Security researchers are reporting flaws in a smartphone-based voting app that’s been used by military voters overseas and piloted for use domestically.
The vulnerabilities could allow nation-state hackers to view, block or even change smartphone ballots before they’re counted, according to a new paper written by three researchers at the Massachusetts Institute of Technology.
The app is designed by the company Voatz, whose technology has been piloted so far in West Virginia, Colorado and Utah.
“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said in the statement. “The researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
The report comes amid rising concern about the use of apps and online voting tools in the 2020 election following the failure of reporting tools in the Iowa caucuses.
Last year, Utah County, Utah, began using Voatz for disabled and military voters based overseas. In an interview, County Clerk Amelia Powers Gardner said Voatz made more sense than the previous system, which required remote voters to submit their ballots by email.
A review of Utah County’s implementation of Voatz — prior to the MIT report’s publication — did not uncover any problems, Gardner told CNN. Gardner said that in phone conversations with the MIT researchers, it became clear they preferred voting to be done the traditional way, by pencil and paper. But Gardner said that isn’t feasible for Utahns living abroad.
“I have a legal obligation to provide our military members overseas an electronic form of a ballot,” she said, “and if it’s not this, it’s email — which they agreed is not as secure.”
The researchers’ conclusions about security risks in the app were based on a reverse-engineered version of Voatz’s Android app, which they ran in a simulated environment. According to the study, a hacker who gains control of a smartphone with the app installed could interfere in the voting process by altering ballots or figuring out which candidate a voter supports.
“Which means they could stop your ballot if they knew you were going to vote for someone they didn’t like,” Mike Specter, one of the authors of the report, told CNN.
Other election security experts who have reviewed the MIT paper say it appears solid.
“This study from MIT appears to have been structured with care in the way that the analysis was conducted,” said Andrea Matwyshyn, an election security expert at Penn State University.
On a conference call with reporters Thursday, however, Voatz criticized the report’s methodology. Company executives said the researchers had used an outdated version of the software and that some of the issues they found had already been patched. Voatz also accused the researchers of making “hypothetical” claims based on their simulation, rather than having the app interact with an actual Voatz server.
“We already have this server available,” said Nimit Sawhney, Voatz’s CEO. “It’s to our public bug bounty program. Anybody who wishes to sign up, test the apps over there, against the real server with full functionality, is able to do that.”
The company declined to comment further.
While participating in the bug bounty program would allow researchers to verify how Voatz’s app interacts with the company’s servers, the law largely prohibits researchers from testing the servers themselves, said Eric Mill, a cybersecurity expert who has administered technology programs for the federal government.
“The fact that the app happens to talk to the server isn’t the same as giving permission to research the real server,” said Mill.
Critics say Voatz should be more transparent about its technology and those it has tapped to perform independent audits. They also say Voatz previously reported a University of Michigan researcher to the FBI for conducting similar tests of the technology, and the report’s authors cited that episode as a reason they did not contact the company directly.
They instead reported their findings to the Department of Homeland Security, which routinely acts as a clearinghouse for election integrity information.
Voatz said Thursday that the MIT researchers should have reached out to them, in spite of their concerns about Voatz’s handling of prior research attempts. It also said it has signed non-disclosure agreements that prevent the company from discussing many of its past audits, though it did acknowledge that DHS has done its own review.
The technology news site Coindesk said it obtained a copy of the DHS review and reported it on Friday, adding that while US officials found few major issues with Voatz, the review focused primarily on the company’s internal network and servers — not the app that was the subject of the MIT report.
The tension between Voatz and independent security experts is not surprising, Mill said. But he added that the trend in the industry in recent years has tended toward greater disclosure and openness, not less — making Voatz’s reaction to the report stand out. It also highlights a common misperception that greater secrecy leads to stronger security, he said.
“That basic feeling of security through obscurity, that you want to release as few details as possible to give your attacker as little information as possible, is a very common gut instinct for a lot of lay folks and in some cases by technologists,” said Mill. “It comes from fear and also maybe not understanding or appreciating the public’s role in ensuring defense.”