
MIT researchers say the mobile voting application tested in the US is full of vulnerabilities

Defects could allow a hacker to modify, stop, or expose the way a person voted.

Election officials in many states have tested various mobile voting applications as a way to expand access to the polls, but MIT researchers say one of the most popular applications has security vulnerabilities that could expose it to manipulation by some bad actors.

MIT's analysis of the application, called Voatz, highlighted a number of weaknesses that could allow hackers to "modify, stop or expose the way an individual user voted".

In addition, the researchers found that Voatz's use of the Palo Alto-based vendor Jumio for voter identification and verification raises potential privacy issues for users.

Some security experts have long argued that the only safe way to vote is by ballot paper.

Voatz mobile voting app for iPhone.

Voatz's mobile voting application has been used in small pilot projects involving only about 600 voters in total in Denver, West Virginia, five Oregon counties, Utah and Washington State, where the main focus was on including absentee voters living abroad.

In response, Voatz called the MIT report "flawed" because it based its analysis on an Android version of the application that was no longer up to date.

"If the researchers had taken the time, like 100 other researchers, to test and verify their claims using the latest version of our platform through our public bug bounty program on HackerOne, they would not have produced a report that asserts claims based on an erroneous method," Voatz declared today in a blog post.

"We want to clarify that the nine pilot government elections held so far, which involve less than 600 voters, have been conducted safely and without reported problems," Voatz said.

In 2018, West Virginia piloted the Voatz mobile voting app for resident service members and their family members living abroad who wanted to vote in the midterm general election.

The West Virginia secretary of state's office noted a 2018 Department of Homeland Security security assessment of the Voatz pilots, stating that "no threatening behavior or artifacts of past adverse activity were detected in the provider's networks."

Audits of the ballots created by the Voatz platform on election day also confirmed that the results were accurate, according to the secretary of state's office.

"We want to spread the word to the media, Computerworld included, to ensure that WV voters take all possible precautions to balance the security and integrity of elections with WV's requirement to provide absentee ballots to absent, military and overseas voters living with physical disabilities," Mike Queen, deputy chief of staff to West Virginia Secretary of State Mac Warner, said in an email.

The MIT study, however, stressed the need for a more transparent design of the Voatz mobile application, since public information about the technology is "vague" at best.

The Voatz platform uses a combination of biometric data, such as mobile-based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses a blockchain as an immutable electronic ledger to store voting results.

Voatz declined to provide formal details about its platform, citing the need to protect intellectual property, the researchers said in their article.

In a blog post today, Voatz called the researchers' approach "flawed," saying this invalidates any claims about their ability to compromise the overall system.

"In short, making claims about a backend server without any evidence or connection to the server denies any degree of credibility on behalf of the researchers," Voatz said.

The researchers also criticized Voatz for reporting a University of Michigan researcher who conducted an analysis of the Voatz application in 2018. "This led to an FBI investigation of the researcher," the MIT researchers said.

This is not the first time Voatz has been criticized for not being more open about its technology. In May, computer scientists at Lawrence Livermore National Laboratory and the University of South Carolina, along with election monitoring groups, published a paper criticizing Voatz for not publishing any "detailed technical descriptions" of its technology.

"There are at least four companies trying to provide online or mobile voting solutions for high-risk elections, and a 2020 Democratic presidential candidate has included mobile blockchain voting in his policy platform," the MIT researchers said in the paper. "As far as we know, only Voatz has successfully implemented such a system."

Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have tested mobile or online voting technology in various public or private ballots, including corporate shareholder elections and college board elections. More recently, the Seattle area piloted Democracy Live technology in a Board of Supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a non-profit organization focused on promoting mobile voting as a way to increase voter turnout, provided financial support to help governments implement pilot mobile voting programs, allowing agencies to choose the provider.

In a statement to Computerworld, Tusk said it was confident in the results of all the pilot elections, as it had conducted independent third-party audits "that showed that blockchain votes were accurately recorded and tabulated."

"However, we always welcome new security information and will work with security experts to review this document," Tusk said. "Security is an iterative process that can only be improved over time. There is no room for error in our elections, especially when it comes to data breaches, compromised encryption, faulty authentication, or denial of service attacks."

Medici Ventures, the wholly-owned investment subsidiary of Overstock.com, also backed Voatz, whose app was used primarily to allow absentee service members and their families to cast their votes via their smartphones from anywhere in the world.

Jonathan Johnson, CEO of Overstock and President of Medici Ventures, responded in a statement to a New York Times article on the MIT study, saying he believes Voatz's technology is responsible and safe.

"Not only does it prevent electoral fraud, but it also protects the privacy of every voter. The Voatz app even generates a paper ballot that can be audited to ensure vote fidelity," Johnson said. "We believe that this is the right path to secure innovation in electoral technology. We must not allow the future of voting to be derailed."

Critics of mobile or online voting, including security experts, believe it opens up the possibility of server penetration attacks, malware on client devices, denial of service attacks and other disruptions, whether by infecting voters' computers with malware or by infecting the polling-place computers that handle and count the ballots.

Jeremy Epstein, vice chairman of the U.S. Technology Policy Committee (USTPC) of the Association for Computing Machinery, has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was "very comprehensive" and shows exactly what experts have been saying for years.

"Online voting is risky. No wonder the Voatz system is vulnerable to many types of attacks, even from an attacker without access to source code or other inside information," Epstein said in an email. "The attacks demonstrated by MIT fall well within the capabilities of nation-state adversaries interested in manipulating US elections, and such an adversary will not publish its results as the MIT team did, leaving us with an election that can be modified undetectably."

Voatz, a five-year-old company, criticized the MIT researchers for not even connecting the outdated application they used to the company's servers, which are hosted on Amazon AWS and Microsoft Azure.

Without a connection to the real servers that record public votes, "the researchers fabricated an imaginary version of the Voatz servers, hypothesized how they worked, and then made assumptions about interactions between system components that are simply false," Voatz said.

Epstein responded that Voatz's comments "show that they do not understand the seriousness of the attacks or how security works in general."

"Any election official who uses Voatz products should cancel their plans before a stealthy attack on a real election compromises democracy," Epstein said.