In 2007, the Estonian government came under a massive denial-of-service attack that crippled the country's banking, government and law enforcement infrastructure. Nobody took responsibility for the flood of bogus Internet traffic, but some suspected Russia was the culprit. Given what we know about Russia's aggressive border policies, it's a plausible theory. The Kremlin, after all, had a motive: Estonia had recently taken down a Soviet-era statue, and ethnic Russians were up in arms about it.
If Moscow wanted to take the opportunity to meddle in Estonia's affairs, according to research by an international team of security experts, it could do so cleanly and silently without anyone being the wiser. The attack could come via Estonia's online voting system.
Estonia's is one of the only such ballot systems in the world, which makes it a fascinating test case for other countries or governments weighing the costs and benefits of e-voting. Unfortunately, the researchers discovered, this system is vulnerable to hacking in ways that could change the outcome of entire elections.
Alex Halderman, a member of the research group and an associate professor of computer science at the University of Michigan, helped lead the study. Halderman and other researchers set up an exact replica of the Estonian e-voting infrastructure on a set of dummy machines and then probed them for weaknesses. Turns out the game can be rigged both by hacking voters' computers and by loading malware onto the servers that log and count the votes.
"This reveals a tremendously worrying lack of operational security and professionalism on the part of the election administration," Halderman told reporters Monday in a news conference. "It creates multiple opportunities for an attack to try to compromise the system without either being detectable or being stopped by the [security] procedures that are in place."
To understand how the attacks work, you have to know a bit about the e-voting technology. According to Halderman, about a quarter of votes cast in recent Estonian elections have been filed electronically rather than by paper ballot — that's a high percentage. Voters who choose to cast their ballots online insert their ID card — which carries an electronic chip and is used not just for voting but also for banking and other purposes — into a card reader attached to their PC. Then they type in a passcode that gives them access to government services. After casting a vote, the voter simply takes the card out of the computer.
But if the PC is loaded with malware, hackers could steal the voter's credentialing information as it's being entered into the system. The next time the voter uses the ID card, Halderman says, the hackers could break their way in.
Another means of attack involves targeting the election servers that count the votes. By installing a trojan on a dummy server, Halderman and the other researchers were able to take a "legitimate" vote and covertly switch that vote to support another party.
"Estonia’s system places extreme trust in election servers and voters’ computers — all easy targets for a foreign power," according to the researchers' report, which recommends the e-voting system be dismantled until security can be improved. "Despite positive gestures towards transparency — such as releasing portions of the software as open source and posting many hours of videos documenting the configuration and tabulation steps — Estonia’s system fails to provide compelling proof that election outcomes are correct."
The Estonian government did not immediately respond to requests for comment.
Update: The Estonian National Electoral Committee has posted a statement online pushing back against the researchers' claims. The committee denies that the attacks identified by Halderman and his team can be successfully executed, and insists that the security protocols it has in place are robust enough to fend off malware.
"The Estonian National Electoral Committee is always open to constructive criticism concerning the security of any form of balloting in Estonia," according to the statement. "We look forward to reading the full results of the researchers' work, and are willing to meet with them to explore their findings in detail. Nevertheless, their last minute claims, published two days before the beginning of online balloting for elections to the European Parliament, give us no reason to suspend online balloting."
The researchers have said that they will post the technical results of their work once the elections are complete.