MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities
Elections officials in numerous states have piloted various mobile voting applications as a method of expanding access to the polls, but MIT researchers say one of the more popular apps has security vulnerabilities that could open it up to tampering by bad actors.
The MIT analysis of the application, called Voatz, highlighted a number of weaknesses that could allow hackers to "alter, stop, or expose how an individual user has voted."
Additionally, the researchers found that Voatz's use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.
The study comes on the heels this month's trouble-plagued Iowa Democratic Presidential Caucus, which used an online app to store votes but failed to do so accurately because of a coding flaw and insufficient testing.
Some security experts have long argued that the only secure form of voting is paper ballots.
The Voatz mobile voting application has been used in small pilots involving only about 600 voters total in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the main focus was on inclusivity for absentee voters living overseas.
In response, Voatz called the MIT report "flawed" because it based its analysis on a long-outdated Android version of the app.
"Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous method," Voatz stated in a blog post today.
"We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues," Voatz said.
In 2018, West Virginia piloted Voatz's mobile voting app for resident service members and family living overseas who wanted to vote in the midterm general election.
West Virginia Secretary of State's office pointed to a Department of Homeland Security security assessment of the 2018 Voatz pilots indicating there was "no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor's networks."
Audits of paper ballots created by the Voatz plaform on election day also confirmed the results were accurate, according to the Secretary of State's office.
"We want to get the word out to media outlets like Computerworld to ensure WV voters that we are taking every possible precaution to balance election security and integrity with WV requirement to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities," Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.
The MIT study, however, underscored the need for Voatz's mobile app design to be more transparent because public information about the technology is "vague" at best.
Voatz's platform uses a combination of biometrics, such as mobile-phone based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses blockchain as an immutable electronic ledger to store voting results.
Voatz has declined to provide formal details about its platform, citing the need to protect intellectual property, the researchers said in their paper.
In a blog post today, Voatz called the researchers' approach "flawed," which "invalidates any claims about their ability to compromise the overall system.
"In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers," Voatz said.
The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 conducted an analysis of the Voatz app. "This resulted in the FBI conducting an investigation against the researcher," the MIT researchers said.
It's not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any "detailed technical description" of its technology.
"There are at least four companies attempting to offer internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank," the MIT researchers said in their paper. "To our knowledge, only Voatz has successfully fielded such a system."
Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting that included company stockholder and college board elections. Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.
Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has helped fund and promote Voatz and Democracy Live.
In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits "which showed that votes cast over the blockchain were recorded and tabulated accurately."
"With that being said, we always welcome new security information and will work with security experts to review this paper," Tusk said. "Security is an iterative process that can only get better over time. There is no room for error in our elections, especially when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks."
Medici Ventures, the wholly-owned investment subsidiary of Overstock.com, has also backed Voatz, whose application has mainly been used to allow absentee voter service members and their families to cast their ballots via their smartphones from anywhere in the world.
Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is responsible and safe.
"It not only prevents voting fraud, but it also protects the privacy of each voter. The Voatz app even generates a paper ballot that can be audited to guarantee the fidelity of the vote," Johnson said. "This is, we believe, the right path forward to safe innovation in election technology. We should not let ourselves derail the future of voting."
Critics of mobile or online voting, including security experts, believe it opens up the prospect of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions - all associated with infecting voters' computers with malware or infecting the computers in the elections office that handle and count ballots.
Jeremy Epstein, vice chair of the Association for Computing Machinery's US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was "very thorough" and demonstrates exactly what experts have been saying for years.
"Internet voting is risky. It's no surprise that the Voatz system is vulnerable to many kinds of attacks, even to an attacker with no access to source code or other inside information," Epstein said via email. "The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won't publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated."
The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company's servers, which are hosted by Amazon AWS and Microsoft Azure.
In the absence of connecting to the actual servers recording public votes, "the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false," Voatz said.
Epstein retorted that Voatz's comments "demonstrate that they don't understand either the severity of the attacks or the way security works in general.
"Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy," Epstein said.