Researchers who replicated system in laboratory environment say software could be hacked to cast fake votes or servers attacked to alter totals – and the benefits aren't worth the risks

Estonia's internet voting system should not be used for the European elections in May because its security vulnerabilities could lead to faked votes or totals, say independent researchers.



The flaws were discovered by a team who were accredited to observe the October 2013 municipal elections. They said they observed election officials downloading key software over insecure internet connections, typing PINs and passwords in view of cameras, and preparing election software on insecure PCs. They have reported their findings to the Estonian government, but had had no response by Monday.

As one of the highest-profile countries in its adoption of the internet, Estonia intends to use the e-voting system for its European elections in May, and already uses it for national parliamentary and municipal elections. Up to a quarter of votes are cast online in elections.

The attacks could be carried out by nation states that wanted to compromise elections, or a well-funded candidate who hired criminal hackers with the capabilities to alter the vote, the researchers warned.

Harri Hursti, an independent researcher from Finland who works for the web security company SafelyLocked, said: "These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system." Hursti has carried out a number of tests of e-voting systems, demonstrating weaknesses in systems used in the US and elsewhere.

The Estonian government has been developing its e-voting system since 2002, and used it for the first time in 2005 for local government council elections. In 2009, about a third of the electorate voted in the European elections – of whom 15% used e-voting. In the parliamentary elections in March 2011, 61% of the total electorate voted; just under a quarter of the votes cast came through e-voting.

The researchers, including Hursti and a team from the University of Michigan, replicated the Estonian system using its published software which was used in the 2013 elections. "This was essentially their system, but used in a laboratory environment," Jason Kitcat, of the UK's Open Rights Group, told The Guardian. "We couldn't use their system that they used for real votes, because that would be unethical."

The results showed that "although the Estonian system contains a number of security safeguards, these are insufficient to protect against the attacks we tried", said Alex Halderman, assistant professor of computer science at the University of Michigan, who was an e-voting election observer in Estonia in 2013.

Those attacks included taking over voters' PCs to cast fake votes, and hacking into the vote-counting servers to install software that would alter the final count.

Estonian voters use a combination of smartcards, with built-in chips, and smartphone verification to confirm their votes. Even so, the researchers said it was vulnerable; and Kitcat warned that e-voting might be an area which could never be guaranteed safe from hacking.

In a statement to the Guardian, the Estonian National Electoral Committee said it took any evidence of flaws in balloting seriously, but that in the past decade its online balloting had stood up to numerous reviews and security tests. "We believe that online balloting allows us to achieve a level of security greater than what is possible with paper ballots."



It said it could give only preliminary answers to the findings as the researchers had not shared with it the full results of their work. "The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last six months to share the initial findings of their research. In reality, the only advance information we received was notification, on Saturday evening, of a press conference on Monday."

The committee said it could conclude that:

"The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole.

"It is not feasible to effectively conduct the described attacks to alter the results of the voting.

"The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."



The committee also claimed that the researchers did not "provide technical details on the alleged vulnerabilities in our system".



If confirmed, the discovery could have serious ramifications for other countries which are looking at adopting the Estonian system, including Lithuania, Finland and possibly the UK.



Estonia has been praised by UK ministers for its enthusiastic adoption of online systems for providing government systems. But some say e-voting should not be pursued.

Kitcat said: "Many computer scientists believe that the unique properties of an election make it impossible to do electronically. With e-commerce or banking, you can give a refund if something goes wrong. But you can't do that with a vote – you can't go in to the server and say, 'Yes, that's my vote', because otherwise you'd be able to sell it. A vote has to be anonymous and secure.

"Computer security scientists feel e-voting isn't the appropriate way to do it. A hacker only has to find one little hole and it's all in question. It's a question for the politicians – are the benefits really worth the risks?"

The researchers have released videos showing how they could create fake votes, and how they could infect servers to alter vote counts.

Security researchers demonstrate how Estonia's e-voting system could be used to make fake votes

Security researchers show how malware could be run on a server to create a faked total for e-votes using Estonia's e-voting software



• This article was updated on 13 May 2014 to include a response from the Estonian National Electoral Committee.
