MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities
Election officials in several states have piloted various mobile voting applications as a way of expanding access to the polls, but MIT researchers say one of the more popular apps has security vulnerabilities that could open it up to tampering by bad actors.

The MIT analysis of the application, called Voatz, highlighted a number of weaknesses that could allow hackers to “alter, stop, or expose how an individual user has voted.”

Additionally, the researchers found that Voatz's use of Palo Alto-based vendor Jumio for voter identification and verification poses potential privacy issues for users.

The study comes on the heels of this month's trouble-plagued Iowa Democratic Presidential Caucus, which used an online app to store votes but failed to do so accurately because of a coding flaw and insufficient testing.

Some security experts have long argued that the only secure form of voting is paper ballots.

Voatz iPhone mobile voting application. (Credit: Voatz)
The Voatz mobile voting application has been used in small pilots involving only about 600 voters total in Denver, West Virginia, five counties in Oregon, Utah and Washington State, where the main focus was on inclusivity for absentee voters living overseas.

In response, Voatz called the MIT report “flawed” because it based its analysis on a long-outdated Android version of the app.

“Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous method,” Voatz said in a blog post today.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said.

In 2018, West Virginia piloted Voatz's mobile voting app for resident service members and family members living overseas who wanted to vote in the midterm general election.
The West Virginia Secretary of State's office pointed to a Department of Homeland Security security assessment of the 2018 Voatz pilots indicating that “no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor's networks.”

Audits of paper ballots created by the Voatz platform on election day also showed the results were accurate, according to the Secretary of State's office.

“We want to get the word out to media outlets like Computerworld to assure WV voters that we're taking every possible precaution to balance election security and integrity with the WV requirement to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,” Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.

The MIT study, however, underscored the need for Voatz's mobile app design to be more transparent because public information about the technology is “vague” at best.

Voatz's platform uses a combination of biometrics, such as mobile-phone based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. It also uses blockchain as an immutable digital ledger to store voting results.

Voatz has declined to provide formal details about its platform, citing the need to protect intellectual property, the researchers said in their paper.

In a blog post today, Voatz called the researchers' approach “flawed,” which “invalidates any claims about their ability to compromise the overall system.” “In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,” Voatz said.

The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 performed an analysis of the Voatz app. “This resulted in the FBI conducting an investigation against the researcher,” the MIT researchers said.

It's not the first time Voatz has been criticized for not being more open about its technology. Last May, computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, published a paper that criticized Voatz for not releasing any “detailed technical description” of its technology.

“There are at least four companies attempting to provide internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,” the MIT researchers said in their paper. “To our knowledge, only Voatz has successfully fielded such a system.”

Along with Voatz, Democracy Live, Votem, SecureVote and Scytl have all piloted mobile or online voting technology in various public or private balloting that included company stockholder and school board elections.
Most recently, a Seattle district piloted the Democracy Live technology in a board of supervisors election that was open to 1.2 million registered voters.

Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has helped fund and promote Voatz and Democracy Live.

In a statement to Computerworld, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits “which showed that votes cast over the blockchain were recorded and tabulated accurately.”

“With that being said, we always welcome new security information and will work with security experts to review this paper,” Tusk said. “Security is an iterative process that can only get better over time. There is no room for error in our elections, especially when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.”

Medici Ventures, the wholly-owned investment subsidiary of Overstock.com, has also backed Voatz, whose application has primarily been used to allow absentee voter service members and their families to cast their ballots via their smartphones from anywhere in the world.

Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in a statement to a New York Times article about the MIT study, saying he believes the Voatz technology is responsible and safe.

“It not only prevents voting fraud, but it also protects the privacy of each voter. The Voatz app even generates a paper ballot that can be audited to ensure the fidelity of the vote,” Johnson said. “This is, we believe, the right path forward to safe innovation in election technology. We should not let ourselves derail the future of voting.”

Critics of mobile or online voting, including security experts, believe it opens up the possibility of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions, all related to infecting voters' computers with malware or infecting the computers in the elections office that handle and count ballots.

Jeremy Epstein, vice chair of the Association for Computing Machinery's US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was “very thorough” and demonstrates exactly what experts have been saying for years.

“Internet voting is dangerous. It's no surprise that the Voatz system is vulnerable to many types of attacks, even to an attacker with no access to source code or other inside information,” Epstein said via email. “The attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won't publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.”

The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company's servers, which are hosted by Amazon AWS and Microsoft Azure.

In the absence of connecting to the actual servers recording public votes, “the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said.

Epstein retorted that Voatz's comments “demonstrate that they don't understand either the severity of the attacks or the way security works in general.”

“Any election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,” Epstein said.
Copyright © 2020 IDG Communications, Inc.