Audit finds severe vulnerabilities in Voatz mobile voting app
An extensive audit published Friday of Voatz, the mobile app that’s been used to collect live ballots from overseas voters in multiple states since early 2018, revealed 16 “severe” technical vulnerabilities. These include sensitive user data being exposed to the company’s developers and improper use of cryptographic algorithms, a blow to a company that has staked its reputation on its use of blockchain technology.
The audit confirmed the findings revealed last month by researchers at the Massachusetts Institute of Technology who found, among other flaws, that Voatz’s use of third-party vendor to authenticate the identity of its users could compromise the anonymity of ballots the app collects.
But unlike other reviews of Voatz’s technology, including the MIT study, the new audit, which was prepared by the cybersecurity firm Trail of Bits, was authorized by the company and Tusk Philanthropies, the venture capital-backed foundation that’s been promoting online voting by funding pilot uses of Voatz around the United States for nearly two years.
Among the most glaring vulnerabilities Trail of Bits found was that Voatz had been storing authentication key passwords, which are required to release new versions of the app and could give an attacker an opening to masquerade as Voatz to distribute malware. Researchers also criticized Voatz for its reliance on unvalidated client data and weak security procedures, including a lack of insufficient continuous monitoring and risk-assessment plans.
The audit’s executive summary chalks up Voatz’s flaws as a result of the company’s rush to get its app to market.
“Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles,” it reads. “The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET” — a common data-request method — “information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development.”
‘Eternally grateful’
Unlike previous teams that have tried to pick apart Voatz’s technology, Trail of Bits had access to the company’s server and source code. But despite relying on a different methodology its team said it confirmed the findings of the MIT study, which was conducted with a reverse-engineered mock-up of Voatz’s system.
Voatz has continued to object to the MIT report, but Trail of Bits upheld key discoveries, including vulnerabilities that could allow a hacker to prevent users from accessing their ballots or preventing votes for certain candidates being transmitted back to the Voatz server to be counted.
One of the authors of the MIT report, Michael Specter, told StateScoop he is “eternally grateful” for the Trail of Bits audit.
“There’s a lot of things they had access to that we didn’t,” he said. “But as expected, there turns out to be a lot more vulnerabilities.”
In particular, Specter, a graduate student pursuing a doctorate in computer security, noted that Trail of Bits confirmed one of his own findings. Both reviews found that Voatz uses a third-party server to authenticate user uploads of driver’s licenses and other forms of identification without explicit notification, jeopardizing voter anonymity.
“This vulnerability would’ve allowed anyone to re-identify all voters and the way they cast their ballot,” he said.
Public inspection
According to Trail of Bits, Voatz has begun to address some of the vulnerabilities that were discovered, and the company says it’s trying to become more transparent, after being criticized for not letting third parties inspect its technology.
“We consider today to be an important milestone as part of our ongoing efforts to chart a new, forward approach to transparency in our elections infrastructure,” reads a post on Voatz’s corporate blog. “We recognize that transparency in our critical infrastructure is both desired and not always championed across the industry.”
The post goes on to state that more audits are in the works, including one by the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security unit that leads federal election-security efforts.
“We absolutely cannot take an election software company at their word,” said Specter. “Voting systems should be subject to public inspection before they’re used. We have no idea if or when these flaws [in Voatz] will be fixed.”
But the MIT report has already had some impacts. The office of West Virginia Secretary of State Mac Warner, who was Voatz’s earliest government adopter when he offered it to military and overseas voters in a May 2018 primary election, said last month that it will move its online-voting experiment to Democracy Live, which gives users the option of printing out ballots and mailing them home or submitting them electronically in a browser interface, though Specter called that latter feature “unfortunate.”
Like many other election-security advocates, Specter holds that hand-marked paper ballots offer the most reliability in ensuring that votes are casted and counted accurately. But the officials who’ve tried out online voting, he said, don’t always comprehend the complexity of these new technologies.
“I’m getting a Ph.D. from MIT and sometimes I don’t even get it all,” he said. “The people who are buying and using these tools, there is so much asymmetric information. It’s incredibly hard to understand, even for experts.”
