Online voting takes another hit
Security researchers at MIT reported several vulnerabilities in the Voatz mobile voting app, although the company vigorously disputed the findings.
The Voatz blockchain-secured mobile voting app took a shellacking from researchers at MIT, who reported they uncovered several security vulnerabilities.
The MIT researchers said their security analysis pointed to weaknesses that would allow hackers to "alter, stop, or expose how an individual user has voted," pose "potential privacy issues for users" and offer limited transparency, which limits security researchers' ability to assure the app's integrity.
"Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections," they wrote in a paper describing their analysis of the Voatz system.
For their analysis, the MIT researchers reverse engineered the app and created a model of the Voatz server. They said the company's "minimal available documentation of the system" prevented them from running tests on the actual voting process, so their study presents "an analysis of the election process as visible from the app itself."
Before releasing the paper, the MIT team took its findings to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, whose Hunt and Incident Response Team (HIRT) investigated whether there was any evidence of current or previous malicious activity in the Voatz network environment.
The week-long evaluation, conducted in September 2019 and focused on Voatz's corporate and cloud networks, found no evidence of active threats, according to a report by Coindesk. In the HIRT report, investigators said they uncovered some issues that could pose future concerns, but overall they commended the company for its "proactive measures in the use of canaries, bug bounties, Shodan alerts, and active internal scanning and red teaming."
HIRT did not assess the security of the app itself.
In a blog post titled "Voatz Response to Researchers’ Flawed Report," the company detailed three "fundamental" flaws with the research.
First, company officials said, the MIT team used an Android version of the Voatz app that was "at least 27 versions old at the time of their disclosure and not used in an election." Second, the app never connected to the Voatz servers, which are hosted in Amazon Web Services and Microsoft Azure clouds, making the researchers unable to register with the app, verify their identity or receive or cast a ballot. Third, the company said that rather than accessing the Voatz servers, the researchers "fabricated an imagined version" of the servers, hypothesized as to how they worked and made assumptions "that are simply false."
Addressing the researchers' complaints about the company's lack of transparency, Voatz said it works with "qualified, collaborative researchers." It also emphasized that in all the elections that have used the Voatz app – which have involved fewer than 600 voters – no issues have been reported.
"The reality is that continuing our mobile voting pilots holds the best promise to improve accessibility, security and resilience when compared to any of the existing options available to those whose circumstances make it difficult to vote," the blog said.
The Voatz app has been used most extensively in West Virginia. Secretary of State Mac Warner first tested the option for qualified overseas military service members to cast absentee ballots in county primary elections in May 2018. It was also used in the state's November 2018 election, where 144 voters in 30 different countries were able to cast their ballots. In February, the app will be made available to absentee voters with physical disabilities.
Users download the app to their smartphones and verify their identities by providing a photo of their driver's license, state ID or passport, which is matched to a selfie. Once voters' identities are confirmed, they receive a mobile ballot based on the one they would receive in their local precinct. The distributed ledger technology ensures the votes cannot be tampered with once they've been recorded. The app has also been used in Colorado and Utah.
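The integrity property the article attributes to the distributed ledger ("cannot be tampered with once they've been recorded") rests on each record committing to the hash of the one before it. The following is an added illustration written for this page, not Voatz's code and not a description of its actual ledger: a minimal append-only hash-chained ballot log with a verifier, plus two constructed scenarios showing what the verifier catches. The voter tokens and ballot contents are made up, and the pseudonymous `voter_token` field is an assumption about how such a log might avoid storing identity directly.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed toy example of an append-only, hash-chained ballot ledger.
# It is not Voatz's implementation. It demonstrates one property only:
# once a record is appended, altering it (or any earlier record) changes
# a digest that later records commit to, so a re-verification detects it.

GENESIS_HASH = "0" * 64  # predecessor hash used by the very first record


@dataclass
class Record:
    index: int
    voter_token: str  # assumption: a pseudonymous token issued after the ID check
    ballot: dict      # the choices as recorded by the ledger
    prev_hash: str    # digest of the previous record (or GENESIS_HASH)
    digest: str       # SHA-256 over (index, voter_token, ballot, prev_hash)


def compute_digest(index: int, voter_token: str, ballot: dict, prev_hash: str) -> str:
    # Canonical JSON so the same logical record always hashes identically.
    payload = json.dumps(
        {"index": index, "voter_token": voter_token, "ballot": ballot, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, voter_token: str, ballot: dict) -> Record:
        prev = self.records[-1].digest if self.records else GENESIS_HASH
        idx = len(self.records)
        rec = Record(idx, voter_token, dict(ballot), prev, compute_digest(idx, voter_token, ballot, prev))
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent record, or None if the chain is intact."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec.index != i or rec.prev_hash != prev:
                return i  # chain linkage broken
            if compute_digest(rec.index, rec.voter_token, rec.ballot, rec.prev_hash) != rec.digest:
                return i  # stored content no longer matches its own digest
            prev = rec.digest
        return None


def build_sample_ledger() -> Ledger:
    # Constructed sample data: three pseudonymous voters, one contest.
    ledger = Ledger()
    ledger.append("voter-0001", {"contest-1": "candidate-A"})
    ledger.append("voter-0002", {"contest-1": "candidate-B"})
    ledger.append("voter-0003", {"contest-1": "candidate-A"})
    return ledger


def alter_stored_ballot() -> Optional[int]:
    """Change record 1's ballot after the fact without touching its digest."""
    ledger = build_sample_ledger()
    bad = ledger.records[1]
    ledger.records[1] = Record(bad.index, bad.voter_token, {"contest-1": "candidate-A"}, bad.prev_hash, bad.digest)
    return ledger.verify()  # record 1 no longer matches its digest


def alter_and_recompute_digest() -> Optional[int]:
    """Change record 1's ballot and recompute its digest; record 2 still commits to the old one."""
    ledger = build_sample_ledger()
    bad = ledger.records[1]
    new_ballot = {"contest-1": "candidate-A"}
    new_digest = compute_digest(bad.index, bad.voter_token, new_ballot, bad.prev_hash)
    ledger.records[1] = Record(bad.index, bad.voter_token, new_ballot, bad.prev_hash, new_digest)
    return ledger.verify()  # linkage from record 2 back to record 1 is broken


if __name__ == "__main__":
    print("intact ledger:", build_sample_ledger().verify())
    print("altered ballot:", alter_stored_ballot())
    print("altered ballot, digest recomputed:", alter_and_recompute_digest())
```

The verifier only checks that the ledger still holds what it originally accepted; it cannot tell whether the ballot it accepted is the one the voter intended, which is why the MIT analysis concentrated on the app side of the process rather than on the ledger.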
One Voatz advocate contacted by CoinDesk said the accessibility benefits of the app far outweigh any security risks. Amelia Powers Gardner, an election auditor in Utah County, Utah, who oversaw use of the Voatz system for disabled voters and service members deployed overseas, said the Voatz system is a much better option than email ballots for otherwise disenfranchised voting groups.
"While these concerns around mobile loading can be valid, they don't rise to a level of security that causes me to even question the use of the mobile app," she told Coindesk.