Australian online voting system includes FREAK vulnerability



In the elections of Australian State of New South Wales, people went to the polls to elect a new government. Some residents cast their votes online, with a system that may be carrying the FREAK bug.The system is termed as iVote system that was launched in 2011 to serve voters who live far away from a polling station, or those who would be thruway. 



According to Teague and Halderman, their proof-of-concept scrutiny made it possible to intercept and manipulate votes ... though the same attack would also have succeeded against the real voting server," the pair wrote in analysis.


"The attack works if a voter uses iVote from a malicious network – say, from a WiFi access point that has been infected by malware.

"In our demonstration, the malicious network injects code that stealthily substitutes a different vote of the attacker’s choosing. We also show how the attacker can steal the voter’s secret PIN and receipt number and send them, together with the voter’s secret ballot choices, to a remote monitoring server." 

The iVote platform was discovered to be exposed to man-in-the-middle attacks. According to researchers, the voting website uses a safe SSL configuration, it includes JavaScript from an external server that is used to track site visitors and including FREAK attack.

 Teague reported that the system may be targeted by attackers from anywhere in the world acquiring sufficient but not enormous levels of skill could automate the hacking.

According to Teagu, the iVote patching process had merely disruptive vulnerability and that more could remain undiscovered

As reported by NSW chief information officer Ian Brightwell, iVote system could not guarantee the security of the voting system due to inherent risk in all paper and electronic voting mechanisms.