Incident: Security Vulnerabilities in Estonia's E-Voting System for European Elections

Published Date: 2014-05-12

Postmortem Analysis
Timeline 1. The security weaknesses in Estonia's internet voting system were observed by accredited independent researchers during the October 2013 municipal elections; their findings were published in May 2014, shortly before Estonia's European elections [26586].
System 1. Estonia's internet voting system [26586]
Responsible Organization 1. The Estonian government and the Estonian National Electoral Committee, which have developed the internet voting system since 2002 and operate it for elections [26586]. The weaknesses were reported by independent researchers, including Harri Hursti and a team from the University of Michigan, who were accredited to observe the October 2013 municipal elections [26586].
Impacted Organization 1. Estonian government [26586]
Software Causes 1. Insufficient security safeguards in the internet voting software: after replicating the Estonian system from its published software, the researchers showed that malware on a voter's PC could cast fake votes and that malware on the vote-counting server could produce a faked total, and the system's safeguards did not protect against either attack [26586].
Non-software Causes 1. Insecure internet connections used for downloading key software by election officials. 2. Typing PINs and passwords in view of cameras during the preparation of election software. 3. Preparation of election software on insecure PCs. 4. Lack of response from the Estonian government to the reported findings by independent researchers [26586].
Impacts 1. The security vulnerabilities in Estonia's internet voting system could lead to faked votes or totals, potentially compromising the integrity of elections [26586]. 2. The incident raised concerns about the security and reliability of e-voting systems, not only in Estonia but also in other countries considering adopting similar systems like Lithuania, Finland, and possibly the UK [26586]. 3. The discovery of flaws in the e-voting system could have serious ramifications for the future of online voting systems and their adoption in various countries [26586]. 4. The incident highlighted the debate among computer scientists and experts regarding the appropriateness and security risks of e-voting, with concerns about the potential for manipulation and the inability to ensure the anonymity and security of votes [26586].
Preventions 1. Implementing secure software development practices such as secure coding, regular code reviews, and security testing [26586]. 2. Downloading key election software only over authenticated, encrypted connections and verifying its integrity against a value obtained out of band before it is installed, and shielding PIN and password entry from cameras and onlookers [26586]. 3. Conducting thorough security assessments and audits of the e-voting system to identify and address vulnerabilities [26586]. 4. Preparing election software only on dedicated, hardened machines and enhancing physical security to prevent unauthorized access to election software and systems [26586]. 5. Establishing a clear disclosure channel between independent researchers and election officials so that reported security issues are received with enough technical detail to be acted on promptly [26586].
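Prevention 2 above, as a runnable check. This is an added example, not code from the Estonian system or from the researchers' report: it assumes that an election official holds, out of band (for instance on paper inside the sealed election package), the SHA-256 digest of every file they are expected to download. The file names, URLs and sample file contents are constructed for the example.

```python
"""Pin-and-verify check for election software downloaded by officials.

Added example, not code from the Estonian system or the researchers' report.
Assumes the official holds, out of band (e.g. on paper in the sealed election
package), the SHA-256 digest of every file they are expected to download.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class IntegrityError(Exception):
    """Raised when a downloaded file must not be installed or run."""


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_transport(url: str) -> None:
    """Refuse plaintext transports: an on-path attacker can swap the file.

    HTTPS alone is not sufficient (a compromised mirror still serves a bad
    file), which is why the digest check below is mandatory as well.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise IntegrityError(f"refusing non-HTTPS download: {url}")


def verify_artifact(url: str, data: bytes, expected_sha256: str) -> str:
    """Return the digest of `data` if it matches the pinned value, else raise."""
    check_transport(url)
    actual = sha256_hex(data)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise IntegrityError(
            f"digest mismatch for {url}: expected {expected_sha256}, got {actual}"
        )
    return actual


def verify_manifest(base_url: str, downloads: dict, manifest: dict) -> dict:
    """Verify every file named in the manifest.

    `downloads` maps filename -> bytes as fetched; `manifest` maps filename ->
    pinned SHA-256 hex. A file missing from the download, or an unexpected
    extra file, is treated as a failure: partial or padded installs are how
    a tampered tool slips in beside the genuine ones.
    """
    if set(downloads) != set(manifest):
        raise IntegrityError(
            f"download set {sorted(downloads)} does not match manifest {sorted(manifest)}"
        )
    return {
        name: verify_artifact(f"{base_url}/{name}", downloads[name], manifest[name])
        for name in manifest
    }


def demo() -> dict:
    """Run the check against constructed sample files and return the outcomes."""
    # Constructed sample artifacts standing in for real installers.
    genuine = {
        "vote-client.bin": b"genuine voting client build",
        "tally-tool.bin": b"genuine tally tool build",
    }
    manifest = {name: sha256_hex(data) for name, data in genuine.items()}
    tampered = dict(genuine, **{"tally-tool.bin": b"backdoored tally tool build"})
    outcomes = {}
    for label, url, files in [
        ("genuine over https", "https://downloads.example", genuine),
        ("genuine over http", "http://downloads.example", genuine),
        ("tampered over https", "https://downloads.example", tampered),
    ]:
        try:
            verify_manifest(url, files, manifest)
            outcomes[label] = "accepted"
        except IntegrityError as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The check rejects a plaintext download even when the file is genuine, because the official cannot tell a genuine file from a replaced one without the digest, and it rejects a correct-looking download set that carries one altered tool. A digest printed inside the same download is worthless; the pinned values must come from a channel the downloading machine cannot influence.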
Fixes 1. Implementing stronger security measures such as secure internet connections, secure PCs, and secure handling of PINs and passwords during the election process [26586]. 2. Conducting thorough security tests and reviews of the e-voting system to identify and address vulnerabilities [26586]. 3. Enhancing the security safeguards within the e-voting system to protect against potential attacks like taking over voters' PCs to cast fake votes or hacking into vote-counting servers [26586]. 4. Collaborating with independent researchers and experts in computer science to continuously assess and improve the security of the e-voting system [26586].
References 1. Independent researchers accredited to observe the October 2013 municipal elections [26586] 2. Harri Hursti, an independent researcher from Finland working for the web security company SafelyLocked [26586] 3. Jason Kitcat from the UK's Open Rights Group [26586] 4. Alex Halderman, assistant professor of computer science at the University of Michigan [26586] 5. Estonian National Electoral Committee [26586]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The same organization continues to operate the system in which the weaknesses were found: the Estonian government has developed its e-voting system since 2002, has used it in elections since 2005, and stated that it would still use it for the European elections in May 2014 despite the researchers' findings [26586]. (b) The findings could have serious ramifications for other countries looking to adopt a similar system, including Lithuania, Finland, and possibly the UK. The incident serves as a warning to any country considering an online voting system modelled on Estonia's, highlighting the security risks such systems carry [26586].
Phase (Design/Operation) design, operation (a) design: the safeguards built into the system were insufficient against the attacks the researchers demonstrated. Having replicated the Estonian system from its published software, they showed that malware on a voter's PC could cast fake votes and that malware on the vote-counting server could alter the final count [26586]. These are properties of the system as designed, not of any one election's procedures. (b) operation: the researchers, accredited to observe the October 2013 municipal elections, also recorded procedural lapses by election officials: key software downloaded over insecure internet connections, PINs and passwords typed in view of cameras, and election software prepared on insecure PCs [26586]. Each of these could give an attacker the access needed to mount the attacks above.
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident related to Estonia's internet voting system was primarily due to contributing factors that originated from within the system. Independent researchers discovered security vulnerabilities within the e-voting system, such as election officials downloading key software over insecure connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs [26586]. The researchers were able to replicate the Estonian system using its published software and demonstrated weaknesses in the security safeguards of the system, including taking over voters' PCs to cast fake votes and hacking into vote-counting servers to alter the final count [26586]. (b) outside_system: The software failure incident also highlighted the potential external threats that could exploit the vulnerabilities within the system. The researchers warned that attacks could be carried out by nation states or well-funded candidates who might hire criminal hackers to compromise elections by altering votes [26586]. Additionally, the researchers demonstrated how malware could be run on a server to create a faked total for e-votes using Estonia's e-voting software, indicating the external threat of malicious software impacting the system [26586].
Nature (Human/Non-human) non-human_actions, human_actions (a) non-human_actions: the software itself lacked safeguards sufficient to stop the demonstrated attacks. Malware on a voter's PC could cast fake votes, and malware on the vote-counting server could produce a faked total, and the system's safeguards protected against neither [26586]. (b) human_actions: election officials were observed downloading key software over insecure internet connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs [26586]. The Estonian government also chose to keep using the system for the May 2014 European elections after the findings were reported [26586].
Dimension (Hardware/Software) software (a) hardware: the article attributes nothing to hardware faults. The observed weaknesses lie in insecure operating practices (key software downloaded over insecure connections, PINs and passwords typed in view of cameras, election software prepared on insecure PCs) and in the software's own safeguards [26586]. (b) software: the researchers, working from the published software, found that the e-voting system's safeguards were insufficient to protect against attacks such as taking over voters' PCs to cast fake votes and hacking into vote-counting servers to alter the final count [26586]. The incident illustrates how weaknesses in voting software can be exploited for electoral manipulation.
Objective (Malicious/Non-malicious) malicious (a) The failure mode is malicious exploitation: the weaknesses matter because an attacker can use them to fake votes or totals. The researchers warned that nation states or well-funded candidates hiring criminal hackers could compromise an election this way, and they demonstrated the attacks themselves, creating fake votes and infecting a server to alter the vote count [26586]. Nothing in the article suggests the weaknesses were introduced deliberately; the malicious objective belongs to whoever would exploit them.
Intent (Poor/Accidental Decisions) poor_decisions (a) The failure traces to poor decisions. Independent researchers observed election officials downloading key software over insecure connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs [26586], and warned that these practices could compromise the security of the entire system, leaving it open to attack by nation states or well-funded individuals seeking to alter the vote [26586]. The Estonian government had been developing its e-voting system since 2002 and used it for several elections, yet the researchers found that its safeguards were insufficient against the attacks they carried out [26586]. The Estonian National Electoral Committee responded that the researchers had not provided technical details of the alleged vulnerabilities, pointing to a breakdown in disclosure and communication between the researchers and the committee [26586].
Capability (Incompetence/Accidental) development_incompetence (a) The failure is attributable to development incompetence. Independent researchers observed election officials downloading key software over insecure connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs [26586]. The researchers, including Harri Hursti and a team from the University of Michigan, replicated the Estonian system from its published software and found that its safeguards were insufficient to protect against attacks such as taking over voters' PCs to cast fake votes and hacking into vote-counting servers to alter the final count [26586]. (b) The Estonian National Electoral Committee replied that the researchers did not provide technical details of the alleged vulnerabilities, did not share the full results of their work, and gave only preliminary answers to questions about their findings [26586]. That is a disclosure dispute between the two parties, not evidence that the weaknesses arose by accident, so the classification remains development_incompetence.
Duration temporary The failure is classed as temporary: the weaknesses were tied to the software and procedures as used in the October 2013 municipal elections and could be corrected, rather than being an inherent and permanent property of the system. The researchers, who observed election officials downloading key software over insecure internet connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs, demonstrated that the safeguards of the system as used in 2013 did not protect against the attacks they tried, such as taking over voters' PCs to cast fake votes and hacking into the vote-counting servers to alter the final count [26586]. The Estonian National Electoral Committee replied that the researchers had not provided technical details of the alleged vulnerabilities and that it did not believe the described attacks could feasibly alter the results of the voting [26586].
Behaviour value, other (a) crash: not applicable; the article describes no loss of state or cessation of function. (b) omission: not applicable; the system did not omit any of its intended functions. (c) timing: not applicable; no function was performed too early or too late. (d) value: applicable. The system could be made to perform its intended function, recording and counting votes, with incorrect results: fake votes accepted from a compromised voter PC and a faked total produced by a compromised counting server [26586]. (e) byzantine: not applicable; the article describes no inconsistent responses across components. (f) other: the incident is a security failure rather than a functional one. The wrong outputs, fake votes and altered counts, are plausible-looking and come with no visible malfunction, which is what lets an attacker exploit them undetected, as the researchers demonstrated [26586].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: no deaths are mentioned in the article [26586]. (b) harm: no physical harm to individuals is mentioned in the article [26586]. (c) basic: no impact on access to food or shelter is mentioned in the article [26586]. (d) property: no realised loss of money or goods is reported. The asset at risk is data, namely the votes and totals of an election; the demonstrated attacks could alter both, with consequences for the democratic process and public trust in the electoral system [26586]. (e) delay: the article reports no activity being postponed; Estonia intended to go ahead with e-voting in the May 2014 European elections [26586]. (f) non-human: the entities put at risk are the votes, the counted totals and the electoral process itself rather than any individual; the article reports no actual manipulation of them [26586]. (g) no_consequence: the Estonian National Electoral Committee stated that it did not believe the described attacks could feasibly alter voting results, pointed to the numerous safeguards in place to detect and prevent attacks or manipulated results, and noted that the researchers had not provided technical details of the alleged vulnerabilities [26586]. (h) theoretical_consequence: the consequences discussed but not observed were faked votes or totals, compromised election security, and knock-on effects for other countries considering similar e-voting systems; the committee maintained that its online balloting had withstood numerous reviews and security tests over the past decade [26586]. (i) other: beyond the options above, the findings undermine confidence in the security of the voting system as a whole and raise wider doubts about the safety and reliability of e-voting in general [26586].
Domain information, government (a) information: the failed system is Estonia's internet voting system, which lets citizens submit votes online instead of by paper ballot; up to a quarter of votes in Estonian elections are cast this way [26586]. (b) government: the system is developed and operated by the Estonian state, through the Estonian National Electoral Committee, and is used for national parliamentary, municipal and European elections [26586].
