Experts worldwide report improvements to the beta version of Swiss Post’s e-voting system
Swiss Post has been disclosing the beta version of its e-voting system in stages since January. With the participation of the international experts, it wants to uncover all vulnerabilities, remedy them and develop the system continuously. Several hundred experts have already participated and submitted numerous reports. Swiss Post has acted accordingly and made various improvements. On this page you will find a regularly updated description of all confirmed findings, the severity of which Swiss Post classifies as high or critical after an in-depth technical analysis.
Since the beginning of 2021, Swiss Post has been disclosing the beta version of its e-voting system in stages. The last time it published the source code was in September. At the same time, Swiss Post also launched the open-ended public bug bounty programme for the e-voting system. Depending on the severity, it will reward findings with up to 250,000 francs. This means that experts from all over the world can test the system, including by simulating voting procedures, and can report any improvements to Swiss Post. The aim is to find vulnerabilities early on with the participation of international experts, to correct them and thus continuously develop the system. The consciously sought-after external view of independent experts forms part of the mosaic in the development of a secure system. At the same time, public review is expected to become a federal requirement for e-voting systems in Switzerland that can be authorized for legally defined trial operation and used in cantons that are interested in the system.
Since July 2021, independent experts appointed by the Confederation have also been examining the beta version of Swiss Post’s e-voting system in parallel with the public review. The review will be completed with the publication of reports. Swiss Post will be notified in advance of the initial findings in order to ensure the rapid further development of the e-voting system. Swiss Post will also publish the resulting corrections on GitLab and on this website.
The findings of the e-voting system are classified in four severity categories (low, medium, high, critical). A description of the severity categories can be found on the e-voting community website.
So far, several hundred people, including specialists from science as well as ethical hackers, have participated in Swiss Post’s community programme on e-voting. Swiss Post has received 111 reports, including three findings with high severity. Two of them were received before the start of the public bug bounty programme. Swiss Post’s e-voting team discovered a new finding in October thanks to the analysis of the Confederation’s independent experts. Swiss Post has proposed solutions for all three findings, and in one case has already implemented the correction in the system. No findings of the highest severity (critical) have been received yet.
Swiss Post understands cyber security as a continuous participatory process. It is therefore pleased with the lively participation of specialists from around the world in its e-voting community programme. In this way, public scrutiny can have its full effect as a measure to keep the security of a system at the highest possible level at all times. Swiss Post corrects all serious findings before making its e-voting system available for use in the cantons.
Overview of the findings
|Number of reports ||115|
|Number of reports with high severity level ||3|
|Number of reports with critical severity level ||0|
|Total rewards paid out||€ 75 600|
Confirmed findings with high and critical severity
Swiss Post permanently and fully discloses its future e-voting system. Experts can analyze the documents and test the source code. As part of the bug bounty program, Swiss Post pays rewards for confirmed vulnerabilities. These are cyber security and international best practice measures to keep security at the highest possible level. The aim of these measures is to find and eliminate possible points of attack in the system at an early stage on the basis of the reported findings.
All information, including questions, comments and findings, is published on the GitLab specialist platform.
Below you will find a regularly updated description of all confirmed findings, the severity of which Swiss Post classifies as high or critical after a detailed technical analysis.
Date: October 2021
Reporting: Analysis of the Confederation’s independent experts (reported by: V. Teague, O. Pereira and Th. Haines), on the basis of which Swiss Post’s e-voting team discovered the error
Description: The error would an attacker who has gained control over the voting client, the voting server and a control component, to endanger individual verifiability. The attacker could falsify a public key, a cryptographic component used to securely transmit a message to the voter unaltered, and get the other control components to accept it anyway. The voter themselves would not be able to determine that their vote was invalidated, i.e. individual verifiability would not be ensured. However, the attack would be discovered when the canton checked the votes.
Date: June 2021
Reported by: Pierrick Gaudry, Véronique Cortier, Alexandre Debant
Description: If an attacker could control parts of Swiss Post’s server infrastructure and the last offline control component operated by the canton, it would be possible for them to exploit the error in order to break the voting secrecy of multiple votes. The control components do not currently check whether a ballot box belongs to a particular voting procedure. Nor do they check whether the votes in a ballot box have already been mixed and decrypted.
Status and solution: Risk of privacy breach due to the CCMs not checking the ZKP before mix-decrypting
Date: February 2021
Reported by: Thomas Haines
Description: An attacker who manages to break into the e-voting infrastructure can, by exploiting the described error, could obtain information that could help them guess choice return codes and the confirmation code. They could use this to indicate the correct registration of the vote to the voter while still recording the incorrect vote in the background.