Overview of Our Findings
These videos show demonstration attacks we conducted against a replica of the Estonian I-voting system as it was used in the 2013 municipal elections. These are examples of more general attack strategies, and many variants are possible.
- Server Malware Attack
In this attack, malicious trojan software is inserted at the beginning of the server build sequence and filters down to infect all election servers. The trojan contains malware which exploits the counting server’s application flow to intercept the decrypted ballots and modifies them to favor a selected candidate.
- Client Ghost Click Attack
In this attack, malware records the PINs that the voter uses during voting. Sometime later when the voter inserts his or her ID card, the malware launches the voting application again and simulates keystrokes to vote for the intended candidate. Here, the malware launches the voting application window on the victim’s computer for demonstration purposes.
- Client Ghost Click Attack (stealth)
This attack is the same as the previous version, but the voting application window is launched on the attacker’s computer instead of the voter’s computer, so the voter would not notice the malware voting again.
- Client Bad Verify Attack
In this attack, the voter is assumed to have malware running on his or her computer and a malicious version of the smartphone verification app. (There are several ways that malware could spread from one to the other.) The malware changes the vote before it is sent to the server. In order to prevent verification from failing, when the user attempts to verify the vote using the smartphone, the malicious app reports that the voter’s candidate was chosen, while the attackers intended candidate was selected.
The process we used to set up the laboratory replica system, matching official procedures step by step.
- Debian ISO Burning
The setup process begins with the Election Officials checking the integrity of the Debian installation ISOs and burning them to DVDs.
- Installation Build
The election applications packages are built and burned to DVDs to be used during the installation of the election servers.
- HES Install
The HES/VFS (Vote Forwarding Server) is built (OS and election application install).
- HTS Install
The HTS/VSS (Vote Storage Server) is built (OS and election application install).
- HLR Install
The HLR/VCS (Vote Counting Server) is built (OS and election application install).
- LOG Install
The LOG server (maintains logs of the other servers) is built (OS and election application install).
- Election Config Creation
The configuration files for the election (candidate list, voter list, etc) are built.
- HES Config
The HES/VTS (Vote Forwarding Server) is configured with the election configuration and prepared for use.
- HTS Config
The HTS/VSS (Vote Storage Server) is configured with the election configuration and prepared for use.
- HLR Config
The HLR/VCS (Vote Counting Server) is configured with the election configuration and prepared for use.
Official videos from the October 2013 municipal elections
Official setup and administration steps, for comparison.
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.