Jaap Arriens/NurPhoto via ZUMA Press
An online voting technology that has been tested in five states can be hacked to alter, block, or expose voters’ ballots, according to research published Thursday by a trio of MIT researchers.
Voatz, a Boston-based company, claims its app allows for widely accessible and secure voting from smartphones by relying on security features built into the phones themselves. It has run pilots in several states including West Virginia, where the technology was used during the 2018 midterms to facilitate online voting for Americans living overseas, including military personnel. The app has also been used in various elections in Denver, Oregon, and Utah. In 2016, the Massachusetts Democratic Convention and Utah Republican Convention relied on this technology. This year, thousands more people in West Virginia were set to use the app under expanded access laws in the state designed to help absentee voters with disabilities, but now officials there are reconsidering their options.
The MIT researchers—graduate students Michael Specter and James Koppel and their adviser Daniel Weitzner—claim in their new paper that they found the vulnerabilities and disclosed them to the Department of Homeland Security in order to alert election administrators in the jurisdictions using the app.
Voatz is not a stranger to national headlines. In October 2019, then-CNN reporter Kevin Collier reported that a student from the University of Michigan had been referred to the FBI for investigation after the company claimed the student tried to break into its systems during the 2018 election. Last week, information security journalist Yael Grauer took a deeper look at the case, reporting how the company may have changed the terms of its bug bounty program—which offers rewards to researchers who find and report vulnerabilities—after the news broke, suggesting it may have sought to deter research on its tech.
Last November, Sen. Ron Wyden (D-Ore.) called for the Department of Defense and the NSA to audit Voatz, after complaining the company wouldn’t release security audits and wouldn’t identify the security researchers it claimed to be working with.
“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe,” Wyden said in a statement Thursday. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system. It is long past time for Republicans to end their election security embargo and let Congress pass mandatory security standards for the entire election system.”
In a response posted to its blog—”Chronicles of an Audacious Experiment”—Voatz called the MIT report “flawed.” The company claimed the researchers tested the company’s Android app “that was at least 27 versions old.” And it said the “outdated app” was never connected to the company’s servers but rather to simulated servers, and therefore made false “assumptions” about how the back end of the system works. “In short,” the company said, “to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers.”
The company claimed that past elections using its technology had run smoothly, and it attacked the MIT researchers for seeking “media attention,” contending their “true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
Alex Halderman, an election security expert at the University of Michigan, tweeted Thursday that the findings show “there’s a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatz’s private key, impersonate the Voatz API server, and then intercept and change votes.” He said it was “shocking” how “primitive” the app is and that “no responsible jurisdiction should use Voatz in real elections any time soon.”
Of Voatz’s rebuttal to the MIT report, Halderman said: “The Voatz response doesn’t seem to dispute any of the specific technical claims in the MIT paper. That’s very telling, in my view. If any of it is wrong, Voatz should say what, specifically, that is. They don’t seem to even say the more recent version of the app works differently.”
The researchers claim that their analysis shows the app could allow an adversary to see a user’s vote or disrupt the transmission of voting data. An attacker could “control their vote,” the researchers claim, and if someone controls of the back-end server they’d have “full power to observe, alter, and add votes as they please.” This table outlines the researchers’ summary findings based on the level of access the adversary gains.
A summary of potential attacks a hacker could launch against the Voatz app, according to the MIT researchers.
The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) worked with the MIT researchers to alert election officials, a CISA spokesperson told Mother Jones, and shared relevant information with Voatz as well. The election officials “were able to speak with the researchers and CISA to understand and manage risks to their systems,” the spokesperson said, adding that “there is no known exploitation of the vulnerabilities to the bring-your-own-device mobile voting system described in the research.”
Donald Kersey, general counsel for West Virginia Secretary of State Mac Warner, said in a statement provided to Mother Jones that the state appreciates “the responsible and ethical reporting of this research through the Department of Homeland Security by the research team at MIT,” and that Warner hasn’t decided which technology to use for the May 12 primary election or the general election in November. Warner’s office also provided a copy of a declassified DHS assessment of the Voatz network. The audit, conducted in Voatz headquarters last fall, found some security gaps but “did not identify any threat actor activity within Voatz’s network environment.”
The report doesn’t examine the app directly, but it does cover the cloud servers used to support it. While the team saw “no evidence of malicious activity,” it did find determine some server settings could “unintentionally lead to a reduced security posture.” Voatz reported to DHS that those concerns had been addressed.
