Officials deny another critical vulnerability in Moscow’s online voting system, as they secretly patch the issue
On August 28, Moscow officials conducted the fourth and final test of a new online voting system that will debut in City Duma elections on September 8. The new voting option will be available to roughly 5,000 Muscovites in three okrugi (districts), where the voters make up less than one percent of the electorate in their respective okrugi. Ahead of the final test, the Moscow Mayor’s Office patched a critical vulnerability that would have allowed hacked to track voting results in real time. The election’s organizers never acknowledged this flaw, and they’ve decided to wait until the last minute to release the system’s source code to independent experts.
The leaky bit
The problem
In early August, French cryptographer Pierrick Gaudry discovered the Moscow online voting system’s main vulnerability, demonstrating that its initial encryption keys were too short and could be cracked within 20 minutes using a standard home computer. (Meduza was able to replicate his results.) The Mayor’s Office quickly lengthened the encryption keys, and paid Gaudry 1 million rubles (about $15,000) for his discovery, but officials still refuse to call his work a “successful hack.”
In his work, Gaudry said he cracked the encryption keys because they were the easiest target, though he immediately noticed another flaw that would have taken more time to hack: because of the specific characteristics of the encryption key, one bit of secret data was vulnerable to decryption. Moscow officials have since patched this, as well.
Alexander Golovnev, a Belarusian mathematician and computer science postdoctoral fellow at Harvard University’s School of Engineering and Applied Sciences, has further investigated Gaudry’s bit leak. Golovnev discovered that a situation was possible where one bit of source data (in other words, information about a vote that’s been cast) could “leak,” even after the city’s encryption and security patches. This vulnerability didn't allow hackers to decrypt all votes, but in some cases it would be possible to count how many voters voted for a single candidate. If there were only two candidates in a race (or if the voting system was used with any question that has just two responses), then certain circumstances made it possible to calculate the vote tallies for both options, meaning that hackers could learn the results. Because online encrypted votes are published as they are submitted (so monitors can verify the absence of any tampering), Golovnev’s method made it possible to track voting results in real time.
“Of course, the first thing I did was inform the Mayor’s Office,” Golovnev told Meduza. On August 23, at Pierrick Gaudry’s recommendation, he wrote to both the online-voting support service and Moscow’s Information Technology Department. Golovnev then published the results of his work, and Gaudry cited his findings. When testing started five days later, it became clear that officials had patched the vulnerability Golovnev identified. Once again, however, the Mayor’s Office refused to acknowledge the discovery.
How the Mayor’s Office responded
During the test on August 28, at Meduza’s request, “Golos” election monitor co-founder Grigory Melkonyants asked the online voting system’s organizers to comment on Alexander Golovnev’s findings. According to Artem Kostyrko, the deputy head of Moscow’s Information Technology Department, his office never received Golovnev’s letter and learned “from colleagues” of his discovery, which is why they never contacted him directly, supposedly not knowing how to reach him. “But we studied his findings,” Kostyrko said.
He then discussed only the example that Golovnev laid out in his findings: If votes are designated simply by the numbers 1, 2, 3, and 4, then they can be detected easily. “We didn’t actually encrypt [the votes] like that. We just didn’t say that,” Kostyrko explained, claiming that Golovnev had suggested looking among the encrypted ballots for votes designated by the number 1.
This is inaccurate. In a paper Golovnev published on August 24, he stated, “We emphasize that this attack will distinguish (with high probability) two messages that differ only in their vote, regardless of the values of the deputy IDs and which fields of the ballots are encrypted.”
Kostyrko added that he does not believe Golovnev’s discovery qualifies as a vulnerability, because it didn’t allow hackers to crack the system’s encryption keys. Kostyrko did not comment at all about the changes to the voting system’s code, which clearly indicate that the Mayor’s Office took into account Golovnev’s findings. Meduza showed the new source code to Pierrick Gaudry, who agrees that the changes were made precisely to address the problem Golovnev identified. “It’s funny how they say there’s no problem, but then they quietly patch the vulnerability,” the French cryptographer observed.
Golovnev and Meduza checked the public encryption keys and response designations in the August 28 test bulletin, which contained only two answer options. If the Mayor’s Office hadn’t patched the source code, the results of this vote would have been calculable in real time.
“If I wanted to cheat”
The problem
In his remarks on August 28, Artem Kostyrko also focused on earlier reports by Meduza about Pierrick Gaudry’s success with hacking the voting system’s short encryption keys. To confirm that the encryption keys used in the system were too weak, Meduza also implemented Gaudry’s program. City Hall officials responded by refusing to post the private key and data for its August 7 test, thereby preventing outsiders from confirming that the system had indeed been hacked.
The official response
According to Kostyrko, the private key and data for the August 7 test weren’t released “simply as a matter of speed”: “If I’d wanted to cheat or do something like that, I would have just changed the private key. I’d have published them and said, ‘Look! They weren’t actually able to do anything!’”
Golovnev told Meduza, however, that Kostyrko described something that’s mathematically impossible. There is only one number, Golovnev explains, that is the private key that corresponds to the public key specified in the task released by the Mayor’s Office.
The Mayor’s Office won’t publish the online voting system’s source code until the last minute
The problem
One of the safeguards of online voting is the opportunity for independent verification. After numerous calls for access to its system’s source code, the Moscow Mayor’s Office has published parts of its program since July. It was this partial transparency that allowed both Pierrick Gaudry and Alexander Golovnev to locate the security vulnerabilities that the city later patched.
But the code used in the final test on August 28 wasn’t shared in advance. In other words, Golovnev’s vulnerability was patched, but we only know this thanks to indirect indicators in the compiled code. According to the voting system’s organizers, the final source code won’t be released until Tuesday, September 3, giving independent experts just four days to verify the program before Moscow’s actual elections.
The response from Alexey Venediktov, who heads the citizens’ board responsible for the elections
“This whole conversation about the code’s publication makes no sense to me. ‘You share the code with us, and we’ll hack you!’ It looks pretty odd, you’ll agree,” Venediktov said, explaining that he’s always opposed the widespread publication of the online voting system’s source code, preferring to restrict its discussion to expert working groups. “Our task is to prevent any hackers on September 8, so the results fit the voting. And that’s it!” Venediktov explained.
* * *
The Mayor’s Office previously abandoned the idea of printing a public key on paper copies of electronic ballots. (Every online voter receives part of the key that’s easily visible in the web page code displaying their ballot.) Election monitors also won’t have access to a public key. “Making it hard to access the public key is the wrong approach, and it’s a very bad sign that shows how much the system’s creators are unsure of their encryption scheme,” Pierrick Gaudry told Meduza.
Alexander Golovnev says the reaction from the Moscow Mayor’s Office has robbed him of any interest in carrying out further reliability tests on its online voting system. “I think the organizers are operating on some other understanding, and they’re not really looking for system vulnerabilities,” he says.
Translation by Kevin Rothrock