Estonia's online voting system could easily be hacked by attackers working on behalf of an outside government, researchers have discovered. That's alarming news considering how much faith Estonia has shown in its e-voting system; it's the only country that uses web-based voting "in a significant way" for national elections, researchers said in a report published Monday. Other countries including the US have steered clear of web-based voting out of security concerns.
And Estonia is a good example of why they're reluctant to make the jump. After putting together a replica of the Estonian voting setup, a research team found that they were able to infiltrate the voting technology and change the result of an entire election — without leaving any real trace of the digital break-in. "The Estonian system uses a security architecture that may have been adequate when the system was introduced a decade ago, but it is now dangerously out of date," said the report authored by J. Alex Halderman, assistant professor of computer science and engineering at University of Michigan, along with several security experts and Ph.D. students. "Estonia’s system places extreme trust in election servers and voters’ computers — all easy targets for a foreign power."
One method of sneaking in involves planting malware on the home or work PCs used by voters. Malware could allow perpetrators to capture the information stored on individual ID cards and use that information to cast a replacement vote. "This attack could be replicated across tens of thousands of computers, the report warns. At the very least, the findings are enough to cast serious doubt on future elections in the country until security measures around online voting are tightened.
But the Estonian system can also be targeted with server-side attacks, an even more worrisome approach that could lead to votes being completely rigged after the fact. "The attack’s modifications would replace the results of the vote decryption process with the attacker’s preferred set of votes," said the researchers. The researchers concludes that Estonia's voting infrastructure is littered with "serious design weaknesses" and urges the company to cease e-voting until it can lock things down tighter. In 2007, Estonia suffered a huge denial-of-service that swamped its parliament, banking systems, and other organizations. Russia is believed to have been the culprit in that attack.