28-09-2022

Around 3,400 hackers from all over the world spent four weeks trying to get into Swiss Post’s future e-voting system. They put the system to the test by launching around 60,000 attacks. The intrusion test has now been completed. In this type of test, hackers attack an application and try to detect vulnerabilities. In the test, no-one succeeded in penetrating the e-voting system, or even the electronic ballot box. But Swiss Post still has not achieved its goals, even after completion of the intrusion test: further tests by ethical hackers and independent verification on behalf of the Swiss Confederation are currently being carried out.

Swiss Post is working intensively to develop a secure e-voting system for Switzerland. Another milestone has now been reached. Ethical hackers from all over the world took part in the public intrusion test over a four-week period. In this type of test, hackers attack an application. They attempt to find vulnerabilities and security flaws. The intrusion test on the e-voting system took place from 8 August to 2 September 2022. For Swiss Post, this is a key instrument in detecting any vulnerabilities in the system, rectifying them quickly and making the system even more secure. The external opinion of independent experts is a vital part of developing a secure e-voting system for Switzerland.

The intrusion test attracted interest from hackers worldwide. Around 3,400 hackers tried to get into Swiss Post’s e-voting system and 60,000 attacks were made on the system. The test has now been completed and the results are available: no-one succeeded in hacking into the e-voting system, or even getting into the electronic ballot box. “We are delighted that so many specialists attempted to hack into our system. The more, the better, as far as the security of the system is concerned. We clearly want to learn from vulnerabilities, but we are very pleased, and it can be seen as a success that nobody managed to hack into the system – that says something about our system’s high level of security,” says a delighted Nicole Burth, Head of Communication Services at Swiss Post.

Infrastructure of the e-voting system rigorously tested – no serious findings
The beta version of Swiss Post’s e-voting system has been tested by global experts since early 2021. E-voting allows voters to participate in votes and elections electronically. Eligible voters who can use e-voting receive the voting or electoral materials by letter mail, and, in turn, also obtain the individual security codes for electronic voting. They can register on the e-voting platform of their canton and vote or cast a ballot electronically. All information transmitted during the vote is anonymized and protected with end-to-end encryption. Only the cantonal electoral authorities can analyse the results in the electronic ballot box. At no point can inferences be made about individual voters from the votes cast. During the intrusion test, ethical hackers tried out the vote casting process on the voting portal using sample voting cards.

The intrusion test gave ethical hackers the opportunity to target the e-voting infrastructure for the first time – in other words, the e-voting system’s outer protective shield. The hackers also tried out the vote casting process on the voting portal using sample voting cards. This was exactly the same procedure that would be used for elections and votes.

Findings are classified at four levels of severity: low, medium, high or critical. During the intrusion test no findings classified as medium, high or critical were received or confirmed. After verification, Swiss Post was only able to confirm one of two findings received. This was classified as “low”. The finding did not concern any security-relevant aspects, but will help to streamline processes on the voting portal. Swiss Post is implementing this proposal, and the hacker received a reward of 500 francs.

Another independent verification on behalf of the Confederation
The completion of the intrusion test is another step towards providing Switzerland with a secure e-voting system. In parallel to the ongoing testing by hackers, independent verification on behalf of the Confederation is also taking place. Experts are tasked with investigating whether the system meets the requirements set out in the legal bases. The first evaluation report was published in April 2022, and Swiss Post has since improved its system. The e-voting system is currently being analysed by independent experts appointed by the Confederation. Swiss Post plans to make its new e-voting system available for use by interested cantons during the course of 2023.

Source: Swiss Post