Security researchers have found key flaws in a mobile voting app that some states plan to use in the 2020 election. The flaws can allow hackers to launch both client- and server-side attacks that can easily manipulate or even delete someone’s vote, as well as prevent a reliable audit from taking place after the fact, they said.
A team of researchers at MIT released a security audit of Voatz—a blockchain app that already was used in a limited way for absentee-ballot voting in the 2018 mid-term elections—that they said bolsters the case for why internet voting is a bad idea and voting transparency is the only way to ensure legitimacy.
West Virginia was the first state to use Voatz, developed by a Boston-based company of the same name, in the mid-term election, marking the inaugural use of internet voting in a high-stakes federal election. The app primarily collected votes from absentee ballots of military service personnel stationed overseas. Counties in Utah and Colorado also used the app last year in a limited way for municipal elections.
However, despite the company’s claim that the app has a number of security features that make it safe for such an auspicious use (including immutability via its use of a permissioned blockchain, end-to-end voting encryption, voter anonymity, device compromise detection, and a voter-verified audit trail), the MIT team found that any attacker who controls the user’s device through some very rudimentary flaws can brush aside these protections.
“We find that an attacker with root privileges on the device can disable all of Voatz’s host-based protections, and therefore stealthily control the user’s vote, expose her private ballot, and exfiltrate the user’s PIN and other data used to authenticate the server,” MIT researchers Michael A. Specter, James Koppe and Daniel Weitzner wrote in their paper (PDF), “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections.”
Researchers said they performed their audit on a recent version of the app found on the Google Play store on Jan. 1, 2020. Among their findings are specific holes in the hallmark security features of the app that can be exploited in a number of ways.
For example, researchers said the Zimperium SDK included within Voatz that’s supposed to detect any attempts to modify the app didn’t appear to be working. “By default, it would have detected our security analysis, prevented the app from running normally, and alerted the API server of our actions,” researchers noted, adding that this didn’t happen.
The team also found fault with Voatz’s encryption that leaves a user’s PIN and log-in information unprotected and exposed, which “would allow a remote attacker to impersonate the user to Voatz’s servers directly, even off-device,” researchers wrote.
One of the most troubling vulnerabilities researchers found in the app is that it doesn’t appear to allow either a voter or a third party to verify a ballot once it’s been cast, or to know if it’s been counted toward a final tally.
“We find no indication that voters are able to query the blockchain (or see proofs of inclusion) directly to confirm that their vote was recorded,” researchers wrote.
Given the recent drama surrounding the Democratic caucuses in Iowa, where election officials may never know the true and final tally of votes, this could prove important if an audit of an election becomes necessary in a close or disputed race.
Voatz responded to the claims of the MIT team by calling their report “flawed” and even going so far as to suggest it’s an attack on the democratic process itself.
“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” the company wrote in a blog post.
However, one security expert pointed out on Twitter that Voatz’s defense was weak because it chose to mount an attack rather than disprove the claims researchers made.
“It seems to avoid actually refuting any of the findings, and concentrated on vaguely attacking the research methods,” tweeted Matthew Green, a professor who teaches cryptology at Johns Hopkins University.
The research is causing a ruckus, and rightly so, a mere nine months before the crucial 2020 election, as worries about election tampering and the potential validity of election results mount and horror stories abound about what might happen come November.
At the very least, the report means election officials in states considering using Voatz—including West Virginia, Oregon and Washington—have some tough and potentially controversial decisions to make.
One voting district in Washington state, Mason County, already has pulled its plans to use Voatz in November, according to the New York Times, while West Virginia is moving ahead with its plans to expand use of Voatz to disabled voters, the paper reported.