Federal investigators looking into an alleged hacking attempt against the mobile app that West Virginia officials used to collect ballots from overseas voters in the 2018 election are determining if the incident was the result of computer-science students at the University of Michigan testing for vulnerabilities.
CNN reported Friday that the FBI is investigating “a person or people” who attempted to access the app — Voatz — as part of a cybersecurity course at University of Michigan, which is one of a handful of universities with a curriculum focused on election security.
Mike Stuart, the U.S. attorney for West Virginia, revealed the investigation last Tuesday, saying that during the 2018 election cycle his office was alerted by West Virginia Secretary of State Mac Warner that there was an “attempted intrusion by an outside party” to access the Voatz app. According to state officials and the app’s developers, Voatz is designed only to grant ballot access to qualified voters who go through multiple layers of biometric identification, including facial-recognition and fingerprint scanning.
But according to CNN, Warner’s office detected activity from IP addresses associated with the University of Michigan, prompting an investigation.
“The Voatz system worked as designed and intended,” Voatz chief executive Nimit Sawhney told StateScoop last week. “The attempt was detected, thwarted at the gate and reported to the authorities.”
Voatz has come under widespread scrutiny from the cybersecurity community, especially for encrypting the votes it collects using blockchain technology. A paper last year from the National Academies of Sciences, Engineering, and Medicine suggested a moratorium on all forms of internet-based voting. Other than an eight-page white paper published earlier this year, Voatz has been reluctant to have its platform more closely examined, though it does participate in the cybersecurity firm HackerOne‘s bug bounty program, which offers cash payments to people who identify programming flaws.
To date, Voatz has paid out $950 for six reported flaws, according to HackerOne.