Application Security & Online Fraud , Next-Generation Technologies & Secure Development

MIT Researchers: Online Voting App Has Security Flaws

Voatz Smartphone App Used in 2018 Vulnerable to Hacking, Report Alleges
MIT Researchers: Online Voting App Has Security Flaws
Source: Voatz

Security researchers at the Massachusetts Institute of Technology have published a technical paper that describes several security flaws in Voatz, a smartphone app used for limited online voting during the 2018 U.S. midterm elections.

But the maker of the app contend the research is flawed. The company, also known as Voatz, says it cannot comment on any plans for use of the app in this year's presidential primaries, with any announcements coming from the states.

See Also: A Case Study in API Security for AppSec Developers

The researchers say vulnerabilities in the app could allow a hacker to "alter, stop, or expose a user's vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user's secret ballot.” In addition, the company behind Voatz relies on a number of third-party services for its app, which could further expose a user's data, according to the research report released Thursday.

Voatz, which is based in Boston, created its smartphone voting app for the 2018 elections, when it was deployed for limited use in West Virginia, Denver, Oregon and Utah. The app, which reportedly uses a combination of biometrics, real-time identification and blockchain technologies, also was used by overseas military personnel to record their votes during the 2018 elections, according to the New York Times.

The findings published by MIT Thursday come a few weeks after the IowaReporterApp, which was used to tally the results of the Democratic presidential caucuses in Iowa, malfunctioned and caused significant confusion for voters and candidates.

Some lawmakers are expressing concerns about the safety of using online tools for voting without a paper backup.

A spokesperson for Voatz could not be reached for comment. But the company refuted the researchers' claims in a blog post.

"Our review of their report found three fundamental flaws with their method of analysis, their untested claims, and their bad faith recommendations," according to Voatz.

Research Methodology

In their paper, the MIT researchers note that they were unable to obtain complete information about how Voatz engineers developed the company's voting application, nor were they able to access the full backend of the company's infrastructure to investigate how the app checks and verifies identity. Instead, the researchers used a "black-box" approach and reversed engineered the app, which is built off of the Android operating system, according to the paper.

The Voatz app used for testing came from the Google Play store version that was available on Jan. 1, according to the report.

Because connecting to a server that contains voters' information can involve legal and ethical concerns, the researchers note that they only connected to their own server in the lab and avoided trying to connect to Voatz's infrastructure. "Special care was taken to ensure that our static and dynamic analysis techniques could never directly interfere with Voatz or any related services, and we went through great effort so that nothing was intentionally transmitted to Voatz's servers," according to the paper.

The MIT researchers say they found several vulnerabilities within the Voatz app. For instance, an attacker who can gain root access to a device running the app can "easily" evade security defenses and learn about the user's voting choice - even after the event is over - and alter that vote, the researchers say.

The paper also says that the application's network protocol can leak details of a user's vote. And even though the company says it uses blockchain technology to help protect information, the researchers say that this is unlikely to protect the user against a server-side attack, which can open the door to a larger data breach. When Capital One was breached in 2019, the alleged hacker in that case used a version of a server-side attack to bypass security controls.

Research Methods Questioed

In responding the MIT report, Voatz says that because the researchers did not have complete access to the company's backend operations and all the technical details, the research is flawed.

"In the absence of trying to access the Voatz servers, the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false," Voatz says in its blog.

Over the last few years, Voatz has been aggressive in pushing back against researchers who have found flaws in the company's app. Independent security researcher Kevin Beaumont noted on Twitter a similar exchange when he pointed out a flaw two years ago.

In 2018, Beaumont said he found unpatched servers and discovered several Voatz service-related credentials on Github. At the time, Voatz downplayed the incident as part of its "honeypot operation."

Push for Paper Ballots

In their study, the MIT researchers contend that internet-connected voting systems remain susceptible to various online attacks and reiterate the need to rely on paper ballots to ensure transparency in the election process.

"Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections," the researchers add. "Software independent systems using voter-verified paper ballots and risk limiting audits remain the most secure option."

An earlier report by Def Con Voting Village also concluded that paper ballots are more secure from malicious hacks as well as other security vulnerabilities. In its September 2019 report, Def Con said that several voting machines in the U.S remained susceptible to tampering, hacking and other security vulnerabilities (see: Report: US Voting Machines Still Prone to Hacking)

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.