An international group of researchers who have been examining the source code for an internet voting system Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection.

The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection.

“The vulnerability is astonishing,” said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers’ report. “In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that.”

The researchers provided their findings last week to Swiss Post, the country’s national postal service, which developed the system with the Barcelona-based company Scytl. In a statement that the researchers provided to Motherboard, and that Swiss Post plans to publish online on Tuesday, Swiss Post said the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post’s secured IT infrastructure “as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.”

But this ignores the fact that Swiss Post and other insiders themselves could pull off the attack.

“Their response hides that they are the primary threat actor for this scenario,” said Sarah Jamie Lewis, a former computer scientist for England’s GCHQ intelligence agency who conducted the research with two academics. “Swiss Post have ‘control over Swiss Post’s secured IT infrastructure’. No election system should have a backdoor that allows the people running the election the ability to undetectably modify the election outcome.”

Green and Lewis said the Swiss government should immediately halt the internet voting rollout as a result of the finding.

“If you’re building a voting system where the chief threat is somebody can hack into a server and replace votes, and if the primary mechanism for preventing that is implemented in a way that is wrong—and not just wrong but wrong in a way that I think any experienced cryptographer should have known was wrong—then … it’s a disqualifying flaw in a system like this,” Green said.

Although Lewis said the particular fix Scytl has apparently employed should theoretically solve the issue if the company implements it correctly, there’s no reason to trust that Scytl will do it right. And given that the flaw was so fundamental to the system, and that several previous professional audits of the code never caught the problem, it raises serious questions about the rest of the system.

“We have only examined a tiny fraction of this code base and found a critical, election-stealing issue,” said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. “Even if this [backdoor] is closed its mere existence raises serious questions about the integrity of the rest of the code.”

Lewis conducted the research with Olivier Pereira, who teaches cryptography at the Université catholique de Louvain in Belgium, and Vanessa Teague, who teaches cryptography at the University of Melbourne in Australia. They’ve posted a paper about their findings, but Lewis said they need more time to do a thorough analysis of the rest of the code.

Internet voting has been used in Switzerland in various cantons on a trial basis since 2004, but Switzerland hoped to make it available as an option nationwide, with plans to offer it in the majority of the country’s cantons by October. Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for administering the internet voting system in their districts.

Swiss Post made headlines last month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. As part of the penetration program, Swiss Post made source code for the system available to participants in the program who agreed to specific terms, among them that they wouldn’t publish any findings without first notifying Swiss Post and then only after at least 45 days had passed after notification.

Someone apparently objected to the terms and published the source code online. That published copy is the code Lewis and her research partners examined, without having to agree to the conditions.

Lewis and Green previously reported, after just a couple of hours looking at the code, that it was a poorly constructed and convoluted maze that made it difficult to follow what was going on in the system and effectively evaluate whether security measures deployed in the system were done properly. In digging through the system more thoroughly over the following days, Lewis and her team discovered that in fact at least one critical part of the system wasn’t done properly.

The way the Swiss system works is that voters authenticate themselves to the voting website using their birthdate and an initialization code they receive from Swiss Post in the mail. When they make their selections on screen, the votes are encrypted before going to the Swiss Post servers, where they are processed through a so-called “mix network” that cryptographically shuffles the votes to anonymize them and make sure there is no way to match them to the voter. Once the votes are shuffled, they’re counted then decrypted.

The system uses four computers to do the shuffling. Batches of ballots go to the first server, which decrypts and shuffles them before re-encrypting them and sending them to the next server, which shuffles them in a different order before sending them to the third server, which does the same. The system uses what’s known as a zero-knowledge proof to prove that ballots haven’t been swapped out during this shuffling phase.

“If the zero-knowledge proof works, then all of the ballots going in are guaranteed to be the same ones going out,” Green said. “But what the researchers discovered is that that zero-knowledge proof is seriously flawed.”

Lewis said the mistake Scytl made would not only allow an attacker to swap out all of the ballots, but would let them do so while the zero-knowledge proof still showed that everything was valid and working correctly.
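Why the shuffle proof carries the whole integrity guarantee can be seen in a toy re-encryption mix, added here as an illustration; it is not code from the Swiss Post/Scytl system or from the researchers' paper, and it does not reproduce the flaw in the proof. It simplifies the mixing to a single ElGamal re-encryption server, and the group parameters, vote encoding and function names are constructed assumptions.

```python
import secrets
from collections import Counter

# Constructed toy group (assumption): safe prime P = 2Q + 1, G of prime order Q.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q, G = 2039, 1019, 4
VOTES = {"yes": pow(G, 1, P), "no": pow(G, 2, P)}   # votes encoded as group elements
DECODE = {m: v for v, m in VOTES.items()}
_rng = secrets.SystemRandom()

def keygen():
    x = 1 + secrets.randbelow(Q - 1)          # election private key
    return x, pow(G, x, P)                    # (private, public)

def encrypt(h, vote):
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), VOTES[vote] * pow(h, r, P) % P

def reencrypt(h, ct):
    # Multiply in a fresh encryption of 1: same plaintext, unlinkable ciphertext.
    a, b = ct
    s = 1 + secrets.randbelow(Q - 1)
    return a * pow(G, s, P) % P, b * pow(h, s, P) % P

def honest_mix(h, batch):
    out = [reencrypt(h, ct) for ct in batch]
    _rng.shuffle(out)
    return out

def substituting_mix(h, batch, forged_vote):
    # A dishonest server needs only the public key to emit a same-sized batch.
    return [encrypt(h, forged_vote) for _ in batch]

def well_formed(batch):
    # The only check available without the key or a sound shuffle proof:
    # every component lies in the order-Q subgroup.
    return all(pow(a, Q, P) == 1 and pow(b, Q, P) == 1 for a, b in batch)

def tally(x, batch):
    # b / a^x recovers the encoded vote; a^(Q - x) is the inverse of a^x.
    return Counter(DECODE[b * pow(a, Q - x, P) % P] for a, b in batch)

if __name__ == "__main__":
    x, h = keygen()
    cast = [encrypt(h, v) for v in ["yes", "yes", "yes", "no", "no"]]
    for name, out in [("honest", honest_mix(h, cast)),
                      ("substituted", substituting_mix(h, cast, "no"))]:
        print(name, well_formed(out), dict(tally(x, out)))
```

Both output batches pass the structural check and have the right size; only the decrypted tally differs, which is why an auditor has nothing but the shuffle proof to rely on.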

“It is only with knowledge of the [cryptographic backdoor] … that someone could detect that there had been manipulation,” Lewis said.

Green said that Swiss Post’s assertion that an attacker would need access to the infrastructure to pull off the attack belies the intended design of the system, which is supposed to ensure that even if the infrastructure is malicious, the election would still be safe.

“This system was designed so that you should not have to trust the voting infrastructure,” he said. “[But] what they’re saying is, if you can hack the voting servers then you can do this. But they’re saying it’s hard to hack into our voting servers. OK, if you say so…. It seems worrisome that this is what you’re hanging the security of an entire election on.”

Lewis said that nothing in their analysis suggests that Scytl introduced the flaw deliberately. “It is entirely consistent with a naive implementation of a complex cryptographic protocol by well-intentioned people who lacked a full understanding of its security assumptions and other important details. Of course, if someone did want to introduce an opportunity for manipulation, the best method would be one that could be explained away as an accident if it was found.”

Green agreed.

“I don’t think this was deliberate. However, if I set out to design a backdoor that allowed someone to compromise the election, it would look exactly like this,” he said.

Swiss Post has said the system previously underwent three professional audits by the auditing giant KPMG, though it has never made the auditing reports public or disclosed if the audits found serious problems in the system. Scytl cited previous code reviews as well in a post the company published after Lewis published her initial findings showing the code was poorly designed. The company wrote that the cryptographic protocols used in the system were the result of research done since the company was founded in 2001 and that they had “successfully passed the scrutiny of 3rd party cryptographic experts” to achieve “complete verifiability” and “confidence that no attack might compromise… the integrity of the election results.”

Lewis said the flaw her group found raises serious questions about the reviews done by those cryptographic experts and the professional audits done by KPMG.

“Why did several past audits fail to uncover [what we found]? Why did anyone believe that this system was up to the standard of securing national elections? And what would have happened if we had not found it? Those questions need to be asked and answered by an independent body,” she said.

Although the backdoor issue might be specific to Switzerland, it raises questions about the security and integrity of other Scytl systems in use in elections. Scytl is a leader in developing various internet and other voting solutions for national or regional elections in 42 countries, including at least 1,400 counties in the US. In the US, however, the Scytl system doesn’t collect votes over the internet as the Swiss system does; it just delivers ballots via the internet to US military and other citizens overseas, who print them out and return them via fax or offline mail.

“This should raise numerous questions about related code [created by Scytl],” Lewis said.

Lewis and her team aren’t the only ones examining the Swiss code. The bug bounty and public penetration test of the system continues until March 24. The bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election test or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. More than 2,000 people registered to participate in the hacking test, but it will likely be weeks before the public will learn the details of any problems they have found.