cast, and covert tampering is more difficult.

For the classic secret ballot to function, there need only be a secret booth, a sealed box, a legible ballot, and an impartial system of oversight for counting. For an electronic system, similar concepts apply (albeit in a virtual sense), but at each stage, the “parts” of the system are far greater in quantity, and the failure of any one part can compromise the validity of a ballot, or even an entire election.

For South Africa in particular, there are other problems. Remote electronic voting is infeasible in a country with low internet penetration, and regions with low levels of technological literacy will encounter difficulties operating machines. Lack of available technicians also presents a problem, as does unreliable electricity supply and network access. The inability to ensure a clean and legitimate tender procedure for the acquisition of equipment is, of course, the strongest and most damning objection.

Examples

The Netherlands were both early adopters (1997) and early abolishers (2008) of DRE voting machines. The key vulnerability that was detected was a TEMPEST attack. Despite all the measures taken by producers and coordinators to ensure that votes were anonymous, reliable and encrypted, radio frequency emanations from the voting machines could be picked up by nearby listening devices. Electronic signal disturbances caused by changes in current when votes were logged allowed a security activist to read votes as they were recorded. This led to electronic voting being discontinued[12].

VVPAT has proved to bear several vulnerabilities, not just in terms of the physical vulnerabilities which complex systems are prone to, but also in terms of the cognitive vulnerabilities of voters: voters often have a poor recollection of how they voted, and can easily be convinced that they made an error[13]. For this reason, a paper receipt is insufficient to ensure integrity.

The infamous Diebold AccuVote-TS, used in the United States for the 2006 election, was deployed widely enough to cover approximately 10% of the electorate. It was discovered by researchers that the source code had been published on the manufacturer's website in 2003, but it was not until 2006 that researchers could access the physical machines. Because the machines ran on Windows, it was fairly simple for anyone who had access to the machines to insert malicious software. The lock on the machine was easily picked with a paperclip, and all machines shared a universal key anyway, meaning that stealing one such key would grant access to all machines; the company's website even included a photograph of the key sufficiently detailed to make physical copies from. Poll workers were often allowed to take the machines home with them before the election[14].

Estonia is famous for its use of online voting. However, several flaws in its system were identified at the time of the 2015 election. The Estonian system assumed that voters' computers were trustworthy, and did not anticipate the use of a voter's computer as a point of injection of malicious code. The voting system also left open a 30 minute window after voting in which a second vote could be sent, invalidating the first, thus providing attackers with the ability to override votes. The procedures for ascertaining whether the counting servers had been tampered with were found to be inadequate. A live video feed of the server room showed that employees were using inappropriate software (online poker games), and exposed the officials to keystroke analysis and potential theft of security keys[15].

In practice, whether in Latin America[16], the United States, India or elsewhere, electronic voting has proved to be vulnerable to the same classes of vulnerabilities as regular elections, albeit in different ways, and has also provided some novel vulnerabilities of its own. Recently, a vulnerability in the voter records of Oregon State, publicised on the anonymous message board 4chan, demonstrated that, even decades into the electronic age, governments are still highly ignorant or negligent when it comes to good practice in electronic security. Using just a citizen's name and date of birth, it was possible to determine which candidate they had voted for, and to change the mailing address for the voter via the public voter registration website[17]. This is significant, because without a secret ballot, voters are subject to intimidation, and with the heavy use of mail-in ballots in the 2020 election, a close and highly contested competition, the vulnerability of ballots to tampering is of high concern.

Cryptography

The key security element used in electronic voting is cryptography, which is used to secure the confidentiality and authenticity of votes. Confidentiality is achieved by scrambling the data according to a certain pattern, the decoding of which is possible only by means of a secret digital key, usually a very large unique number. End-to-end encryption can have a high degree of security against interception[18], but does not guarantee security against exploits at the point of recording, registration or collation. Furthermore, blockchain technology is not immune to exploitation. There are several methods of encryption, but as anyone who has seen a WhatsApp message leak can attest, an end-to-end encrypted platform is only as secure as the end devices.

Blockchain technology is a fairly recent development, and a highly complex cryptographic instrument. It enables secure, verified, and anonymous transactions between nodes in a decentralised network, which is an appealing concept, since in theory it fulfils several of the essential requirements of a secret ballot. It has no single point of failure, and is less prone to data loss or corruption, since the whole ledger is encrypted redundantly at all nodes of the network.

Since blockchain technology is decentralised, it is often touted as a system with no single point of failure, and therefore more resilient than previous cryptographic communication technologies. This is true, but does not make it invulnerable. Hasanova et al, 2018 provides a comprehensive overview of the vulnerabilities of blockchain, but here is a brief summary:

A blockchain functions as a distributed ledger of timestamped data transactions, composed of discrete "blocks" each secured by a hash, which helps to prevent tampering with the information. Each block is linked in a sequential chain to its "parent" and "daughter" blocks; each block has one parent and may have many daughters. Any user, or node, in this network, also identified by a unique generated hash, may edit the ledger, but only by adding to it.

There are two types of consensus protocol: Proof of Work (PoW) and Proof of Stake (PoS). In PoW, each block has to be generated by solving a computational puzzle, a process called "mining", which yields "coins" or tokens as the reward for the work. The first computer in the network to provide the solution that encodes a new block onto the network typically gets to write its transactions onto the blockchain ledger. In PoS every coin has already been issued, and the right to generate new blocks is awarded through staking: to those who purchase or are awarded control of part of the network, rather than to those who solve hashes competitively. The stake in the network allows the stakeholder to certify transactions.
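To make the block/parent/daughter structure and "mining" concrete, and to show how a hash chain gives the "clear means of detecting whether storage has been violated" that the Storage stage above asks for, here is a small hash-chained ledger with a proof-of-work target. It is an added teaching example written for this essay, not code from any voting product or from the papers cited; the block layout, the difficulty of 12 leading zero bits and the sample ballot records are all constructed for illustration.

```python
"""Minimal hash-chained, append-only ledger with proof of work.
Added teaching example (not from any voting system or cited paper).
Assumptions: SHA-256 block hashes, a 12-bit difficulty target, and
constructed ballot payloads that carry an opaque ballot id, never a voter identity."""
import hashlib
import json
import time
from dataclasses import dataclass, asdict

DIFFICULTY = 12  # assumed target: leading zero bits a valid block hash must have (small, so it mines in milliseconds)


@dataclass
class Block:
    index: int
    parent_hash: str      # hash of the parent block: this is the link that forms the chain
    timestamp: float
    payload: dict         # the transaction (here, a constructed ballot record) stored in the block
    nonce: int = 0        # the value searched over during mining

    def header_bytes(self) -> bytes:
        # Canonical serialisation so that every node hashes exactly the same bytes.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header_bytes()).hexdigest()


def meets_target(h: str, difficulty: int = DIFFICULTY) -> bool:
    # A hash "solves" the puzzle when its top `difficulty` bits are all zero.
    return int(h, 16) >> (256 - difficulty) == 0


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    # Proof of work: try nonces until the block hash meets the target.
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
    return block


def genesis() -> Block:
    # The first block has no real parent; by convention it points at all zeros.
    return mine(Block(0, "0" * 64, 0.0, {"note": "genesis"}))


def append(chain: list, payload: dict, difficulty: int = DIFFICULTY) -> Block:
    # The ledger is append-only: a new block can only extend the current tip.
    tip = chain[-1]
    block = mine(Block(tip.index + 1, tip.hash(), time.time(), payload), difficulty)
    chain.append(block)
    return block


def validate(chain: list, difficulty: int = DIFFICULTY) -> tuple:
    """Return (True, -1) for an intact chain, otherwise (False, index of the first bad block).
    A block is bad if its hash misses the target or its parent link no longer matches."""
    for i, block in enumerate(chain):
        if not meets_target(block.hash(), difficulty):
            return False, i
        if i > 0 and block.parent_hash != chain[i - 1].hash():
            return False, i
    return True, -1


def demo() -> dict:
    """Build a short chain, tamper with a stored record, and show what a verifier sees."""
    chain = [genesis()]
    for ballot in ("b-001", "b-002", "b-003"):     # constructed sample records
        append(chain, {"ballot_id": ballot, "choice": "A"})
    intact = validate(chain)
    # Storage violation: someone edits the choice recorded in block 2 in place.
    chain[2].payload["choice"] = "B"
    tampered = validate(chain)
    # Even if the tamperer re-mines block 2, block 3 still carries the old parent hash,
    # so every daughter block would have to be re-mined too. That cumulative cost is what
    # the "51%" discussion below is about.
    mine(chain[2])
    after_remine = validate(chain)
    return {"intact": intact, "tampered": tampered, "after_remine": after_remine}


if __name__ == "__main__":
    print(demo())
```

The point for a verifier is the last two results: an in-place edit breaks the chain at the edited block, and repairing only that block moves the break to its daughter rather than removing it. Detecting a violation is cheap (one pass over the chain); concealing one requires redoing the work for every later block.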

A more comprehensive summary of the available proposed systems for blockchain-based voting is given in Taş & Tanrıöver, 2020: 11-15. In that paper's conclusion, it is pointed out that the threats and vulnerabilities to blockchain voting are as yet unknown. For a blockchain system to be able to secure an e-voting system, it will need to integrate the registration, authentication, casting and tallying stages[19], and that high degree of scalability poses an unknown risk.

It is also worth pointing out that blockchain technology is not invulnerable to attack. While the ledger is both transparent and anonymous, it is possible to crack. The most famous vulnerability is one of PoW systems: a party with enough computing power to control 51% of the network's mining can thereby gain the power to rewrite and edit the ledger for malicious purposes[20]. While solutions and workarounds to these vulnerabilities exist, more vulnerabilities are revealed over time.

Concluding remarks

Ultimately, regardless of the promised quality of the technology used, the trust component is always the most salient. Electronic systems are only transparent to a tiny selection of technicians, whose access to voting procedures is controlled by the state. Traditional safeguards for ballot security have the advantage of being legible to the entire public, and violations of protocol are easy enough for anybody to comprehend. Violations are less ambiguous and easier to detect.

While there are secure cryptographic models which can protect against unauthorised access, electronic voting is vulnerable to authorised attacks, that is, attacks from the official parties responsible for conducting the election. In South Africa, where the government is openly hostile to checks on its power or criminal activities, in which it can be reasonably assumed all ruling party members are complicit, this is grounds enough to disregard attempts to digitise our future elections.

Considering the rather large initial investment required for the hardware and proprietary software necessary for undertaking the challenge of a secure electronic voting system, and the limited budget available to the South African state at this time, it would not be advisable.


[1] Lekota et al, 2020: 10

[2] Lekota et al, 2020: 16

[3] Hasanova et al, 2019

[4] Halderman, 2016: 144

[5] Taş & Tanrıöver, 2020

[6] Bokslag & de Vries, 2016 – a particularly concise guide

[7] Çabuk et al, 2020

[8] Halderman, 2016: 150

[9] Abba et al, 2017; Norden, 2006

[10] Halderman, 2016 – a very comprehensive guide to vulnerabilities

[11] Halderman, 2016

[12] Jacobs & Pieters, 2009

[13] DeMillo, Kadel & Marks, 2018

[14] Halderman, 2016: 146-9

[15] Bokslag & de Vries, 2016

[16] Toapanta et al, 2019

[17] Franceschi-Bicchierai, 2020

[18] Kiavias et al, 2017

[19] Taş & Tanrıöver, 2020: 4

[20] Hasanova et al, 2018

References:

Abba, Abdullahi Lawal, Mohammed Awad, Zakaria Al-Qudah, and Abdul Halim Jallad. “Security analysis of current voting systems.” In 2017 International Conference on Electrical and Computing Technologies and Applications (ICECTA), pp. 1-6. IEEE, 2017.

Bernhard, Matthew, Allison McDonald, Henry Meng, Jensen Hwa, Nakul Bajaj, Kevin Chang, and J. Alex Halderman. “Can Voters Detect Malicious Manipulation of Ballot Marking Devices?.” In 41st IEEE Symposium on Security and Privacy. 2020.

Bokslag, Wouter, and Manon de Vries. “Evaluating e-voting: theory and practice.” arXiv preprint arXiv:1602.02509 (2016).

Çabuk, Umut Can, Eylul Adiguzel, and Enis Karaarslan. “A survey on feasibility and suitability of blockchain techniques for the e-voting systems.” arXiv preprint arXiv:2002.07175 (2020).

De Faveri, Cristiano, Ana Moreira, João Araújo, and Vasco Amaral. “Towards security modeling of e-voting systems.” In 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW), pp. 145-154. IEEE, 2016.

DeMillo, Richard, Robert Kadel, and Marilyn Marks. “What Voters are Asked to Verify Affects Ballot Verification: A Quantitative Analysis of Voters’ Memories of Their Ballots.” Available at SSRN 3292208 (2018).

Franceschi-Bicchierai, Lorenzo. “4Chan’s Pathetic Attempt to Alter Votes Isn’t Going to Accomplish Anything” Vice, October 20, 2020.

Halderman, J. Alex. “Practical attacks on real-world e-voting.” Real-World electronic voting: Design, analysis and deployment (2016): 145-171.

Hasanova, Huru, Ui‐jun Baek, Mu‐gon Shin, Kyunghee Cho, and Myung‐Sup Kim. “A survey on blockchain cybersecurity vulnerabilities and possible countermeasures.” International Journal of Network Management 29, no. 2 (2019): e2060.

Jacobs, Bart, and Wolter Pieters. “Electronic Voting in the Netherlands: from early Adoption to early Abolishment.” In Foundations of security analysis and design V, pp. 121-144. Springer, Berlin, Heidelberg, 2009.

Kshetri, Nir, and Jeffrey Voas. “Blockchain-enabled e-voting.” IEEE Software 35, no. 4 (2018): 95-99.

Lekota, Hon M, Dr M Louis M Maimane MF Cassim N Van't Riet L Macfarlane M Laws C Louis. An Opportunity for Meaningful Electoral Reform in South Africa, 13 July 2020 (accessed online at https://dearsouthafrica.co.za/wp-content/uploads/2020/08/Policy-on-electoral-Reform.pdf)

Norden, Lawrence D., J. M. Creeland, A. Munoz, and W. Quesenbery. The machinery of democracy: Protecting elections in an electronic world. Brennan Center for Justice at NYU School of Law, 2006.

Osgood, Ryan. “The future of democracy: Blockchain voting.” COMP116: Information security (2016): 1-21.

Sudharsan, B., Nidhish Krishna MP, and M. Alagappan. “Secured Electronic Voting System Using the Concepts of Blockchain.” In 2019 IEEE 10th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 0675-0681. IEEE, 2019.

Taş, Ruhi, and Ömer Özgür Tanrıöver. “A Systematic Review of Challenges and Opportunities of Blockchain for E-Voting.” Symmetry 12, no. 8 (2020): 1328.

Toapanta, Segundo Moisés Toapanta, Iván Fernando Marriott Saá, Félix Gustavo Mendoza Quimi, and Luis Enrique Mafla Gallegos. “An approach to vulnerabilities, threats and risk in voting systems for popular elections in Latin America.” Adv. Sci. Technol. Eng. Syst. J 4, no. 3 (2019): 106-116.
