A French researcher has exposed a security breach in an electronic voting system to be used in next month’s municipal elections in Moscow, potentially giving hackers access to voters’ choices.
The University of Lorraine and France’s CNRS research institute said this week the cryptographer had taken up a challenge set by Echo of Moscow radio to test the system being rolled out for the vote.
“Less than a month before Moscow tries online voting for electing the city’s new parliament, a French cryptographer has just exposed a security breach for the protocol being tested,” the two institutions said in a statement.
The researcher, Pierrick Gaudry, was able to crack into the source code that has been published daily as part of a public test since late July.
Gaudry needed only 20 minutes to break the encryption code, or “private key”, that is supposed to protect voters’ identities and choices. He used a standard computer and widely available free software.
“According to him, a hacker would have been able to get this private key in just 10 minutes,” they said.
“In the worst-case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote,” Gaudry wrote of his findings in a research paper posted online.
Since mid-July, Moscow has seen a wave of rallies drawing tens of thousands onto the streets after opposition figures were barred from standing in the elections to Moscow’s city parliament on September 8.
The online voting system, available through the City Hall website, requires passport information, home address and other sensitive information, and uses text message verification.
Officials say the system testing won’t be complete until next week, just days ahead of the election.
Since the publication of Gaudry’s paper on August 14, Moscow authorities have said the encryption code has been made more complex, and will be divided into seven distinct parts kept separate until voting ends.
The editor-in-chief of Echo of Moscow, Alexey Venediktov, announced on his Telegram channel Tuesday that he had given Gaudry a prize of one million rubles ($15,000). Other awards would be offered to anyone else who exposed breaches in the system.