Researchers at the Massachusetts Institute of Technology said Thursday they’ve found security flaws in Voatz, the mobile app that since 2018 has been used to collect ballots from overseas voters in several states. According to a new technical paper, the researchers found bugs that could be exploited to “alter, stop, or expose how an individual user has voted.”
The researchers also found that Voatz’s reliance on a third-party vendor to authenticate the identity of its users raises potential privacy issues that could compromise the anonymity of ballots, which Voatz has previously said its technology ensures.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” Daniel Weitzner, the director of MIT’s Internet Policy Research Initiative and who supervised the research, said in a press release.
The research comes after several pilot projects by states and counties to use Voatz to increase participation by deployed military service members and other overseas voters, who have some of the lowest turnout rates in elections. So far, the app has been used by West Virginia; Denver County, Colorado; Utah County, Utah; and Oregon’s Jackson and Umatilla counties.
MIT said the discoveries in Thursday’s report were shared with the Cybersecurity and Infrastructure Security Agency, which oversees the federal government’s election-security efforts.
The research team, which was led by graduate students Michael Specter and James Koppel, said they were only able to conduct their research on the Voatz app itself, and not any of the underlying source code. But to test the app, Specter and Koppel “reverse-engineered” the app to build a mock-up of Voatz’s server. That server was never connected to Voatz’s system itself or any government organization that conducts elections, they wrote.
Specter and Koppel wrote that the resulting examinations of the app and their model server led them to find that an actor with remote access to a Voatz user’s device could discover or even potentially alter that person’s vote. They also found that by accessing the server, they could change votes as well.
“It does not appear that the app’s protocol attempts to verify [genuine votes] with the back-end blockchain,” Specter said in the MIT press release. “Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election. Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.”
But in a blog post Thursday morning, Voatz said the MIT paper is based on three “fundamental flaws,” accusing the researchers of making recommendations in bad faith. First, the company said, the researchers used an Android edition of its app that is at least 27 versions old, and not being used in elections. Voatz added that the current version of its app has been tested by nearly 100 independent researchers through a bug-bounty program run by the white-hat hacking firm HackerOne.
Voatz also said that because the app researchers used was connected to the company’s servers, which run on Amazon Web Services and Microsoft Azure, they could not actually register as a qualified voter or pass its layers of identity screening, which includes photos compared against government-issued identifications, and biometric thumbprints on an individual’s device.
The company also took issue with MIT’s mock server. “[I]n the absence of trying to access the Voatz servers, the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” the blog post states.
Voatz has rebuffed other recent criticism, including from Sen. Ron Wyden, D-Ore., who has asked officials in his home state to reconsider their upcoming use of the app, but whom Voatz accused of stoking “the fear of technology.” The company struck a similar tone Thursday, arguing that “the researchers and the community to which they belong have waged a systematic effort to dismantle any online voting pilots.”
But Wyden welcomed the MIT research, saying it confirms his misgivings about mobile app-based voting.
“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe,” Wyden said. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system.”
The MIT team says its work was rooted in previous warnings against online voting, which numerous other academic researchers and scientific collectives have argued is fundamentally insecure.
“Our findings serve as a concrete illustration of the common wisdom against internet voting, and of the importance of transparency to the legitimacy of elections,” they wrote.
CyberScoop’s Sean Lyngaas contributed reporting.