In our public intrusion test, ethical hackers test an exact copy of the e-voting system’s production environment in an attempt to find security loopholes. This means that the test takes place under the same conditions as when e-voting is used in votes and elections.
Activity from 6,923 IP addresses
Swiss Post logged activity from 6,923 IP addresses during this year’s public intrusion test. Of these, 146 IP addresses recorded a high level of activity, with more than 50 attacks on the e-voting server throughout the duration of the test.
28,944 hits on the voting platform
During the intrusion test, Swiss Post tracks the attempted attacks on the system, just as it does during actual contests. It detected around 29,000 hits on the voting platform, of which 9,665 can be classified as attempted attacks.
Attacks from 62 countries
Swiss Post invites experts from all over the world to put its e-voting system to the test. During this year’s test, it detected hits from 62 countries. The most active participants came from 27 countries in total. The majority of attempted attacks originated in the United States of America (19 percent), followed by Switzerland and France (around 12 percent each).
One finding confirmed
The participating experts sent a total of four reports to Swiss Post. Of these, Swiss Post confirmed one as a finding. This had a severity rating of low (the first of four levels: “low”, “medium”, “high” and “critical”). The finding did not concern any security-related aspects. It shows an improvement in the communication between the servers, making simultaneous requests impossible. Swiss Post has implemented the improvement in the voting server.
4,500 francs of rewards paid out
Swiss Post paid a reward of 1,500 francs to the person who reported the finding. Because he was the first person to report a confirmed finding, he also received a bonus of 3,000 francs. Swiss Post increased its advertised rewards for e-voting security loopholes in 2024. It now pays up to 50,000 francs for critical vulnerabilities. If anyone succeeds in manipulating the electronic ballot without being detected, they will receive up to 250,000 francs.
Final report on the public intrusion test 2024