{"id":17724,"date":"2020-02-13T18:50:17","date_gmt":"2020-02-14T02:50:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/02\/13\/news-11459\/"},"modified":"2020-02-13T18:50:17","modified_gmt":"2020-02-14T02:50:17","slug":"news-11459","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/02\/13\/news-11459\/","title":{"rendered":"MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/09\/cw_mobile_voting_by_inueng_and_filo_gettyimages_3x2_1200x800-100772605-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucas Mearian| Date: Thu, 13 Feb 2020 13:30:00 -0800<\/strong><\/p>\n<p>Elections officials in numerous states have piloted various mobile voting applications as a method of expanding access to the polls, but MIT researchers say one of the more popular apps has security vulnerabilities that could open it up to tampering by bad actors.<\/p>\n<p>The MIT analysis of the application, called <a href=\"https:\/\/voatz.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Voatz<\/a>, highlighted a number of weaknesses that could allow hackers to \u201calter, stop, or expose how an individual user has voted.\u201d<\/p>\n<p>Additionally, the researchers found that Voatz\u2019s use of Palo Alto-based vendor <a href=\"https:\/\/www.jumio.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Jumio<\/a> for voter identification and verification poses potential privacy issues for users.<\/p>\n<p>The study comes on the heels of this month&#8217;s trouble-plagued Iowa Democratic Presidential Caucus, which used <a href=\"https:\/\/www.computerworld.com\/article\/3519217\/iowa-caucus-chaos-likely-to-set-back-mobile-voting.html\">an online app to store votes<\/a> but failed to do so accurately because of a coding flaw and insufficient testing.<\/p>\n<p>Some security experts have long argued that the only 
secure form of voting is paper ballots.<\/p>\n<p>Voatz iPhone mobile voting application.<\/p>\n<p>The Voatz mobile voting application has been used in small pilots involving only about 600 voters total in Denver, <a href=\"https:\/\/www.computerworld.com\/article\/3322926\/w-va-says-mobile-voting-via-blockchain-went-smoothly.html\">West Virginia<\/a>, five counties in Oregon, <a href=\"https:\/\/www.computerworld.com\/article\/3410570\/utah-county-to-pilot-blockchain-based-mobile-voting.html\">Utah<\/a> and Washington State, where the main focus was on inclusivity for absentee voters living overseas.<\/p>\n<p>In response, Voatz called the MIT report \u201cflawed\u201d because it based its analysis on a long-outdated Android version of the app.<\/p>\n<p>\u201cHad the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on <a href=\"https:\/\/www.hackerone.com\/\" rel=\"nofollow noopener\" target=\"_blank\">HackerOne<\/a>, they would not have ended up producing a report that asserts claims on the basis of an erroneous method,\u201d Voatz stated in <a href=\"https:\/\/blog.voatz.com\/?p=1209\" rel=\"nofollow noopener\" target=\"_blank\">a blog post<\/a> today.<\/p>\n<p>\u201cWe want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,\u201d Voatz said.<\/p>\n<p>In 2018, <a href=\"https:\/\/www.computerworld.com\/article\/3322926\/w-va-says-mobile-voting-via-blockchain-went-smoothly.html\">West Virginia piloted<\/a> Voatz&#8217;s mobile voting app for resident service members and family living overseas who wanted to vote in the midterm general election.<\/p>\n<p>The West Virginia Secretary of State&#8217;s office pointed to a Department of Homeland Security security assessment of the 2018 Voatz 
pilots indicating that &#8220;no threat actor behaviors or artifacts of past nefarious activities were detected in the vendor\u2019s networks.&#8221;<\/p>\n<p>Audits of paper ballots created by the Voatz platform on election day also confirmed the results were accurate, according to the Secretary of State&#8217;s office.<\/p>\n<p>&#8220;We want to get the word out to media outlets like <em>Computerworld<\/em> to ensure WV voters that we are taking every possible precaution to balance election security and integrity with WV requirement to provide absentee ballots electronically to overseas, military and absentee voters living with physical disabilities,&#8221; Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said via email.<\/p>\n<p>The <a href=\"https:\/\/internetpolicy.mit.edu\/wp-content\/uploads\/2020\/02\/SecurityAnalysisOfVoatz_Public.pdf\" rel=\"nofollow noopener\" target=\"_blank\">MIT study<\/a>, however, underscored the need for Voatz\u2019s mobile app design to be more transparent because public information about the technology is \u201cvague\u201d at best.<\/p>\n<p>Voatz\u2019s platform uses a combination of biometrics, such as mobile-phone based facial recognition, and hardware-backed keystores to provide end-to-end encrypted and voter-verifiable ballots. 
It also uses blockchain as an immutable electronic ledger to store voting results.<\/p>\n<p>Voatz has declined to provide formal details about its platform, citing the need to protect intellectual property, the researchers said in their paper.<\/p>\n<p>In a blog post today, Voatz called the researchers\u2019 approach \u201cflawed,\u201d which \u201cinvalidates any claims about their ability to compromise the overall system.<\/p>\n<p>&#8220;In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers,\u201d Voatz said.<\/p>\n<p>The researchers also called Voatz out for reporting a University of Michigan researcher who in 2018 conducted an analysis of the Voatz app. \u201cThis resulted in the FBI conducting an investigation against the researcher,\u201d the MIT researchers said.<\/p>\n<p>It\u2019s not the first time Voatz has been criticized for not being more open about its technology. Last May,\u00a0computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, <a href=\"https:\/\/cse.sc.edu\/~buell\/blockchain-papers\/documents\/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf\" rel=\"nofollow\">published a paper<\/a> that criticized Voatz for not releasing any &#8220;detailed technical description&#8221; of its technology.<\/p>\n<p>\u201cThere are at least four companies attempting to offer internet or mobile voting solutions for high-stakes elections, and one 2020 Democratic presidential candidate has included voting from a mobile device via the blockchain in his policy plank,\u201d the MIT researchers said in their paper. 
\u201cTo our knowledge, only Voatz has successfully fielded such a system.\u201d<\/p>\n<p>Along with Voatz, <a href=\"https:\/\/democracylive.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Democracy Live<\/a>, <a href=\"https:\/\/votem.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Votem<\/a>,\u00a0<a href=\"https:\/\/secure.vote\/\" rel=\"nofollow noopener\" target=\"_blank\">SecureVote<\/a>\u00a0and\u00a0<a href=\"http:\/\/www.scytl.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Scytl<\/a> have all piloted mobile or online voting technology in various public or private balloting that included company stockholder and college board elections. Most recently, a <a href=\"https:\/\/www.computerworld.com\/article\/3516504\/seattle-joins-list-of-cities-trying-out-mobile-voting.html\">Seattle district piloted the Democracy Live technology<\/a>\u00a0in a board of supervisors election that was open to 1.2 million registered voters.<\/p>\n<p>Tusk Philanthropies, a nonprofit focused on promoting mobile voting as a way to increase voter turnout, has helped fund and promote Voatz and Democracy Live.<\/p>\n<p>In a statement to <em>Computerworld<\/em>, Tusk said it feels confident in the results of all the pilot elections because it conducted independent, third-party audits \u201cwhich showed that votes cast over the blockchain were recorded and tabulated accurately.\u201d<\/p>\n<p>\u201cWith that being said, we always welcome new security information and will work with security experts to review this paper,\u201d Tusk said. \u201cSecurity is an iterative process that can only get better over time. 
There is no room for error in our elections, especially when it comes to data leakage, compromised encryption, broken authentication, or denial-of-service attacks.\u201d<\/p>\n<p>Medici Ventures, the wholly-owned investment subsidiary of Overstock.com, has also backed Voatz, whose application has mainly been used to allow absentee voter service members and their families to cast their ballots via their smartphones from anywhere in the world.<\/p>\n<p>Jonathan Johnson, CEO of Overstock and president of Medici Ventures, responded in <a href=\"https:\/\/finance.yahoo.com\/news\/medici-ventures-issues-statement-support-143104384.html\" rel=\"nofollow noopener\" target=\"_blank\">a statement<\/a> to a <a href=\"https:\/\/www.nytimes.com\/2020\/02\/13\/us\/politics\/voting-smartphone-app.html\" rel=\"nofollow noopener\" target=\"_blank\"><em>New York Times<\/em> article<\/a>\u00a0about the MIT study, saying he believes the Voatz technology is responsible and safe.<\/p>\n<p>\u201cIt not only prevents voting fraud, but it also protects the privacy of each voter. The Voatz app even generates a paper ballot that can be audited to guarantee the fidelity of the vote,\u201d Johnson said. \u201cThis is, we believe, the right path forward to safe innovation in election technology. 
We should not let ourselves derail the future of voting.&#8221;<\/p>\n<p>Critics of mobile or online voting,\u00a0<a href=\"https:\/\/www.computerworld.com\/article\/3430697\/why-blockchain-could-be-a-threat-to-democracy.html\">including security experts<\/a>, believe it opens up the prospect of server penetration attacks, client-device malware, denial-of-service attacks and other disruptions \u2014 all associated with infecting voters&#8217; computers with malware or infecting the computers in the elections office that handle and count ballots.<\/p>\n<p>Jeremy Epstein, vice chair of the Association for Computing Machinery\u2019s US Technology Policy Committee (USTPC), has been a vocal critic of mobile voting platforms, including Voatz. He said the MIT study was \u201cvery thorough\u201d and demonstrates exactly what experts have been saying for years.<\/p>\n<p>\u201cInternet voting is risky. It&#8217;s no surprise that the Voatz system is vulnerable to many kinds of attacks, even to an attacker with no access to source code or other inside information,\u201d Epstein said via email. 
\u201cThe attacks demonstrated by MIT are well within the capabilities of nation-state adversaries who are interested in manipulating US elections, and such an adversary won&#8217;t publish their results as the MIT team has done, leaving us with an election that may be undetectably manipulated.\u201d<\/p>\n<p>The five-year-old Voatz slammed the MIT researchers for never connecting even the outdated app they used to the company\u2019s servers, which are hosted by Amazon AWS and Microsoft Azure.<\/p>\n<p>In the absence of connecting to the actual servers recording public votes, \u201cthe researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,\u201d Voatz said.<\/p>\n<p>Epstein retorted that Voatz&#8217;s comments \u201cdemonstrate that they don&#8217;t understand either the severity of the attacks or the way security works in general.<\/p>\n<p>\u201cAny election official using Voatz products would be well advised to cancel their plans, before a stealthy attack in a real election compromises democracy,\u201d Epstein said.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3527450\/mit-researchers-say-mobile-voting-app-piloted-in-us-is-rife-with-vulnerabilities.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/09\/cw_mobile_voting_by_inueng_and_filo_gettyimages_3x2_1200x800-100772605-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucas Mearian| Date: Thu, 13 Feb 2020 13:30:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Elections officials in numerous states have piloted various mobile voting applications as a method of expanding access to the polls, but MIT researchers say one of the more popular apps has 
security vulnerabilities that could open it up to tampering by bad actors.<\/p>\n<p>The MIT analysis of the application, called <a href=\"https:\/\/voatz.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Voatz<\/a>, highlighted a number of weaknesses that could allow hackers to \u201calter, stop, or expose how an individual user has voted.\u201d<\/p>\n<p>Additionally, the researchers found that Voatz\u2019s use of Palo Alto-based vendor <a href=\"https:\/\/www.jumio.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Jumio<\/a> for voter identification and verification poses potential privacy issues for users.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3527450\/mit-researchers-say-mobile-voting-app-piloted-in-us-is-rife-with-vulnerabilities.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11526,11070,11067,10554,5897,714],"class_list":["post-17724","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-blockchain","tag-emerging-technology","tag-government-it","tag-mobile","tag-privacy","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17724"}],"version-history":[{"count":0,"href":"http:\/\/w
ww.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17724\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17724"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}