A security and privacy researcher from France has found a significant loophole in Moscow’s blockchain-based voting system.
As preparations for Moscow’s upcoming city council elections hit the ground running, a security and data privacy researcher has cracked the code for the city’s blockchain-based voting system within minutes of unchallenging attempts. Apparently, Pierrick Gaudry could effortlessly decipher the encryption code using the digital voting system’s public keys.
The Russian authorities, who were all set to use the blockchain framework for a voting system in the city’s municipal elections, have been held responsible for the debacle during the election’s final innings. They use the derivative form of ElGamal encryption mode, which does not offer much security.
The block-chain based electronic voting system of Moscow's parliament is basically insecure, like in, totally broken. https://t.co/EafAAYXkpB pic.twitter.com/ISNcuPDvFu
— Lukasz Olejnik, Ph.D, LL.M (@lukOlejnik) August 20, 2019
Estimated damages from a weak blockchain-based voting system
According to Gaudry, if a publicly available software used from a personal computer could decode the encryption key within a matter of minutes, no encrypted information is secure from hacking.
However, as Gaudry speculates, it is difficult to estimate the magnitude of damage it can cause as the system’s procedures are not available in English. As a result, the complexity involved in encrypting the ballot boxes is open to question.
Even though it is not yet established how weak the encryption scheme is, at worst, the votes could be made public as soon as a voter casts his vote, says Gaudry.
The innovative blockchain-based design
Based on the smart contracts concept of the Ethereum blockchain, Moscow’s trailblazing in the crypto sphere took a new turn when the country’s most populous city decided to launch the e-voting system built on blockchain technology.
The one-of-a-kind voting system, slated to go live on Sep 08, will enable Moscow residents to cast a vote from the personal devices, without having to go to booth centers.
Following Gaudry’s shocking revelation, the Moscow department of IT has confirmed that the issue will be resolved before the elections. A spokesperson acknowledges its susceptibility to unauthorized access and assures that key length will be increased to 1024.
Interestingly though, Gaudry believes that the key length of 1024 bits may not turn the trick. According to him, the design should involve a range of 2048 bits instead.
Meanwhile, the Chief Security Strategist from Attivo Networks, Chris Roberts found an opportunity to take a jab at the US electoral systems, which are struggling with insecure voting systems for a long time. The US election systems must take a hint from this fiasco and bolster the security around the voting systems, he remarks.
And while Moscow officials prepare to reward Gaudry for his praiseworthy discovery, it is yet to be seen whether his suggestions will be successfully implemented.
