Only a week after the mobile app meltdown in Iowa’s Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia’s 2018 midterm election. They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state. Based on their findings, published today in a paper [PDF] titled, “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” researchers Michael Specter, James Koppel, and Daniel Weitzner conclude that internet voting has yet to meet the security requirements of safe election systems. “We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” their paper states. “We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.” Specifically, the researchers discovered that malware or some miscreant with root access to a voter’s mobile device can bypass the host protection provided by mobile security software known as the Zimperium SDK.
The SDK, incorporated into the app, is designed to detect debugging attempts and efforts to modify the app. However, it can be disabled via the Xposed Framework and four lines of code, using a hooking utility to alter the application’s control flow. After that, an attacker with root access can commandeer the app, to alter the interface for example to divert votes, and can also leak ballot and personal data to an outside server.
That may sound far-fetched, because most people don’t have malicious stuff on their phones with root access, consider that if you wanted to rig an American election, and you were well organized, you could develop malware specifically customized to target Voatz and alter citizens’ ballots. Even infecting just a few could be enough to swing a close-run race.
The boffins also found the app’s networking implementation can expose details of a user’s vote. The app, it’s claimed, leaks plaintext metadata associated with candidates, which can then be compared to the length of the accompanying ciphertext to infer the chosen candidate’s concealed name.
What’s more, though Voatz, the company behind the app, boasts its app data is secured by blockchain technology, the researchers say that when they examined the code, they found “no indication that the app receives or validates any record that has been authenticated to, or stored in, any form of a blockchain.” And they found “no reference to hash chains, transparency logs, or other cryptographic proofs of inclusion.”
Whatever blockchain implementation may exist, they conclude, occurs on the servers supporting the app.
Also, they express concern about the privacy of user data, because the app implements third-party services like identity-verification service Jumio and crash reporting service Crashlytics, in addition to Zimperium. And Jumio, they point out, integrates its own third-party, Facetec, to analyze the video selfies. The potential issue here is that these services may handle data insecurely or in a way that’s not disclosed.
On Thursday, Voatz responded to the report in a blog post that “seems to avoid actually refuting any of the findings, and [concentrates] on vaguely attacking the research methods,” as Matthew Green, the Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, put it on Twitter.
The company, defending its app, contends it found “three fundamental flaws with [the researchers’] method of analysis, their untested claims, and their bad faith recommendations.”
The app biz claims the researchers looked at an old version of Voatz, one that has since been updated at least 27 times. The company argues that the app research never connected to backend servers on Amazon AWS and Microsoft Azure, meaning it missed server-side security measures.
It also contends that the researchers’ speculation about the app’s backend “invalidates any claims about their ability to compromise the overall system” and undermines their credibility.
Voatz assails the researchers, asserting that their true goal is “to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
Matt Blaze, professor of computer science and law at Georgetown University, observed that what’s surprising is not that a mobile internet voting system has flaws, but that Voatz would claim otherwise.
“When someone like Voatz comes offering a ‘secure online voting solution,’ officials should react approximately as they would if someone suggests cold fusion as the basis for our national energy policy,” he wrote in a Twitter post.
Or as the researchers conclude, “It remains unclear if any electronic-only mobile or internet voting system can practically overcome the stringent security requirements on election systems.”