freshidea - Fotolia
The first mobile e-voting application to be used in a U.S. federal election has come under fire after a team of security researchers discovered several vulnerabilities and security issues with the app.
The Voatz mobile app was used by select voters in West Virginia for the 2018 midterm elections and has since been deployed for pilots in other states, including Utah and Colorado. The e-voting platform vendor, headquartered in Boston, says it combines "the latest versions of smartphone technology, and the immutability of the blockchain" to make mobile voting safe.
But a team of researchers from the Massachusetts Institute of Technology (MIT) published a technical paper Thursday that contested those claims and revealed several vulnerabilities and security weaknesses with Voatz's platform that can allow threat actors to obtain private data on voters and, more importantly, prevent or change users' votes through the app.
Michael Specter and James Koppel, graduate students in MIT's Department of Electrical Engineering and Computer Science (EECS), and Daniel Weitzner, a principal research scientist at MIT's Computer Science and Artificial Intelligence Lab (CSAIL), reverse-engineered a version of Voatz's Android app used in the field and built a "a cleanroom reimplementation" of the platform's backend server.
According to the research team's findings, the Voatz app is vulnerable to passive attacks that can expose a user's secret ballot or prevent the ballot from being submitted; on-device attacks that allow a threat actor with root access to disable all built-in security protections on the app and control users' ballots; and API server attacks that also suppress and alter votes.
"Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned," the researchers wrote in their technical paper.
But perhaps the most serious revelation in the technical paper involves blockchain -- the researchers' claim votes generated by the app aren't actually submitted to any blockchain system and instead go to an API server.
"We have no visibility into the Voatz backend, so it's possible that a blockchain is used in vote storage," the research team wrote. "However, we found no reference to the blockchain within the app itself. Further, given the attacks we have outlined, it is unclear if the immutability provided by the blockchain is particularly helpful."
According to the technical paper, Voatz confirmed the existence of several of the vulnerabilities but "dispute[d] the severity of the issues."
Following the disclosure of the vulnerabilities, several infosec and e-voting experts echoed the MIT researchers' concerns about Voatz. Election security expert J. Alex Halderman, director of the Center for Computer Security & Society at the University of Michigan, said via Twitter that the research showed "there's a much greater risk than there should be that a network-based attacker" could access Voatz's private keys, impersonate the API server and possibly intercept and change votes.
Kevin Beaumont, a U.K.-based security researcher who in 2018 discovered other security issues with Voatz, said via Twitter the MIT research raised serious concerns about the e-voting vendor. He also criticized Voatz for its history of downplaying and even blocking vulnerability research; Beaumont said he experienced such pushback from Voatz in 2018, and he noted the MIT research paper.
Voatz responded to the MIT researchers Thursday with a scathing blog post that accused the researchers of attempting to "deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."
The e-voting company said the researchers were using an Android app that was "at least 27 versions old at the time of their disclosure and not used in an election," and much different than the current version of the app, which is covered by Voatz's bug bounty program on HackerOne. Voatz also said the reverse-engineered test app never connected to its backend severs, which are hosted on AWS and Microsoft Azure and have several layers of identity checks to prevent any alterations of voting data.
In a conference call with reporters Thursday, Voatz executives said several vulnerabilities have already been addressed and patched in newer versions of the app, and characterized other attack scenarios described in the paper as unrealistic.
Executives also responded to other allegations from the MIT researchers. Voatz CEO Nimit Sawhney said all election pilots since the third in Denver have used "the blockchain infrastructure to process the data for post-election audit," though he did not directly dispute the researchers' claim that blockchain technology was not used for vote submissions from the app.
"This claim is completely inaccurate. Right from our very first election, we have used the HyperLedger blockchain framework with every pilot. We've enhanced it, made improvements to it and continued to do so post-election pilots ever since the third pilot," Sawhney said. "This claim is completely baseless. If they had tried to dig in more, into the system, into the reports, which are available on our website, they would not have made this claim that we don't use the blockchain."
Sawhney was also asked if the researchers' test servers were similar to Voatz's actual backend servers.
"They missed a lot of things. They were not accurate," he said. "They could not even reverse-engineer all the code of the Android app, so they missed some pieces in the Android app itself. I would say they probably missed 50% of our server architecture information as well, and that's why we called it very flawed because if they had gone through the bug bounty program or collaborated with us through other means, they could have gotten access to the full infrastructure and had a more accurate view of how our system works."
According to the technical paper, the research team declined to use the current version of the Voatz app in the HackerOne bug bounty because "the differences between this version and the ones that have been fielded are unclear." The researchers also said the bounty did not include other information about Voatz's backend infrastructure, which is another reason they chose to reverse-engineer the app, and that several of the attacks and issues the team discovered were out of scope for the HackerOne program.
Sawhney said Voatz offered the researchers access to their servers to replicate the tests, but the researchers never responded.
SearchSecurity contacted MIT for comment, but the research team had not responded at press time.