Researcher hacked Moscow's blockchain voting in 20 minutes

Moscow voting hack

French cryptographer Pierreck Godry hacked the Internet voting system developed by the Moscow Department of Information Technology (DIT), which put some of its components in the public domain, inviting everyone to find vulnerabilities, Meduza reports.

So, the developers of DIT published encrypted messages and public keys, and after a while decrypted messages and three secret keys. In this way, hackers could check if they had successfully cracked the system.

Note that messages are hypothetical votes of voters that are recorded on the blockchain. In this case, the secret key in theory is distributed among the members of the election commission, and is collected back only after the vote.

Godry allegedly managed to recover all three secret keys in just 20 minutes. A similar experiment was repeated by the journalists of Medusa, now they only have to verify the secret keys if the representatives of the DIT publish them.

According to Godry, the main weakness of the system is that the size of the keys for encryption is too small: less than 256 bits, and, according to him, 2048 bits are necessary. Godry suggested that DIT employees might encounter features of the programming language for smart contracts Solidity, which does not allow directly to operate with integers whose size exceeds 256 bits.

The DIT did not recognize the fact of breaking the encryption scheme, but promised to increase the key size to 1024 bits. It is interesting that earlier it was reported that the system was allegedly checked by the FSB and the FSTEC, Meduza writes.

It is worth adding that the hacking did not prove that the anonymity of the vote is at stake, but showed that the election process can be monitored in real time, which contradicts the legislation of the Russian Federation.

Recall that the election to the Moscow City Duma will take place on September 8. Residents of three districts will be able to vote via the Internet through a blockchain-based system.

We recommend brave