West Virginia and Oregon have both recently deployed a mobile voting app called Voatz to facilitate absentee voting. But Voatz now turns out to have major security flaws, according to researchers from the Massachusetts Institute of Technology—including vulnerabilities that could let a hacker manipulate results.
The newly unearthed bugs could allow an attacker to reveal someone’s votes, block votes from being submitted, or even manipulate them. The findings, first reported in the New York Times, come as the United States is grappling with broad election security issues and debating whether mobile voting can safely expand accessibility. Security experts have long warned that it’s virtually impossible to guarantee safe mobile voting, while Voatz and other companies argue that technologies like biometric authentication and blockchain will make the process secure. Apparently not quite yet, though.
“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” wrote MIT researchers Michael Specter, James Koppel, and Daniel Weitzner.
The group found different types of vulnerabilities depending on what level of access an attacker has to a voter’s device, or to the Voatz servers and application programming interface. If a hacker manages to get root access to your smartphone, they could bypass Voatz’s defenses to grab your data, including the PIN you use to access Voatz’s servers. They could also control your vote, block it from sending, or see how you voted. If an attacker has access to Voatz’s systems, they could uncover data meant to be locked down by the platform’s blockchain scheme, allowing them to alter votes or link votes to specific individuals even though the system is supposed to be anonymous and immutable.
The attack scenarios the researchers looked at would require hackers to have already mounted successful, nontrivial attacks against user devices or Voatz’s systems. But motivated attackers would have a clear interest in executing that kind of sophisticated scheme against something as consequential as a voting app. Voting systems must be built to “assume breach,” as security experts often put it, and be resilient in the face of known attacks. And the research underscores that Voatz security is ultimately only as safe as the platform it runs on—which is not especially reassuring.
While the MIT researchers have produced the first substantive analysis of Voatz security, others have previously raised questions about the app’s defenses and architecture. A common criticism has simply been that its methods and systems lack transparency, making it impossible to tell whether the app delivers on its security promises. In a November letter to the Department of Defense and National Security Agency, Oregon senator Ron Wyden asked the agencies to conduct audits of Voatz’s systems. “While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments,” Wyden wrote. “In fact, Voatz won’t even identify its auditors. This level of secrecy hardly inspires confidence.”
The company still hasn’t published any of its audits, but said in a statement that the researchers based their work on an outdated version of the Voatz Android app that is not representative of the latest version used in elections. It is, however, the current version available on Google Play. Voatz also says that because the app was outdated, the researchers had to simulate portions of Voatz’s infrastructure rather than assessing the actual system. The company says that if the researchers had done their work through Voatz’s bug bounty program, run by HackerOne, they would have had access to the current app and even source code to complete a more accurate assessment.
“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” the company said in its statement.