The research team included J. Alex Halderman, a computer science professor at the University of Michigan who studied electronic voting systems in different countries around the world; Maggie MacAlpine, an advisor on post-election audits in the U.S.; Harri Hursti, a Finnish independent security researcher known for previously demonstrating a successful attack against a Diebold voting machine; Jason Kitcat, who previously led an investigation into electronic voting in the UK for the Open Rights Group, a digital rights organization; and Travis Finkenauer and Drew Springall, two PhD students at the University of Michigan.
"There are so many attack vectors by which you could dirty the machines used to set up the elections that we believe this to be a very credible and viable attack; and we have photographic evidence on our website showing a personal computer with links to poker sites being used to set up the critical election systems [in Estonia]," Kitcat said.
The Estonian election officials should improve their operational procedures, but "we've also shown fundamental flaws in the architecture of the system, which means that we can steal votes remotely from voters' computers and those flaws cannot be fixed quickly or easily," he said.
The researchers said they notified the Estonian National Electoral Committee, as well as political parties, academics and media organizations in Estonia of their findings at the same time on Saturday. The research was presented in greater detail Monday during a press conference and a full report will be made available on a website that also contains other supporting material, including videos and photos.
The Estonian National Electoral Committee declined to comment until it reviews the full report.
The researchers believe the Estonian Internet voting system should be discontinued before the upcoming European Parliament elections on May 25. More generally, they believe that building a secure and accurate electronic voting system is not possible with current technology when sophisticated attackers like nation states are taken into consideration.