MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities


Elections officials in several states have piloted a number of mobile voting applications as a way of expanding access to the polls, but MIT researchers say one of the more popular applications has security vulnerabilities that could open it up to tampering by bad actors.

The MIT analysis of the application, known as Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”

In addition, the researchers found that Voatz’s use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy problems for users.

The study comes on the heels of this month’s problem-plagued Iowa Democratic Presidential Caucus, which used an online app to tally votes but failed to do so properly because of a coding flaw and insufficient testing.

Some security experts have long argued that the only safe form of voting is paper ballots.


Voatz iPhone mobile voting application.

The Voatz mobile voting application has been used in small pilots involving only about 600 voters overall in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the main focus was on inclusivity for absentee voters living overseas.

In response, Voatz called the MIT report “flawed” because it based its analysis on a long-outdated Android version of the app.

“Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous method,” Voatz said in a blog post today.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said.

In 2018, West Virginia piloted Voatz’s mobile voting app for resident service members and family members living overseas who wanted to vote in the midterm general election.

The West Virginia Secretary of State’s office pointed to a Department of Homeland Security assessment of the 2018 Voatz pilots indicating that “no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor’s networks.”

Audits of paper ballots produced by the Voatz platform on election day also confirmed the results were accurate, according to the Secretary of State’s office.

“We want to get the word out to media outlets like Computerworld to assure WV voters that we are taking every possible precaution to balance election security and integrity with WV’s requirement to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,” Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.

The MIT study, however, underscored the need for Voatz’s mobile app design to be more transparent, because public information about the technology is “vague” at best.

Voatz’s platform uses a combination of biometrics, such as mobile-phone-based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses a blockchain as an immutable digital ledger to store voting results.

Voatz has declined to provide official details about its platform, citing the need to protect intellectual property, the researchers said in their paper.

In a blog post today, Voatz called the researchers’ approach “flawed,” which “invalidates any claims about their ability to compromise the overall system.

“In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,” Voatz said.

The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 performed an analysis of the Voatz app. “This resulted in the FBI conducting an investigation against the researcher,” the MIT researchers said.

It’s not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any “detailed technical description” of its technology.

“There are at least four companies trying to offer internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,” the MIT researchers said in their paper. “To our knowledge, only Voatz has successfully fielded such a system.”

Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting, including company stockholder and university board elections. Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has provided financial support to help governments implement mobile voting pilots, allowing the agencies to choose the vendor.

In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits “which showed that votes cast over the blockchain were recorded and tabulated accurately.”

“With that being said, we always welcome new security information and will work with security experts to review this paper,” Tusk said. “Security is an iterative process that can only get better over time. There is no room for error in our elections, particularly when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.”

Medici Ventures, the wholly owned investment subsidiary of Overstock.com, has also backed Voatz, whose application has mostly been used to let absentee service members and their families cast their ballots via their smartphones from anywhere in the world.

Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is reliable and safe.

“It not only prevents voting fraud, but it also safeguards the privacy of each voter. The Voatz app even generates a paper ballot that can be audited to ensure the fidelity of the vote,” Johnson said. “This is, we believe, the best path forward to safe innovation in election technology. We should not allow ourselves to derail the future of voting.”

Critics of mobile or online voting, including security experts, believe it opens up the prospect of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions, all of which involve infecting voters’ computers with malware or infecting the computers in the elections office that manage and count ballots.

Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was “very thorough” and demonstrates exactly what experts have been saying for years.

“Internet voting is dangerous. It is no surprise that the Voatz system is vulnerable to many types of attacks, even to an attacker with no access to source code or other inside information,” Epstein said via email. “The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won’t publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.”

The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company’s servers, which are hosted on Amazon AWS and Microsoft Azure.

In the absence of connecting to the actual servers recording public votes, “the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said.

Epstein retorted that Voatz’s comments “demonstrate that they do not understand either the severity of the attacks or the way security works in general.

“Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,” Epstein said.

Copyright © 2020 IDG Communications, Inc.