The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

摘要

In the world's largest-ever deployment of online voting, the iVote Internetvoting system was trusted for the return of 280,000 ballots in the 2015 stateelection in New South Wales, Australia. During the election, we performed anindependent security analysis of parts of the live iVote system and uncoveredsevere vulnerabilities that could be leveraged to manipulate votes, violateballot privacy, and subvert the verification mechanism. These vulnerabilitiesdo not seem to have been detected by the election authorities before wedisclosed them, despite a pre-election security review and despite the systemhaving run in a live state election for five days. One vulnerability, theresult of including analytics software from an insecure external server,exposed some votes to complete compromise of privacy and integrity. At leastone parliamentary seat was decided by a margin much smaller than the number ofvotes taken while the system was vulnerable. We also found protocol flaws,including vote verification that was itself susceptible to manipulation. Thisincident underscores the difficulty of conducting secure elections online andcarries lessons for voters, election officials, and the e-voting researchcommunity.