Announcing the Secure Internet Voting Hacking Challenge
Experts have long agreed that secure internet voting in public elections is not feasible with today's technology, nor with any technologies of the foreseeable future. The challenges are numerous, including many fundamental threats such as vulnerability to malicious clients, authentication attacks, privacy attacks, network and Internet infrastructure attacks, server penetration attacks, and various kinds of denial of service attacks. Internet voting systems also suffer from a lack of any meaningful end-to-end auditability.
In this hacking challenge, we will set aside these broader concerns to focus on a specific proposed internet voting system called SIV (Secure Internet Voting) intended for real public elections in the United States. They are conducting a mock online election this week with the specific goal of challenging anyone to break their system.
Can you break the SIV system?
Can you find bugs anywhere in the SIV system?
Can you determine whether the system does things it should not do, like collect excessive PII or platform fingerprint data?
Can you penetrate the server side of the system, perhaps enabling a ransomware attack?
Can you change already cast ballots, or delete them?
Can you cast multiple ballots as a single voter?
Can you break authentication to impersonate another voter?
Can you break vote privacy to determine how someone else voted, or prove to a 3rd party (who did not look over your shoulder) how you voted?
Can you remotely disable the SIV system without a DDOS/Volumetric attack?
Can you find weaknesses in its random number generation or encryption?
Can hide your attempted attacks, whether successful or not, so they will not be detected?
Can you find any other way to compromise, or partially compromise, the integrity of an election conducted using the SIV system?
Your task is to approach this hacking challenge as a nation-state attacker. Everything can be attacked—the voting clients, the servers, authentication mechanism, data in motion, and infrastructure. All are all fair play. Be innovative!
Follow this link to the SIV landing page where detailed rules and procedures can be found, and also a description of possible cash prizes.
This challenge is available this week only, from August 6 to Sunday August 11th at 1pm PST.
To aid your attacks, you will have access to the source code for the SIV system. It is available at
https://github.com/siv-org/siv
You do not have to sign any NDA, and are free to talk or publish about your exploits.
If you discover any bugs or vulnerabilities, either in the implementation or the protocol, we at the Voting Village ask that you share your findings and comments with us via email at:
with the subject line “SIV Hacking Challenge”. We will share your findings with SIV. Additionally, SIV has their own reporting system.
If you find anything interesting, we may ask to interview you and publish your results in our Voting Village 2024 Report, giving you full credit for your work of course (under your name or any handle you wish).
So collaborate with your teammates, get out your best hacking techniques and tools, and lets PWN the SIV system!