Written by Brett Winterford Apr 13, 2020 | CYBERSCOOP
A common adage in information security is that most startups dont hire their first full-time security engineer until theyve got around 300 employees.
If an app only stores public data and has no need to authenticate users, that might not present much of a problem. But when an app needs to be trusted to protect the confidentiality of a persons political preference, its something else entirely.
Its why Tusk Philanthropies an organization devoted to bringing mobile voting to the masses is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff.
The team at Trail of Bits a boutique software security firm based in New York was commissioned by Tusk in late 2019 to conduct a thorough white box security test of mobile voting app Voatz, an app used in five states. The testers would have full access to all the source code and documentation they required to discover security gaps and recommend fixes.
The code looked sound, as it was clearly written by highly competent engineers. But after waiting over a week for technical documentation they requested from the startup, the Trail of Bits team had nothing to work off beyond a single page that amounted to a security policy.
After several meetings it became clear why we werent getting the documents we wanted, says Trail of Bits CEO Dan Guido. The person preparing them was the CEO.
The companys two co-founders were responsible for maintaining its substantive code base while straddling the complexities of running the Voatz business.
In total, Trail of Bits published 79 vulnerabilities in the app, a third of them high-severity. While some of the more avoidable misconfigurations found in the code became a source of mockery, the folly of any one bug was missing the point, according to Evan Sultanik, the lead tester on the project.
Im less concerned about finding hard-coded encryption keys copied from Stack Overflow in the code base, he told Risky Business. Im more worried that those keys were still in the code base since the last time it was used in 2018. There was a lot of evidence that this company is moving very, very fast and trying to keep up with the new requirements of each new election the app is used in. They are developing features on the fly.
With elections in the United States run and governed separately by each state, the functional requirements for any given voting system vary dramatically. None of the pilots are large enough to generate any meaningful revenue.
All the commercial electronic voting vendors will face the same time and resource constraints, Guido said. Software security and cryptography expertise is rare and expensive. I wish I had more of them.
He credits Tusk Philanthropy for co-funding security reviews for election system startups, some of whom couldnt afford them until they get significant scale. Tusk is doing so with the hope of eventually convincing the world that mobile apps will prove a safe, secure and convenient solution to voting systems that disenfranchise large swaths of the population.
Security testing might be more affordable if there was a global or national standard to test every election app against. But today, none exists. Election security expert Harri Hursti said that there is no criteria that governs the accreditation of voting devices used at polling stations.
They are not tested, Hursti said. In many states, the vendors certify themselves against whatever standard they choose and the evaluators are commissioned by the vendors.
Hursti has spent the better part of 20 years shining a light on the lax security in the voting systems. He co-founded the DEF CON Voting Village in which hackers are encouraged to try and break voting machines picked up off eBay and in government surplus auctions. Hes also been featured in two HBO documentaries Hacking Democracy and Kill Chain.
Hursti credits California and Ohio for setting a tougher testing criteria, but adds that testing spends a disproportionate amount of effort on safeguarding against a voter being electrocuted at the polling place compared to securing the data they submit.
Even with the bar as low as you could set it, there is no meaningful security testing, he said. It doesnt exist.
The federal government does maintain voluntary guidelines for voting machines in the polling place. But these have traditionally covered just about every aspect of the device apart from its security characteristics. A second version released in draft in late February introduced basic requirements around access control, data protection and detection and monitoring.
The revised standard emphatically states, for the first time, that no device or component of an election system should use external network connections. But it excludes any device that allows voters to mark a ballot outside a polling place, leaving very little guidance for election officials that wish to run remote elections.
Hursti believes that a set of federal standards written by security professionals at a body like the National Institute of Standards and Technologies and other election officials should be made mandatory. But he isnt holding his breath.
There is a strong feeling that any federalization of elections is unacceptable even in areas where it makes sense, he said. CISA is offering a lot of free services and tools to the states to help them secure the elections. There are a number of states that refuse to take free help, because their attitude is that this has to remain a state issue.
One of the key selling points for the Voatz app was that it would use the properties of decentralized blockchain to record a voters preference in some immutable yet auditable way.
This was what captured the attention of Mike Specter, a Ph.D. student at Massachusetts Institute of Technology who, unbeknownst to Trail of Bits, had started reverse engineering the Voatz app with one of his peers, with nothing guiding them but their own curiosity.
As academics wed previously explored all the theories of how you might use the blockchain to solve problems at the ballot box, he said. And our conclusion before we had ever studied any implementations in great details was that even at a theoretical level, a blockchain doesnt solve the core technical issues related to voting that would make elections more secure, and could in fact introduce further vulnerabilities.
No matter where their research led, Specter would always return to a basic problem: Couldnt someone just hack your phone and get the key? So why does any of this other stuff matter? The underlying problem is that consumer-grade devices are not that secure and dont stand up to the sort of adversaries that have the capability of buying zero-days and going after devices en masse. There has been insane amounts of losses from digital currency that is inaccessible due to people losing their keys or having their keys stolen.That logically led us down the path of asking ourselves what Voatz was doing, seeing as they make claims to use the blockchain to great effect.
Specter and fellow Ph.D. student James Koppel conducted a two-week black box study of the Voatz app. Without access to the Voatz source code, server or documentation, the two students had to painstakingly reverse-engineer the app to understand how it functioned.
As far as we could tell at the time, no one had ever publicly released a security review of Voatz, Specter said. Any publicly available audits didnt seem like audits in the computer security sense, and more so audits in the user testing sense. The fact the app works as intended is not the same as testing for what an adversary can do with this thing. There was also no whitepaper to explain what their architecture was. They talked of it including a mixnet, hardware-based key storage and lots of other security attributes that put together, you could hallucinate a number of these schemes, but we could find no evidence of it. We started pushing on it and it kept getting a little more weird.
Tellingly, the duo tapped into some of the same misconfigurations and missing features that the Trail of Bits study would later document. In the case of two young Ph.D. students, Voatz was confident it could refute their findings. If they hadnt seen the full picture, its founders reasoned, how could they know whether it was secure?
Specter has huge respect for election officials and the very difficult challenges they face. But he urges them not to be swayed by the big buzzwords like blockchain and AI. They will get far better results if vendors are simply forced to be transparent. They should be held to stronger testing regimes and for their source code to be open for analysis. He remains hopeful that a more rigorous set of security requirements enforced by one or more larger states will become a de facto standard for others to follow.
Jennifer Morell, expert adviser to the Cybersecurity and Infrastructure Security Agency agrees that online voting solutions are not ready for use in the November general election, but also hopes the academic and technology communities will keep pushing the boundaries to find workable solutions for remote voting.
I understand all the security issues around internet voting, but we should always be exploring and pushing for better ways to do this, she told Risky Business. Were not ready for November, but well before the next election we need to sit down with clarity and think about how to solve this together.
The most promising technology that might be applicable to remote marking of ballots would be homomorphic encryption, a form of cryptography in which computation on ciphertext produces the same result as computation on plaintext.
If homomorphic encryption was performant, Hursti says, it could preserve the privacy and secrecy attributes required for elections without compromising on auditability.
Today, homomorphic encryption is used in academic papers more so than in practice. To complicate matters, laws in some states insist that the common person has to be able to understand how votes are counted and how the election is ordered with no special training and tools.
We are lacking fundamentals, Hursti says. We cant lock the 10 smartest people in the world in a room and expect to solve the problem. This is a problem well need to think about for the next 40 years. The good news is [that] if you solve problems like this for elections, you would likely greatly improve the security of a lot of other applications.
There are lots of areas where more security research is more urgently needed, he said. How do we improve the security and usability of online voter registration? How do we improve election night reporting systems?
Guido agrees that some big leaps need to be made before allowing untrusted consumer systems to be used for remote marking of ballots.
There needs to be funding available for fundamental research, he said. The Election Assistance Commission with its two newly appointed security staff is not currently equipped to provide the step-change required. Guido speculates that considering the important nation-building work undertaken by the Department of Defense and Department of State in the aftermath of foreign conflicts, some of these larger bodies may have the right incentives and resources to contribute.
Election security is a hard problem, thats why Im attracted to it, Guido said. But its not an intractable problem. It feels to me like there are too many entrenched interests that want to prevent new entrants in voting technology. We need to bowl over that opposition if were to get this right. As a security community, we need to come at this problem as engineers and do more than just point out flaws. We need fundamental research to be funded and made available as a public resource.
Brett Winterford is an editor with Risky Business. This post was reported by and originally appeared on Risky.Biz, and was produced with support from the William and Flora Hewlett Foundation. You can read part one here.
- IT spending on Internet connectivity, security to rise in India: Report - Business Insider India - July 6th, 2020
- VPNs are the need-of-the-hour for safe and fast connections as we work-from-home - The Hindu - July 6th, 2020
- What is network security in the cloud computing era? - TechRadar - July 6th, 2020
- Revealed: How home router manufacturers dropped the ball on security - TechHive - July 6th, 2020
- Malaysia Internet of Things (IoT) Security Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Akamai Is an Overlooked Web Infrastructure Play. Its a Buy, Analyst Says. - Barron's - July 6th, 2020
- According to Latest Report on Internet of Things (IoT) Security Market to Grow with an Impressive CAGR - 3rd Watch News - July 6th, 2020
- Enterprise Firewall Market Overview and Regional Outlook with Research Study 2019 2026 - 3rd Watch News - July 6th, 2020
- How Have I Been Pwned became the keeper of the internets biggest data breaches - TechCrunch - July 6th, 2020
- Global Internet of Things (IoT) Security Market Trends, Opportunities, Key Players, Growth, Analysis, Outlook & Forecasts To 2026 - Daily Research... - July 6th, 2020
- WISeKey develops WIShelter Covid-19 secured smartphone app, using digital IDs and blockchain protocols, to certify users that are not infected with... - July 6th, 2020
- Cryptocurrencies Adding to the Safety and Security in the UK Gambling Industry - London Post - July 6th, 2020
- Voice recordings from domestic violence alerting app exposed on the internet - Security Boulevard - June 30th, 2020
- The lack of women in cybersecurity puts us all at greater risk - The Next Web - June 30th, 2020
- Cascading Security Through the Internet of Things Supply Chain - Lawfare - June 30th, 2020
- How to Build the Right Security Assessment - Security Boulevard - June 30th, 2020
- Apple may have just changed a key part of how the internet works - TechRadar - June 30th, 2020
- Indians most concerned about identity theft - Fortune India - June 30th, 2020
- Deeper Connect Mini: Decentralized, Private and Secure Internet for the People, launching June 30th on Indiegogo. - Yahoo Finance - June 30th, 2020
- Internet of Things (IoT) Security: Technologies and Global Markets - Yahoo Finance - June 30th, 2020
- Could Donald Trump claim a national security threat to shut down the internet? - Brookings Institution - June 30th, 2020
- Internet of Things Security Market Strategic Insights 2020 with analysis of Leading players: Check Point Security Software Technologies, Cisco... - June 30th, 2020
- Global IT Security Market is accounted for xx USD million in 2019 and is expected to reach xx USD million by 2025 growing at a CAGR of xx% : Blue... - June 30th, 2020
- Internet of Things (IoT) Security Market Size, Share, Growth, Revenue, Global Industry Analysis and Future Demand |Globalmarketers.biz - Cole of Duty - June 30th, 2020
- Surge in encrypted malware prompts warning about detection strategies - SecurityBrief Europe - June 30th, 2020
- NexTech AR to supply its video conferencing and virtual events platform to Dallas Independent School District - Proactive Investors UK - June 30th, 2020
- Dutch people are least concerned about safety, survey reveals - IamExpat in the Netherlands - June 30th, 2020
- Only 31% of Americans concerned with data security, despite 400% rise in cyberattacks - TechRepublic - June 24th, 2020
- WatchGuard Technologies Report Finds Two-Thirds of Malware is Encrypted, Invisible Without HTTPS Inspection - GlobeNewswire - June 24th, 2020
- How To Turn Off Firewall In Windows And Mac - Ubergizmo - June 24th, 2020
- OTF's Work Is Vital for a Free and Open Internet - EFF - June 24th, 2020
- Microsoft acquires CyberX to bolster Azure IoT security - Internet of Things News - IoT Tech News - June 24th, 2020
- Partner Content: ESET and Spire Technology on why you need a Password Manager - PCR-online.biz - June 24th, 2020
- Internet of Things (IoT) Security Market to Witness Robust Expansion Throughout the Forecast Period 2020 2025 - 3rd Watch News - June 24th, 2020
- Google is on a mission to stop you from reusing passwords - The Verge - June 24th, 2020
- Marking the 30th Anniversary of the Internet and Cybersecurity Treaty - CircleID - June 24th, 2020
- The Cyberlaw Podcast: Using the Internet to Cause Emotional Distress is a Felony? - Lawfare - June 24th, 2020
- DDoS Protection Market 2020 | How The Industry Will Witness Substantial Growth In The Upcoming Years | Exclusive Report By MRE - Cole of Duty - June 24th, 2020
- Julian Assange Extradition and the Freedom of Bitcoin Bitcoin... - Bitcoin Magazine - June 24th, 2020
- How to become a web developer? - The Tribune - June 24th, 2020
- Frost & Sullivan Report Finds BlackBerry Solutions Address 96% of the Enterprise Threat Landscape - PRNewswire - June 24th, 2020
- EAC to evaluate testing and certification of non-voting equipment - Politico - June 24th, 2020
- Global IT Security Spending Market Projected to Reach USD XX.XX billion by 2025- Check Point Software Technologies, Cisco Systems, EMC, Fortinet,... - June 24th, 2020
- OPAQ Webinar to Share Lessons Learned and Best Practices from Zero Trust Migration Project with TTX Company - Business Wire - June 24th, 2020
- Global Internet of Things (IoT) Security Technology Market 2020 Analysis, Types, Applications, Forecast and COVID-19 Impact Analysis 2025 - NJ MMA... - June 24th, 2020
- Put Your Risk on Mute: Using PKI to Simplify Remote Workforce Security - Hashed Out by The SSL Store - Hashed Out by The SSL Store - June 24th, 2020
- NetNumber Expands Industry Recognized Signaling Firewall to Protect SIP Connections - GlobeNewswire - June 24th, 2020
- How to fight back against Covid-19 scams - Global Banking And Finance Review - June 24th, 2020
- What Will The Crypto Market Look Like In A Post COVID-19 Economy? | Coin Insider - Coin Insider - June 24th, 2020
- US: Congress Should Back Open Technology Fund - Human Rights Watch - June 21st, 2020
- David Pratt: Will the next global pandemic take place online? - The National - June 21st, 2020
- Global Internet of Things (IoT) Security Industry Market Insights, Opportunity, Analysis, Market Shares & Forecast 2020 2027 - 3rd Watch News - June 21st, 2020
- Facial recognition to play key role in travel reopening as biometrics industry weighs social responsibility - Biometric Update - June 21st, 2020
- 'IT Act does not protect freedom of speech' - The Sunday Guardian - June 21st, 2020
- In Depth Analysis and Survey of COVID-19 Pandemic Impact on Global Distributed Denial Of Service (DDoS) Protection Market 2020 Key Players A10... - June 21st, 2020
- Cyber Liability Insurance Market (USD 4.6 Billion) Will Grow At A CAGR of 11.12% During Forecast Period 2020-2025 (Impact Analysis of COVID-19) - 3rd... - June 21st, 2020
- Internet of Things Security Market research report presents a thorough study on the overall market by Application Forecast To 2020 - Surfacing... - June 21st, 2020
- Global Internet of Things (IoT) Security Product Market 2020 SWOT Analysis & Key Business Strategies by Leading Industry Players and Forecast 2025... - June 21st, 2020
- Knoxville still quiet on ransomware attack and what's being done to fix it - Knoxville News Sentinel - June 21st, 2020
- Indias digital workforce needs secure software. Testing, not banning apps, is the answer - ThePrint - June 21st, 2020
- Bolton book can be released, but conduct 'raises grave national security concerns' - ABC News - June 21st, 2020
- Broadband Connection Disconnected: Things You Can Do To Fix It - TelecomTalk - June 21st, 2020
- Former Google CEO Eric Schmidt says there's 'no question' Huawei routed data to Beijing - CNBC - June 21st, 2020
- Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More - WIRED - June 21st, 2020
- Internet Security Software Market: Qualitative Analysis of the Leading Players - News by aeresearch - June 11th, 2020
- Global Internet Security Market 2020 by Manufacturers, Size, Development Analysis, Applications and Forecast to 2025 - Cole of Duty - June 11th, 2020
- Internet Security Software Market 2019 Break Down by Top Companies, Countries, Applications, Challenges, Opportunities and Forecast 2026 - Cole of... - June 11th, 2020
- Internet Security Software Market Impact Of Covid-19 And Benchmarking. - Personal Injury Bureau UK - June 11th, 2020
- Drivers is Responsible to for Increasing Internet Security Software Market Share, Forecast 2027 - Cole of Duty - June 11th, 2020
- Webroot Internet Security with Antivirus Protection Software | 3 Device | 1 Year Subscription | PC Download - The Report - June 11th, 2020
- Endpoint Security Market to Cross US$ 10,026 MN by 2026, Growing Adoption of Work from Home Services to Favor Growth: Fortune Business Insights -... - June 11th, 2020
- Internet of Things (IoT) Security Market 2019 Break Down by Top Companies, Countries, Applications, Challenges, Opportunities and Forecast 2026 - Cole... - June 11th, 2020
- Yukon's Gurdeep Pandher tries to spread some joy on social media - Lindsay Advocate - June 11th, 2020
- Microsoft Windows users in UAE advised to install security updates - Khaleej Times - June 11th, 2020
- Clear guidelines for remote work will boost security and control access - TechRepublic - June 5th, 2020
- Mozilla Funds Meething to Help Fix the Internet - GlobeNewswire - June 5th, 2020
- The Internet of Bodies is here. This is how it will change our lives - World Economic Forum - June 5th, 2020
- Crowdstrike CEO explains how the future of remote work and security will look - CNBC - June 5th, 2020
- Mocana Recognized as Industry Leader in Cybersecurity and the Industrial Internet of Things - GlobeNewswire - June 5th, 2020
- SC Awards Europe 2020 - CISO/CSO of the Year - SC Magazine UK - June 5th, 2020