New South Wales, Australia is holding an election with a significant number of online votes. Researchers point out several concerns:
- Votes could have been easily changed with nobody the wiser
- The touted user verification has its own flaws.
- The system was taken down to fix (correct) the ballot.
- The source code is not disclosed, so there is no means to assess its vulnerabilities
Read the summary report and the researchers response to the response/criticisms from New South Wales officials <read>
As the summary concludes, this is not the first time flaws and risks have been exposed in Internet voting schemes:
The vulnerability to the FREAK attack [name for the particular attack mechanism demonstrated] illustrates once again why Internet Voting is hard to do securely. The system has been in development for years, but FREAK was announced only a couple of weeks before the election. Perhaps there wasn’t time to thoroughly retest the iVote system for exposure. We can bet that there are one or more major HTTPS vulnerabilities waiting to be discovered (and perhaps already known to sophisticated attackers). Verification is a vital safeguard against such unknown problems, but at best it detects problems rather than preventing them.
To election security researchers, these problems aren’t surprising. We’ve already seen dire security problems with Internet voting in Estonia and Washington, D.C. Securing Internet voting requires solving some of the hardest problems in computer security, and even the smallest mistakes can undermine the integrity of the election result. That’s why most experts agree that Internet voting cannot be adequately secured with current technology.
