MIT researchers disclose vulnerabilities in Voatz mobile voting election app
Academics from MIT's computer science laboratory have published a security audit today of Voatz, a mobile app used for online voting during the 2018 US midterm elections and scheduled to be used again in the upcoming 2020 presidential election.
MIT academics claim they identified bugs that could allow hackers to "alter, stop, or expose how an individual user has voted."
SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
"We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality," the research team said in a technical paper released today.
"Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections," researchers added.
MIT academics urge states to continue using paper ballots rather than mobile apps that transmit votes over the internet.
They say the current paper ballot voting system is designed to be transparent, and allow citizens and political parties to observe the voting process.
"Voatz's app and infrastructure were completely closed-source," said James Koppel, one of the MIT academics.
"We were only able to get access to the app itself," Koppel added, explaining that the research only audited the app that is installed on voters' devices, but not the app's backend, which could contain other issues.
Voatz downplays research results
The researcher team said they notified the the Department of Homeland Security's Cybersecurity and Infrastructure Agency (DHS CISA) of their findings.
The Voatz security audit paper says Voatz acknowledged the vulnerabilities, but disputed their severity. In a blog post published today, the Voatz team downplayed the MIT research team's results, but also its methodology.
They said researchers used an older version of their app that was 27 versions old. However, researchers said they tested the Voatz app version that was available on the Google Play Store on January 1, 2020.
The Voatz team also said the MIT team tested their app offline, and was never connected to the Voatz backend server, and, hence, never went through the layers of identity checks that Voatz servers would force any attackers to go through.
"In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers," the Voatz team said.
"It is clear that from the theoretical nature of the researchers' approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers' true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion," Voatz added.
However, Voatz has a complicated past when it comes to dealing with security researchers, and is known for its aggressive stance and response. One reason why the MIT team did not conduct a test using the live Voatz backend is that in 2018, Voatz reported a University of Michigan researcher to the FBI for conducting a dynamic analysis of the Voatz app, an incident that was framed as a hacking attempt.
Referring researchers following terms of your bug bounty to the FBI isn't cool. According to https://t.co/OIR3XXB0h8 Voatz director says the "live election system" was "out of scope", but this was added to the terms today (https://t.co/60b4isZMZZ).
— Jack Cable (@jackhcable) October 5, 2019
One of the things with Voatz is (as you’ll see from that thread) is they have a history of locking security researchers behind NDAs to stop disclosure of holes, and ‘interesting’ press relations. Good on MIT for going Rambo, it’s too important a field to let a startup control.
— Kevin Beaumont (@GossiTheDog) February 13, 2020
However, as Johns Hopkins University professor Matthew Green pointed out today, in its blog post, Voatz did not refute any of the MIT team's claims, but merely focused on disputing and attacking the methodology and research team.
Voatz app has been used in several election cycles already
Currently, the Voatz app has been used in several election cycles to allow military and overseas voters to cast ballots via their smartphones, over the internet.
It's been used in West Virginia during the 2018 midterm elections, and in the counties of Denver (Colorado) and Utah (Utah) during 2019 municipal elections.
Two Oregon counties -- Jackson and Umatilla -- have also announced plans to start using the app to allow military and overseas voters to vote during upcoming elections.
In Utah County, the Voatz app was also used internally, in the US, and not just for overseas voters. During last year's municipal elections, officials allowed the app to be used by voters with disabilities. West Virginia will soon follow suite.
Both West Virginia and the aforementioned counties plan to continue using the Voatz app for the upcoming 2020 US presidential elections.
Althought, currently the app's eligibility is limited to only a handful of voter categories -- military personnel, overseas voters, voters with disabilities -- there is mounting pushback against its use and the use of any over-the-internet voting system, in general.
The recent Iowa caucus app debacle stood to prove a point that a voting system designed around untested software solutions is currently too brittle to misfirings, interference, and will most likely delay and cast doubt over an election's results if anything ever goes bad.
"We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field," says Daniel Weitzner, the lead of the MIT security audit in the Voatz app. "We cannot experiment on our democracy."
"The consensus of security experts is that running a secure election over the internet is not possible today," Koppel added. "The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today's software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take."
Voatz has recently played down fears and concerns over its app's security following a letter from Oregon Senator Ron Wyden.
"We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues," the Voatz team said today.
Article updated an hour after publication with Voatz's reply to the MIT research and the 2018 University of Michigan incident.