Security Researchers Find Flaws in Online Voting System Tested in Five States

They say the vulnerabilities could allow hackers to manipulate voting data.

Jaap Arriens/NurPhoto via ZUMA Press

For indispensable reporting on the coronavirus crisis and more, subscribe to Mother Jones' newsletters.

An online voting technology that has been tested in five states can be hacked to alter, block, or expose voters’ ballots, according to research published Thursday by a trio of MIT researchers.

Voatz, a Boston-based company, claims its app allows for widely accessible and secure voting from smartphones by relying on security features built into the phones themselves. It has run pilots in several states including West Virginia, where the technology was used during the 2018 midterms to facilitate online voting for Americans living overseas, including military personnel. The app has also been used in various elections in Denver, Oregon, and Utah. In 2016, the Massachusetts Democratic Convention and Utah Republican Convention relied on this technology. This year, thousands more people in West Virginia were set to use the app under expanded access laws in the state designed to help absentee voters with disabilities, but now officials there are reconsidering their options.

The MIT researchers—graduate students Michael Specter and James Koppel and their adviser Daniel Weitzner—claim in their new paper that they found the vulnerabilities and disclosed them to the Department of Homeland Security in order to alert election administrators in the jurisdictions using the app.

Voatz is not a stranger to national headlines. In October 2019, then-CNN reporter Kevin Collier reported that a student from the University of Michigan had been referred to the FBI for investigation after the company claimed the student tried to break into its systems during the 2018 election. Last week, information security journalist Yael Grauer took a deeper look at the case, reporting how the company may have changed the terms of its bug bounty program—which offers rewards to researchers who find and report vulnerabilities—after the news broke, suggesting it may have sought to deter research on its tech.

Last November, Sen. Ron Wyden (D-Ore.) called for the Department of Defense and the NSA to audit Voatz, after complaining the company wouldn’t release security audits and wouldn’t identify the security researchers it claimed to be working with.

“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe,” Wyden said in a statement Thursday. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system. It is long past time for Republicans to end their election security embargo and let Congress pass mandatory security standards for the entire election system.”

In a response posted to its blog—”Chronicles of an Audacious Experiment”—Voatz called the MIT report “flawed.” The company claimed the researchers tested the company’s Android app “that was at least 27 versions old.” And it said the “outdated app” was never connected to the company’s servers but rather to simulated servers, and therefore made false “assumptions” about how the back end of the system works. “In short,” the company said, “to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers.”

The company claimed that past elections using its technology had run smoothly, and it attacked the MIT researchers for seeking “media attention,” contending their “true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”

Alex Halderman, an election security expert at the University of Michigan, tweeted Thursday that the findings show “there’s a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatz’s private key, impersonate the Voatz API server, and then intercept and change votes.” He said it was “shocking” how “primitive” the app is and that “no responsible jurisdiction should use Voatz in real elections any time soon.”

Of Voatz’s rebuttal to the MIT report, Halderman said: “The Voatz response doesn’t seem to dispute any of the specific technical claims in the MIT paper. That’s very telling, in my view. If any of it is wrong, Voatz should say what, specifically, that is. They don’t seem to even say the more recent version of the app works differently.”

The researchers claim that their analysis shows the app could allow an adversary to see a user’s vote or disrupt the transmission of voting data. An attacker could “control their vote,” the researchers claim, and if someone controls of the back-end server they’d have “full power to observe, alter, and add votes as they please.” This table outlines the researchers’ summary findings based on the level of access the adversary gains.

A summary of potential attacks a hacker could launch against the Voatz app, according to the MIT researchers.

Michael Specter, James Koppel, Daniel Weitzner

The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) worked with the MIT researchers to alert election officials, a CISA spokesperson told Mother Jones, and shared relevant information with Voatz as well. The election officials “were able to speak with the researchers and CISA to understand and manage risks to their systems,” the spokesperson said, adding that “there is no known exploitation of the vulnerabilities to the bring-your-own-device mobile voting system described in the research.”

Donald Kersey, general counsel for West Virginia Secretary of State Mac Warner, said in a statement provided to Mother Jones that the state appreciates “the responsible and ethical reporting of this research through the Department of Homeland Security by the research team at MIT,” and that Warner hasn’t decided which technology to use for the May 12 primary election or the general election in November. Warner’s office also provided a copy of a declassified DHS assessment of the Voatz network. The audit, conducted in Voatz headquarters last fall, found some security gaps but “did not identify any threat actor activity within Voatz’s network environment.”

The report doesn’t examine the app directly, but it does cover the cloud servers used to support it. While the team saw “no evidence of malicious activity,” it did find determine some server settings could “unintentionally lead to a reduced security posture.” Voatz reported to DHS that those concerns had been addressed.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate

We have a new comment system! We are now using Coral, from Vox Media, for comments on all new articles. We'd love your feedback.