Researchers Find Security Flaws in Mobile Voting App

A man takes a Democratic ballot to vote in the New Hampshire Primary at Parker-Varney Elementary School, Tuesday, Feb. 11, 2020, in Manchester, N.H. AP Photo/Andrew Harnik


Hackers could detect how people voted and potentially change their votes on the Voatz mobile voting app tested by West Virginia and jurisdictions in Utah, Oregon, Colorado and Washington.

A mobile voting app used by West Virginia and several local governments in the 2018 midterm elections contains vulnerabilities that could allow hackers to determine how someone voted or even change their vote, according to a report released Thursday by security researchers.

Researchers from the Massachusetts Institute of Technology found the security flaws in the Voatz voting app, which was originally designed as a way for overseas service members to cast ballots. The researchers said their findings underscore prior security recommendations that the internet not be used for voting.  

“Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election,” said Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science.

“Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.”

In addition to West Virginia, several local governments, including ones in Washington state, Colorado, Utah and Oregon, have conducted their own pilots with the Voatz system. Additional states are also considering whether to use the app to assist absentee voters in upcoming elections.

Voatz has defended those pilot projects, saying it has made open audit tools available to the public so that vote tallies can be independently verified, and that so far there have been no reported issues with the technology.

The company pushed back against the MIT findings, calling the report’s methodology “flawed.” The MIT researchers did not have access to the voting system’s design or source code; instead they reverse-engineered the app and recreated what they could of the company’s server from publicly available information.

Voatz said the Android version of the app that researchers used was old, with 27 newer versions released since then, and never used in an election. Further, the company said by reverse engineering the system, the researchers “made assumptions about the interactions between the system components that are simply false.”

The West Virginia Secretary of State’s Office said Thursday that the state will go forward with using an electronic ballot delivery system in the upcoming 2020 primary and general elections, and that it plans to extend mobile voting capabilities to severely disabled voters. But the state has not decided whether to continue using Voatz or to utilize another vendor, said spokesman Mike Queen.

“We’re concerned about the technology but we are not scared of it,” Queen said, adding that his office is closely monitoring research like MIT’s on mobile voting system technology. 

Software issues with a smartphone app delayed the tally of results in the Iowa Democratic Party’s caucuses last week, underscoring the perils of using untested new technology in local elections. To mitigate issues with new tech, David Levine, an elections expert with the Alliance for Securing Democracy, said local elections officials should try to vet any major changes by holding a mock election.

“It becomes more important to try to go to a mock election as you are trying to make a bigger change,” said Levine, who recently authored a guidebook for local elections officials offering tips on securing election infrastructure. “If you are talking about mobile voting, that is a substantial change.”

Mobile voting is still not a mainstream endeavor, Levine said. While it remains a fringe practice, he said Voatz and other companies looking to offer the same services should engage researchers in the security community. That would enable future dynamic testing of mobile voting technology during a mock election. 

Earlier concerns about the security of the Voatz app led a U.S. senator to ask the Department of Defense and National Security Agency to conduct a full cybersecurity audit of the technology used by the company. In a letter sent to the agencies in November, Sen. Ron Wyden, an Oregon Democrat, said the company has not been sufficiently transparent about its efforts to vet and safeguard the voting app to inspire confidence in its technology.

The MIT researchers reported their findings to the Department of Homeland Security, which said it shared the information with state and local election officials who plan to pilot or use this technology in 2020 elections. A spokeswoman for DHS’s Cybersecurity and Infrastructure Security Agency said there is “no known exploitation of the vulnerabilities” and that potentially affected election officials were able to speak with researchers to understand and manage risks to their systems.

Andrea Noble is a staff correspondent with Route Fifty.
