Voting App Flaws Could Have Let Hackers Manipulate Results

West Virginia and Oregon have both recently deployed a mobile voting app called Voatz to facilitate absentee voting. But Voatz now turns out to have major security flaws, according to researchers from the Massachusetts Institute of Technology—including vulnerabilities that could let a hacker manipulate results.

The newly unearthed bugs could allow an attacker to reveal someone’s votes, block votes from being submitted, or even manipulate them. The findings, first reported in The New York Times, come as the United States is grappling with broad election security issues and debating whether mobile voting can safely expand accessibility. Security experts have long warned that it’s virtually impossible to guarantee safe mobile voting, while Voatz and other companies argue that technologies like biometric authentication and blockchain will make the process secure. Apparently not quite yet, though.

“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” wrote MIT researchers Michael Specter, James Koppel, and Daniel Weitzner.

The group found different types of vulnerabilities depending on what level of access an attacker has to a voter’s device or to the Voatz servers and application programming interface. If a hacker manages to get root access to your smartphone, they could bypass Voatz’s defenses to grab your data, including the PIN you use to access Voatz’s servers. They could also control your vote, block it from sending, or see how you voted. If an attacker has access to Voatz’s systems, they could uncover data meant to be locked down by the platform’s blockchain scheme, allowing them to alter votes or link votes to specific individuals even though the system is supposed to be anonymous and immutable. The researchers even found weaknesses in how the app sends votes to the company’s servers that could be exploited if a user voted on an insecure Wi-Fi network or on a connection provided by an untrustworthy internet service provider.

The attack scenarios the researchers looked at would require hackers to have already mounted successful, nontrivial attacks against user devices or Voatz’s systems. But motivated attackers would have a clear interest in executing that kind of sophisticated scheme against something as consequential as a voting app. Voting systems must be built to “assume breach,” as security experts often put it, and be resilient in the face of known attacks. And the research underscores that Voatz security is ultimately only as safe as the platform it runs on—which is not especially reassuring.

While the MIT researchers have produced the first substantive analysis of Voatz security, others have previously raised questions about the app’s defenses and architecture. A common criticism has simply been that its methods and systems lack transparency, making it impossible to tell whether the app delivers on its security promises. In a November letter to the Department of Defense and National Security Agency, Senator Ron Wyden of Oregon asked the agencies to conduct audits of Voatz’s systems. “While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments,” Wyden wrote. “In fact, Voatz won’t even identify its auditors. This level of secrecy hardly inspires confidence.”

The company still hasn’t published any of its audits but said in a statement that the researchers based their work on an outdated version of the Voatz Android app that was “at least 27 versions old at the time of their disclosure” and not representative of the latest version used in elections. Additionally, for some of the work, the researchers had to simulate portions of the Voatz infrastructure that they couldn’t directly access. The company says this means the findings do not accurately reflect their infrastructure and that if the researchers had done their work through Voatz’s bug bounty program, run by HackerOne, they would have had access to the current app and even source code to complete a more accurate assessment.