Attacking the verification code mechanism in the norwegian internet voting system

Authors:
Reto E. Koenig;Philipp Locher;Rolf Haenni
Affiliations:
Bern University of Applied Sciences, Biel, Switzerland;Bern University of Applied Sciences, Biel, Switzerland;Bern University of Applied Sciences, Biel, Switzerland
Venue:
Vote-ID'13 Proceedings of the 4th international conference on E-Voting and Identity
Year:
2013

Citing 10
Cited 0

The Zurich Trusted Information Channel --- An Efficient Defence Against Man-in-the-Middle and Malicious Software Attacks

Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Security and Trust for the Norwegian E-Voting Pilot Project E-valg 2011

NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Scantegrity II: end-to-end verifiability by voters of optical scan elections through confirmation codes

IEEE Transactions on Information Forensics and Security - Special issue on electronic voting
Secure internet voting with code sheets

VOTE-ID'07 Proceedings of the 1st international conference on E-voting and identity
On e-vote integrity in the case of malicious voter computers

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Prêt à voter with confirmation codes

EVT/WOTE'11 Proceedings of the 2011 conference on Electronic voting technology/workshop on trustworthy elections
Improving remote voting security with codevoting

Towards Trustworthy Elections
A formal analysis of the norwegian e-voting protocol

POST'12 Proceedings of the First international conference on Principles of Security and Trust
Transparency and technical measures to establish trust in norwegian internet voting

VoteID'11 Proceedings of the Third international conference on E-Voting and Identity
The secure platform problem taxonomy and analysis of existing proposals to address this problem

Proceedings of the 6th International Conference on Theory and Practice of Electronic Governance

Quantified Score

Hi-index	0.00

Visualization

Abstract

The security of the Norwegian Internet voting system depends strongly on the implemented verification code mechanism, which allows voters to verify if their vote has been cast and recorded as intended. For this to work properly, a secure and independent auxiliary channel for transmitting the verification codes to the voters is required. The Norwegian system assumes that SMS satisfies the necessary requirements for such a channel. This paper demonstrates that this is no longer the case today. If voters use smartphones or tablet computers for receiving SMS messages, a number of new attack scenarios appear. We show how an adversary may exploit these scenarios in systems providing vote updating and point out the consequences for the vote integrity in the Norwegian system. We also give a list of possible counter-measures and system enhancements to prevent and detect such attacks.