West Virginia and Oregon have both recently deployed a mobile voting app called Voatz to facilitate absentee voting. But Voatz now turns out to have major security flaws, according to researchers from the Massachusetts Institute of Technology—including vulnerabilities that could let a hacker manipulate results.
The newly unearthed bugs could allow an attacker to reveal someone's votes, block votes from being submitted, or even manipulate them. The findings, first reported in The New York Times, come as the United States is grappling with broad election security issues and debating whether mobile voting can safely expand accessibility. Security experts have long warned that it's virtually impossible to guarantee safe mobile voting, while Voatz and other companies argue that technologies like biometric authentication and blockchain will make the process secure. Apparently not quite yet, though.
"Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned," wrote MIT researchers Michael Specter, James Koppel, and Daniel Weitzner.
The group found different types of vulnerabilities depending on what level of access an attacker has to a voter's device or to the Voatz servers and application programming interface. If a hacker manages to get root access to your smartphone, they could bypass Voatz's defenses to grab your data, including the PIN you use to access Voatz's servers. They could also control your vote, block it from sending, or see how you voted. If an attacker has access to Voatz's systems, they could uncover data meant to be locked down by the platform's blockchain scheme, allowing them to alter votes or link votes to specific individuals even though the system is supposed to be anonymous and immutable. The researchers even found weaknesses in how the app sends votes to the company's servers that could be exploited if a user voted on an insecure Wi-Fi network or on a connection provided by an untrustworthy internet service provider.
The attack scenarios the researchers looked at would require hackers to have already mounted successful, nontrivial attacks against user devices or Voatz's systems. But motivated attackers would have a clear interest in executing that kind of sophisticated scheme against something as consequential as a voting app. Voting systems must be built to "assume breach," as security experts often put it, and be resilient in the face of known attacks. And the research underscores that Voatz security is ultimately only as safe as the platform it runs on—which is not especially reassuring.
While the MIT researchers have produced the first substantive analysis of Voatz security, others have previously raised questions about the app's defenses and architecture. A common criticism has simply been that its methods and systems lack transparency, making it impossible to tell whether the app delivers on its security promises. In a November letter to the Department of Defense and National Security Agency, Senator Ron Wyden of Oregon asked the agencies to conduct audits of Voatz's systems. "While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments," Wyden wrote. "In fact, Voatz won't even identify its auditors. This level of secrecy hardly inspires confidence."
The company still hasn't published any of its audits but said in a statement that the researchers based their work on an outdated version of the Voatz Android app that was "at least 27 versions old at the time of their disclosure" and not representative of the latest version used in elections. Additionally, for some of the work, the researchers had to simulate portions of the Voatz infrastructure that they couldn't directly access. The company says this means the findings do not accurately reflect their infrastructure and that if the researchers had done their work through Voatz's bug bounty program, run by HackerOne, they would have had access to the current app and even source code to complete a more accurate assessment.
"It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion," the company said in its statement.
Voatz flatly denies that anything from the researchers’ findings represents a vulnerability that could have been used to alter voting results.
The researchers dispute many of these assertions, though. They say that they assessed the version of the Voatz app that was available in Google Play in early December and that since then the company has done five, not 27, updates to the app according to Google Play's logs. They add that none of those five sets of update notes include any indication of security or architecture changes that would potentially negate their findings. And the researchers say that whenever they were forced to make assumptions about Voatz's systems in their analysis, they did so as generously as possible.
"We explicitly assume in the paper a very optimistic model of what Voatz’s backend could be doing," Specter, the lead researcher, told WIRED. "Every time we could possibly assume that Voatz could be preventing something we just assumed that they did it and that it’s completely secure. And even in that very strenuous situation we were able to show a number of attacks."
The researchers asked the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency to coordinate an anonymous disclosure process ahead of publication to safeguard against retaliation. Voatz memorably reported a University of Michigan researcher to the Federal Bureau of Investigation for what turned out to be security analysis of the app.
"When researchers recently contacted CISA to report vulnerabilities in mobile voting technology, we quickly shared this information with both the vendor and the state and local election officials who plan to pilot or use this technology during the 2020 election cycle," a CISA spokesperson said in a statement. "Potentially affected election officials were able to speak with the researchers and CISA to understand and manage risks to their systems."
The researchers say that during this process Voatz seemed to confirm the existence of at least two of the vulnerabilities and corresponding attack scenarios laid out in the paper. Voatz's statement does not make any specific technical claims, and the researchers emphasize that the response doesn't actually dispute any of their findings.
Security researcher Kevin Beaumont, who has found and pointed out bugs in Voatz's systems in the past, says that the findings from MIT don't surprise him. "Voatz has been trying to bury researchers in NDAs to stop findings going public, and reported one person who went public to the FBI," Beaumont says. "Elections are serious stuff. There is no place for nondisclosure agreements and false audit claims in something this targeted. It's difficult to know how Voatz is getting signed off to be involved in elections when their credentials appear questionable at best."
Though more research into the Voatz app is needed to fully understand the reality of the platform's defenses, the MIT research speaks to the pressing need for transparent, auditable voting systems—a point researchers have also strenuously made about existing, in-person voting machines.
"I think the research raises enough red flags to ask what Voatz is actually doing to protect your vote," says Matthew Green, a Johns Hopkins cryptographer who viewed the findings ahead of publication. "People shouldn’t have to reverse-engineer an app to answer these questions. Democracy requires a lot more transparency."
Updated Thursday February 13, 2020, 3:20pm ET to include comment from the MIT researchers, including more details on which version of the app they analyzed.
Updated Friday February 14, 2020, 10am ET to emphasize that Voatz denies that an attacker could alter voting results on the platform.