Online voting takes another hit
The Voatz blockchain-secured mobile voting app took a shellacking from researchers at MIT, who reported they uncovered several security vulnerabilities.
The MIT researchers said their security analysis pointed to weaknesses that would allow hackers to "alter, stop, or expose how an individual user has voted," that the app poses "potential privacy issues for users" and that its limited transparency restricts security researchers' ability to assure the app's integrity.
"Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections," they wrote in a paper describing their analysis of the Voatz system.
For their analysis, the MIT researchers reverse engineered the app and created a model of the Voatz server. They said the company's "minimal available documentation of the system" prevented them from running tests on the actual voting process, so their study presents "an analysis of the election process as visible from the app itself."
Before releasing the paper, the MIT team took its findings to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, whose Hunt and Incident Response Team (HIRT) investigated whether there was any evidence of current or previous malicious activity in the Voatz network environment.
In the week-long evaluation, conducted in September 2019 and focused on Voatz's corporate and cloud networks, CISA found no evidence of active threats, according to a report by CoinDesk. In the HIRT report, investigators said they uncovered some issues that could pose future concerns, but overall they commended the company for its "proactive measures in the use of canaries, bug bounties, Shodan alerts, and active internal scanning and red teaming."
HIRT did not assess the security of the app itself.
In a blog post titled "Voatz Response to Researchers' Flawed Report," the company detailed three "fundamental" flaws with the research.
First, company officials said, the MIT team used an Android version of the Voatz app that was "at least 27 versions old at the time of their disclosure and not used in an election." Second, the app never connected to the Voatz servers, which are hosted in Amazon Web Services and Microsoft Azure clouds, making the researchers unable to register with the app, verify their identity or receive or cast a ballot. Third, the company said that rather than accessing the Voatz servers, the researchers "fabricated an imagined version" of the servers, hypothesized as to how they worked and made assumptions "that are simply false."
Addressing the researchers' complaints about the company's lack of transparency, Voatz said it works with "qualified, collaborative researchers." It also emphasized that in all the elections that have used the Voatz app, which have involved fewer than 600 voters, no issues have been reported.
"The reality is that continuing our mobile voting pilots holds the best promise to improve accessibility, security and resilience when compared to any of the existing options available to those whose circumstances make it difficult to vote," the blog said.
The Voatz app has been used most extensively in West Virginia. Secretary of State Mac Warner first tested the option for qualified overseas military service members to cast absentee ballots in county primary elections in May 2018. It was also used in the state's November 2018 election, where 144 voters in 30 different countries were able to cast their ballots. In February, the app will be made available to absentee voters with physical disabilities.
Users download the app to their smartphones and verify their identities by providing a photo of their driver's license, state ID or passport that is matched to a selfie. Once voters' identities are confirmed, they receive a mobile ballot based on the one that they would receive in their local precinct. The distributed ledger technology ensures the votes cannot be tampered with once they've been recorded. The app has also been used in Colorado and Utah.
One Voatz advocate contacted by CoinDesk said the accessibility benefits of the app far outweigh any security risks. Amelia Powers Gardner, an election auditor in Utah County, Utah, who supervised her use of the Voatz system for disabled voters and service members deployed overseas, said the Voatz system is a much better option than email ballots for otherwise disenfranchised voting groups.
"While these concerns around mobile loading can be valid, they don't rise to a level of security that causes me to even question the use of the mobile app," she told CoinDesk.
About the Author
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG's ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia's Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at @sjaymiller.
Originally posted here:
Online voting takes another hit - GCN.com