These vulnerabilities, better known as Spectre and Meltdown, have been found in the processors powering a vast number of computing devices – from PCs and tablets through to smartphones – as well as servers, databases and cloud computing systems. They could allow attackers who first get code running on a device (for Spectre, even code delivered through a web page) to read sensitive data from memory that should be isolated from them, without the user being aware of it.
While the risk of a targeted attack on a personal device remains relatively low, it is higher in public cloud environments, where virtual servers belonging to different customers run on the same physical hardware. However, there is no evidence that Meltdown and Spectre are currently being used to steal data, and Scytl ensures its clients are protected against these vulnerabilities.
Unlike other online voting technology solutions, Scytl does not rely solely on the security of the communication channel (TLS/SSL encryption) or on encryption applied at the server; instead, it implements end-to-end encryption and verifiability in depth.
- With Scytl Online Voting solutions, votes are encrypted and digitally signed on the voter's device before they leave the client application, so a side-channel attack on the servers can expose only ciphertext, and any manipulation of a ballot invalidates its signature.
- Scytl’s end-to-end verifiability protocols provide a guarantee to both voters and election authorities that ballots were cast as intended and not modified, without needing to trust the voting device or infrastructure.
- Scytl’s private clouds and servers are closed systems running on dedicated machines that are not shared with other customers (unlike public clouds), which removes the cross-tenant attack vector these vulnerabilities open in shared environments.
This, unfortunately, is not the case with online voting technology providers that rely only on standard communication channel encryption and verifiability protocols: an attacker able to read server memory there could obtain voting options and the related user IDs or passwords.
However, as Spectre and Meltdown can also affect voter devices, Scytl recommends that electoral commissions, governing bodies and private organizations ask their voters to update their operating systems and browsers as soon as possible in order to mitigate the risk. The browser vendors have published their mitigations here:
- Chrome: https://www.chromium.org/Home/chromium-security/ssca
- Firefox: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- Safari: https://support.apple.com/en-us/HT208403
- Internet Explorer / Edge: https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
- For maximum mitigation, Scytl recommends using Chrome/Chromium with the Site Isolation feature enabled (chrome://flags/#enable-site-per-process), which keeps each site's content in its own renderer process so a malicious page cannot read another site's data even if a speculative-execution attack succeeds within the renderer: http://www.chromium.org/Home/chromium-security/site-isolation
Finally, while Scytl is actively updating its own IT infrastructure, the company recommends that clients hosting Scytl’s solutions in their own infrastructure update their environments and ensure that all security updates are installed, including operating system patches, hypervisor updates and the CPU microcode updates that some Spectre mitigations require.
Capitalizing on its 20+ years of research in the field of election-specific cryptography and 40+ international patents and patent applications, Scytl is at the forefront of technological innovation in the election space, designing its solutions with security in mind in order to anticipate potential security threats.