From a hacker’s perspective: how secure is Swiss Post’s e-voting system?
Swiss Post has always said that it wants to provide the cantons with a secure e-voting system. So we wanted to know: how secure is the e-voting system really? To celebrate the start of the public intrusion test, which is currently taking place, we talked to an ethical hacker. For several years, Swiss Post has been inviting hackers to check its IT systems for any security vulnerabilities and providing them with a reward for each vulnerability they identify. The same idea is now being applied to the e-voting system with a public intrusion test that is underway.
During the public intrusion test, ethical hackers are trying to attack the infrastructure behind Swiss Post’s future e-voting system. This test will last for a period of four weeks. For the first time, hackers can accurately simulate and target the vote casting process on the voting portal using sample voting cards. The aim is to detect potential vulnerabilities and rectify them in good time. Swiss Post will reward confirmed vulnerabilities identified as part of the intrusion test with up to 30,000 francs. This new testing option complements an existing initiative: independent experts from all over the world have been testing Swiss Post’s future e-voting system since the beginning of 2021. Swiss Post even pays rewards of up to 250,000 francs in total.
We took this as an opportunity to talk to an ethical hacker. Ruben Santamarta (40) has been working in the field of information security for half of his life and has given us an insight into his work. Santamarta grew up in Spain, but he has worked for companies all over the world.
Ruben Santamarta, the public intrusion test is currently up and running. With this in mind, we’d like to start with the following question: how easy is it to hack the e-voting system?
It’s not easy at all. A malicious actor looking to fully compromise Swiss Post’s e-voting system so that the results of the election process can be altered will surely need quite a few resources to even try it.
Ruben Santamarta, let’s talk about hacking. You are a so-called ethical hacker. Can you explain what ethical hacking is all about? And what is the difference between ethical and non-ethical hackers?
From a technical point of view, ethical and non-ethical hacking are quite similar. Both use the same techniques and methodology. The goal of hacking is to extract information to gain knowledge that you are not allowed to access. So, the difference is the outcome. An ethical hacker shares the outcome of those actions to improve a system and help enterprises, while non-ethical hackers would use the information they have gained to inflict harm.
The job title “hacker” is somewhat unusual. What led you to become a hacker?
I have been interested in computers and security since I was a teenager. At 15, I started to learn programming, the basis of hacking and computer security skills in my own time. I always wanted to know how things worked. If I discovered vulnerabilities that no one had discovered before me, it was very exciting and motivated me. That’s still true today. In addition, it’s always a great feeling when a company is able to improve its systems thanks to my work.
After finishing high school, I started to work as a programmer. The job was not related to security but helped me to develop my skills a great deal. At the beginning of my 20s, I was hired by an antivirus company. Since 2006, I have been working as an independent security researcher, and I have already worked and performed for numerous global organizations and companies.
It’s difficult to imagine the everyday life of a hacker. What does a normal working day look like for you?
Well, I don’t have “normal working days”. As an independent security researcher, I work whenever I want. There are days – or even nights – when I am really focused on a project and find it difficult to tear myself away. And then there are days when I just do some research or look at papers.
And how do you approach your work?
The first thing I usually do is collect as much information as possible. I look at papers, technical documents, videos and so on. All this helps me to understand the entire system that I want to analyze. Once I have finished my research, I move on to analyze the code. I try to understand how the code works, and I don’t start to perform any actions, such as trying to attack the system or find vulnerabilities, until I have understood everything in detail. You could compare my work to that of a detective. You really have to investigate everything, collecting evidence and trying to figure out what is happening. And only then do you perform any actions.
And what specifically is the motivation behind trying to hack a company like Swiss Post?
I got involved with Swiss Post because of its electronic voting system. Systems of this kind are important to a lot of people. By providing the e-voting system, Swiss Post is in fact helping to make Switzerland’s democratic election processes easier. And that’s why I found it very interesting to get involved in this. In this specific case, I was not only motivated by a desire to understand how the system worked, but also by the fact that it’s a meaningful and important project. The online election process depends on the security of the system. That is why I found it very interesting to participate in this project.
Are there any differences compared to other programmes in which you have taken part?
Yes, Swiss Post’s approach is different from other programmes that I have participated in. First of all, the entire process is very transparent. As an ethical hacker, you have access to everything – all kinds of documents and internal information. And if you have any questions, Swiss Post will help you. That’s different from other programmes, because we don’t usually have access to so much information. The transparency stands out from other programmes I have experienced. A second difference is that Swiss Post pays out higher rewards – obviously that’s not the reason to try to hack the system, but it helps.
Let’s be honest: how secure is Swiss Post’s e-voting system from a hacker’s perspective?
I think the system has improved a lot in comparison to the first version, which was published in 2019. I have been studying the system for quite a while now, and in my opinion, the security is pretty good. Obviously, there are still things that need to be improved. For example, there are some vulnerabilities found during the bug bounty programme that now need to be fixed, and Swiss Post is still adding some functionalities. This means that the process is not finished yet. But in general, my impression of the security aspects of the system is good.