MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities

Elections officials in quite a few states have piloted different cell voting apps as a strategy of growing accessibility to the polls, but MIT scientists say a person of the additional well-known apps has safety vulnerabilities that could open it up to tampering by negative actors.

The MIT examination of the software, named Voatz, highlighted a number of weaknesses that could let hackers to “alter, quit, or expose how an particular person user has voted.”

Moreover, the scientists observed that Voatz’s use of Palo Alto-primarily based seller Jumio for voter identification and verification poses likely privacy problems for end users.

The review comes on the heels this month’s issues-plagued Iowa Democratic Presidential Caucus, which applied an on line application to retail outlet votes but unsuccessful to do so correctly mainly because of a coding flaw and inadequate testing.

Some safety authorities have very long argued that the only safe variety of voting is paper ballots.

iPhone iOS voatz blockchain voting Voatz

Voatz Apple iphone cell voting software.

The Voatz cell voting software has been applied in tiny pilots involving  only about 600 voters overall in Denver, West Virginia, 5 counties in Oregon, Utah and Washington Condition, exactly where the main aim was on inclusivity for absentee voters living overseas.

In response, Voatz called the MIT report “flawed” mainly because it primarily based its examination on a very long-outdated Android model of the application.

“Had the scientists taken the time, like just about 100 other scientists, to examination and verify their claims utilizing the most up-to-date model of our system by means of our general public bug bounty system on HackerOne, they would not have finished up manufacturing a report that asserts claims on the basis of an faulty strategy,” Voatz mentioned in a web site post today.

“We want to be obvious that all nine of our governmental pilot elections carried out to date, involving less than 600 voters, have been carried out properly and securely with no noted problems,” Voatz claimed.

In 2018, West Virginia piloted Voatz’s cell voting application for resident assistance associates and relatives living overseas who wished to vote in the midterm basic election. 

West Virginia Secretary of State’s office environment pointed to a Section of Homeland Protection safety assessment of the 2018 Voatz pilots indicating there was “no danger actor behaviors or artifacts of earlier nefarious activities ended up detected in the vendor’s networks.”

Audits of paper ballots made by the Voatz plaform on election day also confirmed the results ended up accurate, according to the Secretary of State’s office environment.

“We want to get the phrase out to media outlets like Computerworld to guarantee WV voters that we are using every attainable precaution to balance election safety and integrity with WV necessity to present absentee ballots electronically to overseas, armed service and absentee voters living with bodily disabilities,” Mike Queen, deputy main of personnel for West Virginia Secretary of Condition Mac Warner, claimed by means of e-mail.

The MIT review, having said that, underscored the need to have for Voatz’s cell application structure to be additional clear mainly because general public info about the engineering is “vague” at very best.

Voatz’s system employs a blend of biometrics, these types of as cell-cellular phone primarily based facial recognition, and components-backed keystores to present finish-to-finish encrypted and voter-verifiable ballots. It also employs blockchain as an immutable digital ledger to retail outlet voting results.

Voatz has declined to present official particulars about its system, citing the need to have to guard intellectual home, the scientists claimed in their paper.

In a web site write-up today, Voatz named the researchers’ tactic “flawed,” which “invalidates any claims about their ability to compromise the over-all program.

“In brief, to make claims about a backend server with no any proof or relationship to the server negates any diploma of trustworthiness on behalf of the scientists,” Voatz claimed.

The scientists also named Voatz out for reporting a University of Michigan researcher who in 2018 carried out an examination of the Voatz application. “This resulted in the FBI conducting an investigation against the researcher,” the MIT scientists claimed.

It is not the 1st time Voatz has been criticized for not remaining additional open about its engineering. Previous May, computer scientists from Lawrence Livermore Countrywide Laboratory and the University of South Carolina, together with election oversight groups, published a paper that criticized Voatz for not releasing any “specific technical description” of its engineering.

“There are at minimum four firms making an attempt to offer world wide web or cell voting alternatives for substantial-stakes elections, and a person 2020 Democratic presidential applicant has involved voting from a cell gadget by means of the blockchain in his policy plank,” the MIT scientists claimed in their paper. “To our information, only Voatz has properly fielded these types of a program.”

Alongside with Voatz, Democracy Dwell, Votem, SecureVote and Scytl have all piloted cell or on line voting engineering in different general public or private balloting that involved enterprise stockholder and college or university board elections. Most not long ago, a Seattle district piloted the Democracy Dwell technology in a board of supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a nonprofit concentrated on marketing cell voting as a way to raise voter turnout, has supplied economic aid to assistance governments implement cell voting pilots, permitting the businesses to opt for the seller company.

In a statement to Computerworld, Tusk claimed it feels self-confident in the results of all the pilot elections mainly because it carried out independent, 3rd-get together audits “which confirmed that votes solid above the blockchain ended up recorded and tabulated correctly.”

“With that remaining claimed, we constantly welcome new safety info and will function with safety authorities to evaluation this paper,” Tusk claimed. “Security is an iterative process that can only get far better above time. There is no home for mistake in our elections, primarily when it comes to data leakage, compromised encryption, broken authentication, or denial-of-assistance assaults.”

Medici Ventures, the wholly-owned investment subsidiary of, has also backed Voatz, whose software has mainly been applied to let absentee voter assistance associates and their family members to solid their ballots by means of their smartphones from anyplace in the earth.

Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Periods article about the MIT review, expressing he thinks the Voatz engineering is accountable and harmless.

“It not only helps prevent voting fraud, but it also safeguards the privacy of every voter. The Voatz application even generates a paper ballot that can be audited to assure the fidelity of the vote,” Johnson claimed. “This is, we think, the appropriate path ahead to harmless innovation in election engineering. We need to not allow ourselves derail the upcoming of voting.”

Critics of cell or on line voting, including safety authorities, think it opens up the prospect of server penetration assaults, customer-gadget malware, denial-of-assistance assaults and other disruptions — all associated with infecting voters’ computers with malware or infecting the computers in the elections office environment that take care of and depend ballots.

Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technological innovation Plan Committee (USTPC), has been a vocal critic of cell voting platforms, which include Voatz. He claimed the MIT review was “very thorough” and demonstrates specifically what authorities have been expressing for many years.

“Internet voting is risky. It is no shock that the Voatz program is vulnerable to quite a few kinds of assaults, even to an attacker with no accessibility to supply code or other inside of info,” Epstein claimed by means of e-mail. “The assaults demonstrated by MIT are nicely within just the capabilities of country-condition adversaries who are intrigued in manipulating US elections, and these types of an adversary is not going to publish their results as the MIT workforce has done, leaving us with an election that may perhaps be undetectably manipulated.”

The 5-12 months-outdated Voatz slammed the MIT scientists for never ever connecting even the outdated application they applied to the company’s servers, which are hosted by Amazon AWS and Microsoft Azure.

In the absence of connecting to the precise servers recording general public votes, “the scientists fabricated an imagined model of the Voatz servers, hypothesized how they labored, and then produced assumptions about the interactions in between the program factors that are simply just bogus,” Voatz claimed.

Epstein retorted that Voatz’s remarks “demonstrate that they don’t have an understanding of either the severity of the assaults or the way safety operates in basic.

“Any election formal utilizing Voatz products and solutions would be nicely encouraged to cancel their plans, before a stealthy attack in a genuine election compromises democracy,” Epstein claimed.

Copyright © 2020 IDG Communications, Inc.