Vulnerabilities in the Voatz Internet voting app could allow adversaries to alter, stop, or expose a user’s vote, security researchers from the Massachusetts Institute of Technology (MIT) have discovered. The vendor, however, has disputed their findings.
The application was used during the 2018 midterm elections in West Virginia, and was also deployed in elections in Denver, Oregon, and Utah. It was also used at the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention.
Developed by the private Boston-based Voatz, the application is the first Internet voting app to have been used in high-stakes U.S. federal elections and is “on track to be used in the 2020 Primaries,” the researchers point out.
Voatz claims blockchain is used to ensure validity of votes, that votes are encrypted end-to-end and the identity of voters is anonymized. The company also says it can detect device compromise via jailbreak or malware, and that a cryptographically-signed digital receipt is delivered to the voter after the ballot has been submitted.
In their whitepaper (PDF), the researchers say that, due to a lack of transparency from Voatz, they “cannot make assumptions about what Voatz logs to their blockchain, the operational security of their servers, blockchain, or cryptographic keys used.”
Thus, the research focused on specific attacks that assumed the role of an adversary with control over parts of the election system, such as an individual’s device or Voatz’s API server, or the network activity between the voter’s device and the API server.
An attacker with root privileges on the device could disable Voatz’s host-based protections and alter the user’s vote without their knowledge, expose their private ballot, and exfiltrate the user’s authentication data, the researchers say.
Even under an optimistic view of the blockchain component (one that assumes every necessary security mechanism is in place), Voatz’s API server could surreptitiously alter, view, or “invent” communications with the user’s device, and could execute man-in-the-middle attacks.
The researchers also claim that an adversary able to view the user’s network activity, without access to any key material, may at least learn how the user voted, because the app leaks the length of the plain-text.
Additionally, the researchers explain that both Voatz and Jumio are provided with user information that includes their email, physical address, birth date, IP address, a current photo, device model and OS version, and preferred language.
MIT researchers claim that, because Voatz restricts the use of their app on certain device models, adversaries may trick owners of unsupported devices into installing malicious apps via legitimate-looking websites. They also note that the app leaves users vulnerable to coercion attacks, as it does not require them to re-enter their PIN at login, after registration.
The researchers reported their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). They also worked with election security officials within CISA and the vendor to ensure that all parties were aware of the discovered issues before the research was made public.
For their analysis, the MIT researchers reverse engineered the Voatz Android application and used a clean-room reimplementation of Voatz’s server. They chose not to dissect the application version offered through Voatz’s bug bounty program on HackerOne, saying the differences between the two versions were unclear.
The researchers also mention the company’s unwillingness to provide details on their system and threat model, despite calls from security researchers and elected representatives. In 2018, Voatz contacted the FBI after a researcher from the University of Michigan performed a dynamic analysis of their application.
“This opaque stance is a threat to the integrity of the electoral process. Given the contentious nature of high-stakes elections, the stringent security requirements of voting systems, and the possibility of future interference by foreign government intelligence agencies, it is crucial that the details of any fielded election system be analyzable by the public,” the researchers note in their whitepaper.
Voatz, however, claims that the MIT research is flawed to the bone. The company says the analyzed application is old and was never used in elections and that, because the app was never connected to Voatz’s servers, the researchers make “assumptions about the interactions between the system components that are simply false.”
The company also claims that it has been very open with “qualified, collaborative researchers,” which it educates “on the critical demands of election security.” While saying that it encountered no issues in the governmental pilot elections conducted to date, Voatz has attempted to smear MIT’s analysis, saying the researchers acted in bad faith.
“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” Voatz says.