After the exposure of a security breach in the system tallying the votes for the Likud primary this month, a new and serious cyber-weakness has been revealed concerning the April 9 Knesset election. The “Boharim” (Voting) website of the Interior Ministry, which was launched recently, does not have protection against repeated brute-force attacks to extract information on voters.
The website, which is part of the state’s “accessible government” initiative, allows any citizen to receive information on their polling station for the election by entering their identity card number and the date the ID card was issued. This allows anyone who knows anyone else's ID number, which can be easily obtained – for example, senior business leaders' ID numbers appear in some regulatory filings – to then try a brute-force attack by running through dates to receive the information on a victim.
Nothing would stop multiple attempts at guessing the date.
So, what can you do with this information? Is it a big deal? You can, for example, enter the Finance Ministry’s site with the ID number and its date of issue and receive information about the person’s savings and insurance. You can also launch a phishing attack against the victim, such as impersonating their insurance company, and try to extract more exploitable financial information such as bank account or credit card details.
Roni Suchowski, an experienced cyber expert and the founder of the CISO Helper firm, was the first to reveal the vulnerability. He insists the new site, which launched only a few days ago, does not comply with basic security requirements. "It could enable someone to impersonate someone else and vote in their place," he contends. "Even more worryingly, if someone works out the date of issue for your identity card, he or she can then use it to pose as you in all sorts of institutions, official bodies, insurance companies, banks and more," he concludes.
In order to demonstrate this weakness, Suchowski asked the author of this piece whether he could use the number of his identity card, and was able to return all the relevant data correctly: assigned polling station, date of issue, voting certificate. "Because there is no brute-force protection on the site, I was able to guess the date of issue of the identity card until I got it right," he said. "On top of that, the website does not have 'Captcha' technology, where you have to prove you’re not a robot: in theory, one could have downloaded a database of all eligible voters in Israel," he concludes.
The "accessible government" site said that as part of the preparations for the April election it is running continuous load tests, which started on Thursday. In order to conduct the tests, they removed the Captcha component temporarily, the site said. “An alternative mechanism exists in which after a certain number of requests access will be blocked, and as a result the possibility of a brute-force attack will be prevented,” the site said.
In other words, administrators claim they purposefully removed the protection technology, and that the Suchowski breach was just an exception. "That's not true, they have no alternative system of protection, I attempted new entries a thousand times and was not blocked," Suchowski retorted. Also, Suchowski claimed the test was not carried out properly: “They could have taken down the captcha defense just for their internal access and not for the entire public. If they want, I will explain it to them,” he concluded.
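As an added illustration (not part of the original article and not the site's code), the kind of blocking mechanism described above can be sketched as a counter of failed lookups kept per ID number, so that changing the source address does not reset it. The class and function names, the thresholds and the sample record are all assumptions made for this example.

```python
import time
from collections import defaultdict, deque

class LookupThrottle:
    """Caps failed lookups per ID number, whatever address they come from."""
    def __init__(self, max_failures=5, window_s=3600, lockout_s=86400,
                 clock=time.monotonic):
        self.max_failures, self.window_s = max_failures, window_s
        self.lockout_s, self.clock = lockout_s, clock
        self.failures = defaultdict(deque)  # id_number -> recent failure times
        self.locked_until = {}              # id_number -> lock expiry time

    def allowed(self, id_number):
        until = self.locked_until.get(id_number)
        if until is None:
            return True
        if self.clock() < until:
            return False
        del self.locked_until[id_number]    # lock expired: start afresh
        self.failures.pop(id_number, None)
        return True

    def record(self, id_number, success):
        if success:
            self.failures.pop(id_number, None)
            return
        now, q = self.clock(), self.failures[id_number]
        q.append(now)
        while now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[id_number] = now + self.lockout_s

def lookup(throttle, records, id_number, issue_date):
    """Returns 'blocked', 'not_found' or the polling station."""
    # Check the lock first so a locked ID gives no hint, even for a right date.
    if not throttle.allowed(id_number):
        return "blocked"
    rec = records.get(id_number)
    ok = rec is not None and rec["issue_date"] == issue_date
    throttle.record(id_number, ok)
    return rec["station"] if ok else "not_found"

def simulate(attempts=1000):
    """Replays repeated wrong dates for one ID; returns (evaluated, blocked)."""
    records = {"000000000": {"issue_date": "2001-01-01", "station": "Station 1"}}  # constructed
    throttle = LookupThrottle(clock=lambda: 0.0)
    results = [lookup(throttle, records, "000000000", f"wrong-{i}") for i in range(attempts)]
    return results.count("not_found"), results.count("blocked")
```

Because the lock is keyed on the ID number, a third party can also lock a genuine voter out of the lookup, which is why such a counter is usually paired with a CAPTCHA or similar challenge rather than used as the only control.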