Elections officials in many states have piloted various mobile voting apps as a way of expanding access to the polls, but MIT researchers say one of the more popular applications has security vulnerabilities that could open it up to tampering by bad actors.
The MIT analysis of the software, called Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”
Additionally, the researchers found that Voatz’s use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.
The study comes on the heels of this month’s problem-plagued Iowa Democratic Presidential Caucus, which used an online app to store votes but failed to do so properly because of a coding flaw and insufficient testing.
Some security experts have long argued that the only safe form of voting is paper ballots.
The Voatz mobile voting software has been used in small pilots involving only about 600 voters total in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the main focus was on inclusivity for absentee voters living abroad.
In response, Voatz called the MIT report “flawed” because it based its analysis on a long-outdated Android version of the app.
“Had the researchers taken the time, like nearly one hundred other researchers, to test and validate their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up writing a report that asserts claims on the basis of an erroneous method,” Voatz said in a blog post today.
“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said.
The West Virginia Secretary of State’s office pointed to a Department of Homeland Security assessment of the 2018 Voatz pilots indicating that “no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor’s networks.”
Audits of paper ballots produced by the Voatz platform on election day also confirmed the results were accurate, according to the Secretary of State’s office.
“We want to get the word out to media outlets like Computerworld to assure WV voters that we are taking every possible precaution to balance election security and integrity with WV’s necessity to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,” Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.
The MIT study, however, underscored the need for Voatz’s mobile app architecture to be more transparent, because public information about the technology is “vague” at best.
Voatz’s platform uses a combination of biometrics, such as mobile-phone based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses a blockchain as an immutable digital ledger to store voting results.
Voatz has declined to provide formal details about its platform, citing the need to protect intellectual property, the researchers said in their paper.
In a blog post today, Voatz called the researchers’ approach “flawed,” which “invalidates any claims about their ability to compromise the overall system.
“In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,” Voatz said.
The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 conducted an analysis of the Voatz app. “This resulted in the FBI conducting an investigation against the researcher,” the MIT researchers said.
It is not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any “specific technical description” of its technology.
“There are at least four companies attempting to offer online or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,” the MIT researchers said in their paper. “To our knowledge, only Voatz has successfully fielded such a system.”
Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting that included corporate stockholder and school board elections. Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.
Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has helped fund and promote Voatz and Democracy Live.
In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits “which confirmed that votes cast over the blockchain were recorded and tabulated correctly.”
“With that being said, we always welcome new security information and will work with security experts to review this paper,” Tusk said. “Security is an iterative process that can only get better over time. There is no room for error in our elections, especially when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.”
Medici Ventures, the wholly-owned investment subsidiary of Overstock.com, has also backed Voatz, whose software has largely been used to allow absentee voter service members and their families to cast their ballots via their smartphones from anywhere in the world.
Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is responsible and secure.
“It not only prevents voting fraud, but it also protects the privacy of each voter. The Voatz app even generates a paper ballot that can be audited to guarantee the fidelity of the vote,” Johnson said. “This is, we believe, the right path forward to secure innovation in election technology. We should not allow ourselves to derail the future of voting.”
Critics of mobile or online voting, including security experts, believe it opens up the prospect of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions — all associated with infecting voters’ devices with malware or infecting the computers in the elections office that handle and count ballots.
Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was “very thorough” and demonstrates exactly what experts have been saying for years.
“Internet voting is risky. It is no surprise that the Voatz system is vulnerable to numerous kinds of attacks, even to an attacker without access to source code or other inside information,” Epstein said via email. “The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won’t publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.”
The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company’s servers, which are hosted on Amazon AWS and Microsoft Azure.
In the absence of connecting to the actual servers recording public votes, “the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said.
Epstein retorted that Voatz’s comments “demonstrate that they do not understand either the severity of the attacks or the way security works in general.
“Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,” Epstein said.
Copyright © 2020 IDG Communications, Inc.