Security Researchers Find Flaws in Online Voting System Tested in Five States – Mother Jones

admin on February 15, 2020 Leave a Comment

An online voting technology that has been tested in five states can be hacked to alter, block, or expose voters ballots, according to research published Thursday by a trio of MIT researchers.

Voatz, a Boston-based company, claims its app allows for widely accessible and secure voting from smartphones by relying on security features built into the phones themselves. It has run pilots in several states including West Virginia, where the technology was used during the 2018 midterms to facilitate online voting for Americans living overseas, including military personnel. The app has also been used in various elections in Denver, Oregon, and Utah. In 2016, the Massachusetts Democratic Convention and Utah Republican Convention relied on this technology. This year, thousands more people in West Virginia were set to use the app under expanded access laws in the state designed to help absentee voters with disabilities, but now officials there are reconsidering their options.

The MIT researchersgraduate students Michael Specter and James Koppel and their adviser Daniel Weitznerclaim in their new paper that they found the vulnerabilities and disclosed them to the Department of Homeland Security in order to alert election administrators in the jurisdictions using the app.

Voatz is not a stranger to national headlines. In October 2019, then-CNN reporter Kevin Collier reported that a student from the University of Michigan had been referred to the FBI for investigation after the company claimed the student tried to break into its systems during the 2018 election. Last week, information security journalist Yael Grauer took a deeper look at the case, reporting how the company may have changed the terms of its bug bounty programwhich offers rewards to researchers who find and report vulnerabilitiesafter the news broke, suggesting it may have sought to deter research on its tech.

Last November, Sen. Ron Wyden (D-Ore.) called for the Department of Defense and the NSA to audit Voatz, after complaining the company wouldnt release security audits and wouldnt identify the security researchers it claimed to be working with.

I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isnt safe, Wyden said in a statement Thursday. Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system. It is long past time for Republicans to end their election security embargo and let Congress pass mandatory security standards for the entire election system.

In a response posted to its blogChronicles of an Audacious ExperimentVoatz called the MIT report flawed. The company claimed the researchers tested the companys Android app that was at least 27 versions old. And it said the outdated app was never connected to the companys servers but rather to simulated servers, and therefore made false assumptions about how the back end of the system works. In short, the company said, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers.

The company claimed that past elections using its technology had run smoothly, and it attacked the MIT researchers for seeking media attention, contending their true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.

Alex Halderman, an election security expert at the University of Michigan, tweeted Thursday that the findings show theres a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatzs private key, impersonate the Voatz API server, and then intercept and change votes. He said it was shocking how primitive the app is and that no responsible jurisdiction should use Voatz in real elections any time soon.

Of Voatzs rebuttal to the MIT report, Halderman said: The Voatz response doesnt seem to dispute any of the specific technical claims in the MIT paper. Thats very telling, in my view. If any of it is wrong, Voatz should say what, specifically, that is. They dont seem to even say the more recent version of the app works differently.

The researchers claim that their analysis shows the app could allow an adversary to see a users vote or disrupt the transmission of voting data. An attacker could control their vote, the researchers claim, and if someone controls of the back-end server theyd have full power to observe, alter, and add votes as they please. This table outlines the researchers summary findings based on the level of access the adversary gains.

A summary of potential attacks a hacker could launch against the Voatz app, according to the MIT researchers.

Michael Specter, James Koppel, Daniel Weitzner

The Department of Homeland Securitys Cybersecurity and Infrastructure Agency (CISA) worked with the MIT researchers to alert election officials, a CISA spokesperson told Mother Jones, and shared relevant information with Voatz as well. The election officials were able to speak with the researchers and CISA to understand and manage risks to their systems, the spokesperson said, adding that there is no known exploitation of the vulnerabilities to the bring-your-own-device mobile voting system described in the research.

Donald Kersey, general counsel for West Virginia Secretary of State Mac Warner, said in a statement provided to Mother Jones that the state appreciates the responsible and ethical reporting of this research through the Department of Homeland Security by the research team at MIT, and that Warner hasnt decided which technology to use for the May 12 primary election or the general election in November. Warners office also provided a copy of a declassified DHS assessment of the Voatz network. The audit, conducted in Voatz headquarters last fall, found some security gaps but did not identify any threat actor activity within Voatzs network environment.

The report doesnt examine the app directly, but it does cover the cloud servers used to support it. While the team saw no evidence of malicious activity, it did find determine some server settings could unintentionally lead to a reduced security posture. Voatz reported to DHS that those concerns had been addressed.

Read the original:
Security Researchers Find Flaws in Online Voting System Tested in Five States - Mother Jones

Related Posts
Posted in Cloud Servers

Comments are closed.