Researchers say hackers can alter, stop, or expose how an individual user has voted through the Voatz app.
The makers of the blockchain voting platform Voatz have had to go on the offensive to address assertions from MIT researchers that their app is insecure and can be easily hacked into. MIT researchers released a lengthy paper on Thursday that said hackers could change votes through the app, which has already been used in Oregon, West Virginia, Washington, and Utah since 2018.
"Their security analysis of the application, called Voatz, pinpoints a number of weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted," MIT said in a news release.
Additionally, the researchers found that Voatz' use of a third-party vendor for voter identification and verification poses potential privacy issues for users," the MIT press release said.
In a blog post and call with reporters, Voatz defended its security practices and disputed the claims made by the MIT researchers. The company said the research paper was based on an "old version" of the app and that because of this, many of their claims were invalid.
"Voatz has worked for nearly five years to develop a resilient ballot marking system, a system built to respond to unanticipated threats and to distribute updates worldwide with short notice. It incorporates solutions from other industries to address issues around security, identity, accessibility, and auditability," the company wrote.
MIT said in its release: "After uncovering these security vulnerabilities, the researchers disclosed their findings to the Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA). The researchers, along with the Boston University/MIT Technology Law Clinic, worked in close coordination with election security officials within CISA to ensure that impacted elections officials and the vendor were aware of the findings before the research was made public."
SEE: Iowa caucus app fiasco: How it happened and lessons learned (free PDF) (TechRepublic)
Michael Specter, a graduate student in MIT's Department of Electrical Engineering and Computer Science (EECS) and a member of MIT's Internet Policy Research Initiative, and James Koppel, also a graduate student in EECS, described what went wrong with Voatz and how they discovered the vulnerabilities in their paper, "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S Federal Elections."
They said they were initially inspired to look into Voatz because other researchers at MIT were looking at ways to use blockchain in elections and were interested in how the Boston-based company was able to put their platform together.
Voatz did not publicly release any source code or documentation for how its system operates, so Specter and Koppel reverse engineered the Voatz application.
They said they were both immediately alarmed by what they found. Cybercriminals with remote access to a device with Voatz could very easily change votes.
"It does not appear that the app's protocol attempts to verify [genuine votes] with the back-end blockchain. Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you're on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election," Specter said.
"Worse, more aggressive attackers could potentially detect which way you're going to vote and then stop the connection based on that alone."
They also discovered that Voatz was using external vendors to handle the verification of voter IDs, giving outside groups access to photos and information on driver's licenses.
Koppel said that running any secure election over the internet is not possible based on the consensus of opinions from security experts.
The two researchers lauded Voatz for trying to make voting more accessible but said the platform had to be secured through the proper channels.
Nothing in the MIT press release or study indicates that Voatz was hacked during the 2018 midterm elections throughout the four states it was used. But researchers noted in the study that hacking Voatz would be "well within the capacity of a nation-state actor."
The smartphone app was designed to help make it easier for certain communities to vote and essentially take the place of absentee voting systems. Voatz allows people to vote through an Android app. Oregon, Washington, and West Virginia used it to help military officials overseas vote in local elections, while a county in Utah used it for disabled voters.
Voatz has been used by both parties, deployed for the 2016 Massachusetts Democratic Convention as well as the 2016 Utah Republican Convention.
NBC obtained a study of Voatz conducted by the Department of Homeland Security last year that found a number of security flaws as well. In a statement, West Virginia Secretary of State Mac Warner said it was following the MIT research and noted that only about 200 votes were cast through the app in the 2018 elections.
"In an effort to provide additional security to any platform we may use, we continue to welcome critiques of the Voatz technology as does Voatz," Warner's spokesperson Mike Queen told NBC in an email.
The MIT researchers are not the only people who took issue with Voatz. In November, Oregon Senator Ron Wyden sent a letter to the Pentagon demanding the government look into Voatz and force them to address the security concerns it presents.
"I am also very concerned about the significant security risks associated with voting over the internet, including through the use of smartphone-based apps like Voatz. A chorus of cybersecurity experts laid out their concerns in a 2018 National Academy of Sciences Report," Wyden wrote, including a quote from the report that said the internet should not be used for the return of market ballots.
"While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments. In fact, Voatz won't even identify its auditors. This level of secrecy hardly inspires confidence," he added before imploring the Pentagon to conduct its own audit of Voatz.
The Voatz blog post says the credibility of the researchers is negated by the fact that they did not have any actual access to Voatz' backend servers and therefore could not prove any of what was in the study. Voatz also disputed the idea that they were not transparent, writing that the company is open with "qualified, collaborative researchers."
Voatz noted that all nine of the company's governmental pilot elections conducted have involved less than 600 voters and have had no reported issues.
"It is clear that from the theoretical nature of the researchers' approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers' true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."
On a later call with Voatz CEO Nimit Sawhney, Larry Moore, senior vice president, and Hilary Braseth, vice president, said the company has worked alongside election officials and independent cybersecurity organizations to develop a post-election audit process.
Moore suggested the MIT researchers were trying to use media attention to stop Voatz' work.
Sawhney said a number of the assertions made in the paper have already been fixed and they are working with the Department of Homeland Security to address any other concerns the government may have.
"Their claim of being able to compromise a device and then being able to use that to connect to the network, that would have gotten blocked by server-side protection. And so definitely, there's a lot of the intelligence in the system that relies on the server-side, in the cloud, which they completely missed because they were just looking at one isolated piece of the system," Sawhney said.
"So as far as Voatz users are concerned, we do not believe that they should be worried at all about these vulnerabilities."
Sawhney went on to say that the MIT researchers could not reverse engineer all the code in the Android app and are missing some pieces in the Android app itself as well as a significant portion of Voatz' server architecture information.
Moore also addressed the New York Times report that Mason County, Washington has decided not to use the app in their elections, saying the person in charge had been pressured by government officials to scrap the app.
The MIT researchers have not responded to the assertions made by Voatz executives but were very clear that no app like Voatz should be used during elections at this point.
"We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field," says Weitzner.
"We cannot experiment on our democracy."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet) All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)