Public hacker test on Swiss Post’s e-voting system

07.02.2019

Swiss Post will be carrying out resilience testing, also known as a public intrusion test (PIT), on its e-voting system between 25 February and 24 March 2019. During the test, hackers and other independent IT specialists can challenge the Swiss Post e-voting system with deliberate attacks. How does the intrusion test work and what happens if anything is found? The answers to the key questions are given below.

How does the intrusion test work?

The test simulates a federal vote. As in a normal vote, the casting of votes opens four weeks prior to voting Sunday, and the intrusion test runs over this period. 24 March 2019 is taken as voting Sunday. The intrusion test thus lasts from 25 February until 24 March.

Those interested in participating need to register on the www.onlinevote-pit.ch platform. The Confederation and cantons have commissioned the independent company SCRT SA to perform the intrusion test and operate the platform.

Participants can download their voting cards for the test on the platform. As with normal votes, the card contains the codes necessary to participate in the simulated vote and thus the intrusion test. Unlike normal contests, participants can obtain several voting cards, which are not sent by post but are instead available electronically.

Participants can submit their findings on the www.onlinevote-pit.ch platform. The company SCRT will look into the findings and, if they are plausible, will forward them to Swiss Post.

Swiss Post will then analyse the findings and where necessary, reproduce them. If it is able to confirm a finding, it will release it for publication and the person who submitted the finding will be entitled to financial compensation if they were the first to report it.

On Sunday 24 March, the electronic ballot box will be decrypted and opened by the fictional electoral commission. Findings can be submitted until 25 March at midnight.

Why is Swiss Post performing an intrusion test on its e-voting system?

In order for the cantons to be able to offer e-voting with Swiss Post’s completely verifiable system to all voters in the future, the system requires federal approval. To gain such approval the system must undergo a public intrusion test in accordance with the requirements of the Confederation and the cantons. Swiss Post complies with this requirement.

What is the aim of the intrusion test?

Swiss Post's completely verifiable e-voting system is state of the art. This means that it complies with the latest developments and meets the highest safety requirements. Intrusion testing is a standard tool in the IT industry to put state-of-the-art systems and processes through their paces before going live. This is precisely the aim of the intrusion test on the e-voting system. The results of the intrusion test will be used for the development of the e-voting system.

What exactly can participants check for?

All attacks aimed at reading votes or manipulating the election. Attacks on the central security mechanisms of the e-voting system, individual and universal verifiability, are also part of the test.

The intrusion test aims to examine the e-voting system, not the other systems and processes concerned with electronic voting. For this reason, scenarios that attack other systems or processes are excluded from the test. Also excluded are attacks that are known and against which security precautions already exist. Such scenarios would not provide any knowledge gain. Examples of excluded scenarios include:

  • Attacks on the PC, laptop or tablet of the voter: A security mechanism already exists against these attacks with individual verifiability. Individual verifiability is part of the intrusion test.
  • Social engineering: such attacks exploit the good faith or insecurity of individuals to gain access to confidential information. It is difficult to simulate such complex behaviour in a test. There is also a security mechanism against social engineering among voters with individual verifiability. Social engineering at the electoral commissions concerns the processes in the cantons over which Swiss Post has no influence, e.g. the decryption and counting of the electronic ballot box.
  • Overload attacks (DDoS attacks): Protection against DDoS attacks is basically part of the security infrastructure of IT systems. Nevertheless, every system has load limits. However, DDoS attacks are not part of the test because they are not specific to e-voting and would not provide any knowledge gain. This limitation is common in intrusion tests. Swiss Post regularly conducts practical DDoS tests to ward off such attacks.

Details can be found in the Code of Conduct.

What will Swiss Post do in the event of discovering a vulnerability?

Anyone conducting a public intrusion test deliberately exposes themselves to the sophistication of independent hackers and must expect findings.

Swiss Post will evaluate the submitted findings, classify them according to their degree of severity and correct them according to risk.

Is Swiss Post carrying out the intrusion test in a transparent and credible manner?

Yes, among other things, because:

  • All attack scenarios for the purpose of reading or manipulating votes are authorized for the intrusion test.
  • All confirmed findings will be published on the platform www.onlinevote-pit.ch.
  • Each participant receives the right to publish his findings after a maximum of 45 days. Many other intrusion tests do not allow this.
  • There are no participation restrictions. Participants are required to register, however.
  • The testers can request not just one but multiple voting cards to attack the system multiple times.
  • The source code of the system is published, including the documentation necessary to verify all security aspects of the system.

With these framework conditions, Swiss Post fulfils the requirements of the Confederation and the cantons, and in some cases goes beyond standard practice for the IT sector for intrusion tests.

Are there any differences between the intrusion test and a genuine electoral contest?

Yes, there are some differences. The following in particular:

  • Swiss Post will deactivate certain security measures within the system to enable participants to concentrate fully on attacking the core system. During normal operations, Swiss Post has gathered experience in recent years on how to quickly identify potential hackers. These warning signals will be ignored for the intrusion test.
  • For practical reasons, the voting cards are sent electronically for the intrusion test instead of by post. The cards are also generated by Swiss Post and not the cantonal authorities.
  • The testers are able to order several voting cards, not just one.

Who can participate?

Everyone is entitled to register. There are no restrictions. However, certain individuals are not entitled to compensation, e.g. Swiss Post employees.

Where can participants register?

On the www.onlinevote-pit.ch platform.

Why do participants need to register?

Registration is necessary for three reasons:

  • It ensures that participants are legally entitled to attack the system.
  • It ensures that compensation can be paid in the event of a confirmed finding.
  • It is necessary to ensure that participants sign the conditions of participation. This is essential to ensure orderly conduct and dialogue for more than 2,500 registered participants worldwide.

Why is an external company performing the intrusion test? What function is performed by this company during the intrusion test?

The Confederation and cantons have commissioned the Swiss company SCRT SA to implement the intrusion test on an operational level. This ensures independent performance and initial analysis of the results. SCRT SA specializes in performing intrusion tests. Its most important tasks are:

  • Operating the platform www.onlinevote-pit.ch for registration and submission of findings
  • Initial review of submitted findings
  • Communication with participants and coordination between participants and Swiss Post

Where can participants submit their findings? When is the deadline for submitting findings?

Participants need to submit their findings by Monday 25 March 2019 at midnight at www.onlinevote-pit.ch.

How does the evaluation process work for findings?

If a hacker believes he has discovered a vulnerability, he will report it on the platform www.onlinevote-pit.ch. The independent company commissioned by the Confederation and cantons, SCRT SA, performs an initial review of the findings. If a finding is plausible, SCRT SA forwards it to a group of specialists within Swiss Post. They analyse and evaluate the finding and also try to reproduce it.

After this analysis, the submitter will know if he has actually discovered a relevant vulnerability. After a waiting period of 45 days, the submitter can publish confirmed findings himself. Many other intrusion tests do not allow this. The entire process is monitored by the Confederation and the cantons.

The rules of publication described in the Code of Conduct apply to confirmed findings.

Why is there a waiting period of 45 days for the publication of confirmed findings?

Each participant receives the right to publish his findings. Many other intrusion tests do not allow this. In return, Swiss Post has stipulated that participants must observe a waiting period of a maximum of 45 days to publish a report. This way, Swiss Post ensures that it can carefully examine the submitted findings and provide the submitter with in-depth feedback.

What are the rules for compensation?

A participant will receive compensation if he or she is the first to submit the finding and provided that it is confirmed by the Confederation, the cantons and Swiss Post. The extent of compensation granted depends on the severity of the finding. The following categories have been defined.

| Category | Minimum compensation in CHF |
|---|---|
| Best Practice (uncritical optimisation possibilities) | 100 |
| Intrusion into the e-voting system | 1,000 |
| Corrupting votes or rendering them unusable | 5,000 |
| Successful attack on voting secrecy on the servers | 10,000 |
| Manipulation of votes detected by the system | 20,000 |
| Undetected manipulation of votes | 30,000 - 50,000 |

Details on the compensation to be granted can be found in the conditions of participation.

What rules do participants need to follow?

The rules of conduct and conditions of participation have been published here. These define exactly what participants are permitted to test, as well as compensation and the rules for publishing findings.

Whom should participants contact if they have questions about the intrusion test?

Questions can be submitted via a contact form on the www.onlinevote-pit.ch platform.

Where is the source code published?

Swiss Post published the source code here on 7 February 2019. Registration is required to view this. The source code is published permanently to ensure Swiss Post meets the legal requirements. More information on the source code can be found in the blog post.

Was the source code leaked as published in the media?

No, please see the blog post.
