MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities

Election officials in several states have piloted a number of mobile voting apps as a way of increasing access to the polls, but MIT researchers say one of the better-known apps has security vulnerabilities that could open it up to tampering by bad actors.

The MIT evaluation of the app, called Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”

In addition, the researchers found that Voatz’s use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.

The study comes on the heels of this month’s trouble-plagued Iowa Democratic Presidential Caucus, which used an online app to tally votes but failed to do so accurately because of a coding flaw and inadequate testing.

Some security experts have long argued that the only secure form of voting is paper ballots.

Voatz iPhone mobile voting app.

The Voatz mobile voting app has been used in small pilots involving only about 600 voters in total in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the primary focus was on inclusivity for absentee voters living abroad.

In response, Voatz called the MIT report “flawed” because it based its evaluation on a long-outdated Android version of the app.

“Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous approach,” Voatz said in a blog post today.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said.

In 2018, West Virginia piloted Voatz’s mobile voting app for resident service members and family members living abroad who wanted to vote in the midterm general election.

The West Virginia Secretary of State’s office pointed to a Department of Homeland Security security assessment of the 2018 Voatz pilots indicating that “no threat actor behaviors or artifacts of prior nefarious activities were detected in the vendor’s networks.”

Audits of paper ballots produced by the Voatz platform on election day also confirmed the results were accurate, according to the Secretary of State’s office.

“We want to get the word out to media outlets like Computerworld to assure WV voters that we are taking every possible precaution to balance election security and integrity with WV’s requirement to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,” Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.

The MIT study, however, underscored the need for Voatz’s mobile app design to be more transparent, because public information about the technology is “vague” at best.

Voatz’s system uses a combination of biometrics, such as mobile-phone-based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses a blockchain as an immutable digital ledger to store voting results.

Voatz has declined to provide formal details about its system, citing the need to protect intellectual property, the researchers said in their paper.

In a blog post today, Voatz called the researchers’ approach “flawed,” which “invalidates any claims about their ability to compromise the overall system.

“In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,” Voatz said.

The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 conducted an evaluation of the Voatz app. “This resulted in the FBI conducting an investigation against the researcher,” the MIT researchers said.

It’s not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any “detailed technical description” of its technology.

“There are at least four companies attempting to offer internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,” the MIT researchers said in their paper. “To our knowledge, only Voatz has successfully fielded such a system.”

Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting that included company stockholder and school board elections. Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has provided financial support to help governments implement mobile voting pilots, allowing the agencies to choose the vendor.

In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits “which showed that votes cast over the blockchain were recorded and tabulated accurately.”

“With that being said, we always welcome new security information and will work with security experts to evaluate this paper,” Tusk said. “Security is an iterative process that can only get better over time. There is no room for error in our elections, especially when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.”

Medici Ventures, Overstock’s wholly-owned investment subsidiary, has also backed Voatz, whose app has primarily been used to allow absentee voter service members and their families to cast their ballots via their smartphones from anywhere in the world.

Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is responsible and secure.

“It not only prevents voting fraud, but it also protects the privacy of every voter. The Voatz app even generates a paper ballot that can be audited to ensure the fidelity of the vote,” Johnson said. “This is, we believe, the best path forward to secure innovation in election technology. We should not let ourselves derail the future of voting.”

Critics of mobile or online voting, including security experts, believe that it opens up the prospect of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions — all associated with infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots.

Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was “very thorough” and demonstrates exactly what experts have been saying for years.

“Internet voting is risky. It’s no surprise that the Voatz system is vulnerable to several types of attacks, even to an attacker with no access to source code or other inside information,” Epstein said via email. “The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won’t publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.”

The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company’s servers, which are hosted on Amazon AWS and Microsoft Azure.

In the absence of connecting to the actual servers recording public votes, “the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said.

Epstein retorted that Voatz’s responses “demonstrate that they don’t understand either the severity of the attacks or the way security works in general.

“Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,” Epstein said.

Copyright © 2020 IDG Communications, Inc.