NEW SOUTH WALES: The results of the New South Wales election could be open to change, as a new security flaw has been exposed in its iVote system. The flaw, named FREAK, makes it possible to intercept a voter's internet traffic and change the vote without his or her knowledge. As a result, the decisions of the 66,000 voters are now at risk of being manipulated.
How do we know that? Because we uncovered a security flaw in the popular iVote system that would have let us do exactly that, if we’d chosen to. That’s despite repeated assurances from the New South Wales Electoral Commission that:
People’s vote is completely secret. It’s fully encrypted and safeguarded, it can’t be tampered with.
We should stress that rather than do anything illegal or disrupt the March 28 state election result, we tested this security weakness only on our own practice vote at the iVote practice server. After checking that the same weakness affected the real voting server, we alerted the authorities late last week. We also waited until we could see the problem had been fixed before talking publicly about it.
The problem we found was that the voting server had loaded some code from a third-party site vulnerable to the FREAK attack, a major security flaw that left Apple and Google devices vulnerable to hacking.
How did that global security problem affect iVote? For a longer, more technical explanation of what we did and found, read more here.
The shorter version is that with less than a week of concerted effort, the two of us discovered that the FREAK flaw allowed us – or potentially anyone with the right technical knowledge – to intercept a NSW voter’s internet traffic, and insert different code into vulnerable web browsers. Many, but not all, browsers have been appropriately patched over the last week – this site lets you check whether yours is still vulnerable.
We demonstrated that we could make the voter’s web browser display what the voter wanted, but secretly send a different vote to the iVote voting server.
The iVote system does include a vote verification process for people who choose to vote online or by phone, where they can subsequently call an automated interactive phone line to double-check what vote the system holds for them.
However, that verification system could have errors or security vulnerabilities; we can’t tell you with any certainty either way, since there’s no publicly-available source code or system details.
Given the supposedly “fully encrypted and safeguarded” iVote system proved so vulnerable to attack, we certainly would not recommend people take any chances by voting online in the NSW election.
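The root cause described above was a voting page pulling script from a third-party host whose TLS was weaker than the voting server's own. The following is an added example, not code from the researchers or from iVote: a small audit a site operator could run over their own page to list every script loaded from another origin and flag those fetched without HTTPS or without a Subresource Integrity (`integrity`) attribute. The hostnames and sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect every external <script src=...> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # list of (absolute_url, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src:  # inline scripts have no src and are skipped
            url = urljoin(self.page_url, src)  # resolves relative and //host forms
            self.scripts.append((url, bool(a.get("integrity"))))

def audit_third_party_scripts(page_url, html):
    """Return one finding per script served from an origin other than the page's."""
    page = urlsplit(page_url)
    page_origin = (page.scheme, page.netloc.lower())
    parser = ScriptAudit(page_url)
    parser.feed(html)
    findings = []
    for url, has_sri in parser.scripts:
        u = urlsplit(url)
        if (u.scheme, u.netloc.lower()) == page_origin:
            continue  # first-party script, covered by the page's own TLS
        issues = []
        if u.scheme != "https":
            issues.append("not loaded over HTTPS")
        if not has_sri:
            issues.append("no integrity attribute")
        findings.append({"url": url, "host": u.netloc.lower(), "issues": issues})
    return findings

# Constructed sample page; hostnames are placeholders, not the real iVote markup.
SAMPLE_URL = "https://vote.example/ballot"
SAMPLE_HTML = """<html><head>
<script src="/static/ballot.js"></script>
<script src="https://analytics.thirdparty.example/t.js"></script>
<script src="//cdn.example/lib.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="http://widgets.example/w.js"></script>
</head></html>"""

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_URL, SAMPLE_HTML):
        print(f["host"], "->", ", ".join(f["issues"]) or "pinned with SRI")
```

Every host in the output is one whose TLS configuration the page's security depends on, so each needs the same scrutiny as the voting server itself or should be removed from the page.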






