Swiss Post asks public to hack its e-voting system

18 Feb 2019

Switzerland’s postal service Swiss Post is inviting keen-eyed security experts and white hats to hack its e-voting system.

Earlier e-voting systems were only partially verifiable. Switzerland and its cantons have been running e-voting trials since 2004, and Swiss Post now has what it believes is the first fully verifiable system.

The system is intended to eventually make e-voting available to the broader public, and it also detects technical errors such as malfunctions, human error, or attempted manipulation.

“The online voting system currently subject to the public intrusion test (PIT) is provided by Swiss Post. It has already been pen-tested and certified under the legal framework of the Swiss Confederation. By performing the PIT, the Confederation and the Cantons are hoping to get a valuable outside view on the system by a large number of competent people.”

To put those claims to the test, it’s asking hackers to probe its system as part of a bug bounty and penetration testing exercise in February and March.

From February 25 to March 24, hackers should try to read votes, manipulate votes, and disable or circumvent the security measures that protect votes and security-related data.

They must also publish information including the title, category, vulnerability description, evidence of its successful exploitation, and a full reproduction guide with all PoC code and elements.

Successful submissions could earn as much as 50,000 Swiss francs (CHF) per vulnerability – and the exercise has already attracted entrants from around the globe. Categories and minimum compensation:

  • Best Practice (uncritical optimisation possibilities): 100 CHF
  • Intrusion into the e-voting system: 1,000 CHF
  • Corrupting votes or rendering them unusable: 5,000 CHF
  • Successful attack on voting secrecy on the servers: 10,000 CHF
  • Manipulation of votes detected by the system: 20,000 CHF
  • Undetected manipulation of votes: 30,000 – 50,000 CHF

Swiss Post is responsible for paying people who report security breaches. Swiss Post decides how much is paid. The federal government and the cantons are contributing CHF 250,000 towards the public intrusion test via eGovernment Switzerland’s priority plan.

“The public intrusion test has the added benefit of including a large number of people to test the security of a system,” a statement says.

Swiss Post also says that the public test will encourage people to report vulnerabilities to organisers who can then fix the problem, rather than to attackers and adversaries.

“The payments offered by Swiss Post provide an incentive to report weaknesses to the organisers. Illegal attempts to find weaknesses could be made at any time, not just during the public intrusion test. On the other hand, the public intrusion test provides well-meaning participants with the opportunity to examine the system thoroughly for weak points.”

SCRT, a company specialising in intrusion tests, will register participants on behalf of the Confederation and the cantons, and will also evaluate feedback and comment on it.

Swiss Post is also working with an accredited firm on its own e-voting penetration testing process.
