MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities

Elections officials in a number of states have piloted various mobile voting applications as a way of expanding access to the polls, but MIT researchers say one of the more popular apps has security vulnerabilities that could open it up to tampering by bad actors.

The MIT evaluation of the software, known as Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”

In addition, the researchers found that Voatz’s use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.

The study comes on the heels of this month’s problem-plagued Iowa Democratic Presidential Caucus, which used an online app to tally votes but failed to do so correctly because of a coding flaw and insufficient testing.

Some security experts have long argued that the only safe form of voting is paper ballots.


Voatz iPhone mobile voting app.

The Voatz mobile voting app has been used in small pilots involving only about 600 voters total in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the primary focus was on inclusivity for absentee voters living overseas.

In response, Voatz called the MIT report “flawed” because it based its evaluation on a long-outdated Android version of the app.

“Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous method,” Voatz said in a blog post today.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said.

In 2018, West Virginia piloted Voatz’s mobile voting app for resident service members and family members living overseas who wanted to vote in the midterm general election.

The West Virginia Secretary of State’s office pointed to a Department of Homeland Security assessment of the 2018 Voatz pilots indicating that “no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor’s networks.”

Audits of paper ballots produced by the Voatz platform on election day also showed the results were accurate, according to the Secretary of State’s office.

“We want to get the word out to media outlets like Computerworld to assure WV voters that we are taking every possible precaution to balance election security and integrity with WV’s need to deliver absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,” Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.

The MIT study, however, underscored the need for Voatz’s mobile app design to be more transparent, because public information about the technology is “vague” at best.

Voatz’s platform uses a mix of biometrics, such as mobile-phone-based facial recognition, and hardware-backed keystores to deliver end-to-end encrypted and voter-verifiable ballots. It also uses a blockchain as an immutable digital ledger to store voting results.

Voatz has declined to provide official details about its platform, citing the need to protect intellectual property, the researchers said in their paper.

In a blog post today, Voatz called the researchers’ approach “flawed,” which “invalidates any claims about their ability to compromise the overall system.

“In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,” Voatz said.

The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 conducted an evaluation of the Voatz app. “This resulted in the FBI conducting an investigation against the researcher,” the MIT researchers said.

It’s not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any “detailed technical description” of its technology.

“There are at least four companies attempting to offer internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,” the MIT researchers said in their paper. “To our knowledge, only Voatz has successfully fielded such a system.”

Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting that included corporate stockholder and school board elections. Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has helped fund and promote Voatz and Democracy Live.

In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits “which confirmed that votes cast over the blockchain were recorded and tabulated correctly.”

“With that being said, we always welcome new security information and will work with security experts to review this paper,” Tusk said. “Security is an iterative process that can only get better over time. There is no room for error in our elections, particularly when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.”

Medici Ventures, the wholly owned investment subsidiary of, has also backed Voatz, whose software has predominantly been used to allow absentee service members and their families to cast their ballots via their smartphones from anywhere in the world.

Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is responsible and secure.

“It not only prevents voting fraud, but it also protects the privacy of every voter. The Voatz app even generates a paper ballot that can be audited to ensure the fidelity of the vote,” Johnson said. “This is, we believe, the right path forward to secure innovation in election technology. We should not let ourselves derail the future of voting.”

Critics of mobile or online voting, including security experts, believe it opens up the possibility of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions — all associated with infecting voters’ computers with malware or infecting the computers in the elections office that manage and count ballots.

Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was “very thorough” and demonstrates exactly what experts have been saying for decades.

“Internet voting is risky. It is no surprise that the Voatz system is vulnerable to many types of attacks, even to an attacker with no access to source code or other inside information,” Epstein said via email. “The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won’t publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.”

The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company’s servers, which are hosted on Amazon AWS and Microsoft Azure.

Without connecting to the real servers recording public votes, “the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said.

Epstein retorted that Voatz’s comments “demonstrate that they don’t understand either the severity of the attacks or the way security works in general.

“Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,” Epstein said.

Copyright © 2020 IDG Communications, Inc.