Just two weeks after the meltdown of the Iowa Democratic Party’s caucuses because of a mobile app, mobile apps and election security are in the news again, this time with a Pacific Northwest angle.
Voatz is a Boston-based mobile voting app maker “on a mission to make voting safer and more accessible.” Some counties in Washington and Oregon have used or are planning to use Voatz in primaries elections, including the 2020 election. King County Elections, who oversee elections for Seattle, currently do not plan to use Voatz. Mason County in Washington and Jackson and Umatilla Counties in Oregon are planning on using Voatz.
Three academic researchers at the Massachusetts Institute of Technology (MIT), Michael A. Specter, James Koppel and Daniel Weitzner, have just released a research paper that outlines numerous security and privacy concerns with the app. They consider these so serious that they say that their “findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.”
This report is notable because, despite reports of possible problems in the past, this is the first detailed, academic analysis. And it’s a thorough analysis. As the authors say, “we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a clean- room reimplementation of Voatz’s server and present an analysis of the election process as visible from the app itself.”
The authors outline in a simple chart (below) the key security and privacy problems they’ve found.
Put simply, the protections meant to ensure the confidentiality and integrity of the votes and voter information are flawed. As the authors put it, these can “allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot.”
In other words, attackers can see your vote, change your vote, even suppress your vote and you may never know.
In addition to the security issues with the app, the researchers call out another important area of concern: Voatz’s transparency and engagement with the security community, or the lack thereof.
Throughout the paper, the authors take Voatz to task for their lack of transparency and engagement with the broader security community. Regarding transparency they note:
Unfortunately, the public information about Voatz’s system is incomplete. Voatz’s FAQ, blog, and white paper provide only a vague description of their overall system and threat model…despite calls to release a more detailed analysis and concerns raised by many in the election security community, as well as elected representatives,, Voatz has declined to provide formal details, citing the need to protect their intellectual property.
Which they contrast with other security reviews of voting technology:
Methodologically, our analysis was significantly complicated by Voatz’s lack of transparency — to our knowledge, in previous security reviews of deployed Internet voting systems (see Switzerland, Moscow, Estonia, and Washington D.C), researchers enjoyed significant information about the voting infrastructure, often including the system’s design and source code of the system itself.
And in terms of engagement, they recall a recent incident where Voatz took a hostile stance towards security research that ultimately led to the FBI being called:
Worse, when a University of Michigan researcher conducted dynamic analysis of the Voatz app in 2018, the company treated the researcher as a malicious actor and reported the incident to authorities. This resulted in the FBI conducting an investigation against the researcher.
Within the world of security research, this kind of hostility is viewed negatively and is widely considered a way to ensure that security vulnerabilities are not reported to the vendor for fixing.
Voatz’s approach to vulnerability research can also be seen when looking at their public bug bounty program which shows only 9 resolved issues and a bounty of US$2,000 max. By comparison, Microsoft offers up to $15,000 for security bugs in its ElectionGuard program.
Voatz has responded to the report on their blog, calling into question the researchers’ methodology and blasting their “bad faith recommendations.” Regarding transparency and outreach, Voatz says that “[w]ith qualified, collaborative researchers we are very open” and also notes that they have worked with “nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne.” This last point appears at odds with their HackerOne page which lists thanks to 13 researchers, seven bounties awarded and nine resolved issues.
Voatz is already facing questions and concern about the security of its app in the Northwest. Senator Ron Wyden (D-OR) recently wrote a letter to Oregon election officials to express his reservations.
This latest report comes on the heels of another twist in the Iowa Democratic Party app: days after the caucuses, ProPublica released research from Vercacode, a Boston-based security company, that detailed numerous security issues with that app.
In an interview with Vice Motherboard, Alex Halderman, an export on election security and a professor of computer science at the University of Michigan, said the research appears to have been done “meticulously” and the findings “make Voatz seem like a sham.”
These findings are new: there’s not been time for election officials to take action. But the concerns outlined mean that the story around Votaz and concerns around mobile voting is only just beginning, both nationally and here in the Northwest. In a Tweet, Halderman pulls no punches on what he thinks should happen next: “In my view, based on MIT’s findings, no responsible jurisdiction should use Voatz in real elections any time soon. It will take major advances in security technology before Internet voting is safe enough.”
In my view, based on MIT’s findings, no responsible jurisdiction should use Voatz in real elections any time soon. It will take major advances in security technology before Internet voting is safe enough. 11/11
— J. Alex Halderman (@jhalderm) February 13, 2020