The voting app Voatz has come under increased scrutiny following a Feb. 13 report from Massachusetts Institute of Technology (MIT) researchers.
The report identified security vulnerabilities in Voatz, a voting app being used by multiple states to enable voting via smartphones. Specifically, MIT researchers say that hackers could compromise the app to alter individual apps and there are privacy issues for users.
In response to MIT’s report, Voatz published a blog on Feb. 13 saying that Voatz found “fundamental flaws with [MIT’s] method of analysis, their untested claims, and their bad faith recommendations.”
The MIT researchers released their own response to Voatz on Feb. 14 defending their research and challenging Voatz’s response.
In their report, the MIT researchers used the Android version of Voatz that was used in West Virginia’s 2018 midterm election. Voatz said that version is “at least 27 versions old at the time of their disclosure.”
The researchers countered that the app they used was “the most recent version of the Android app as of January 14, 2020.” The researchers did note that around the time their findings were submitted to the Cybersecurity and Infrastructure Security Agency (CISA) in January, Voatz submitted four new versions of the app to the Google Play store. MIT researchers further said that “nothing in the Voatz blog post has indicated how any of the later versions address the vulnerabilities we identify.”
Voatz said that since the “outdated” version of the app used by MIT was never connected to the Voatz servers, researchers were “unable to register, unable to pass the layers of identity checks to impersonate a legitimate voter, unable to receive a legitimate ballot and unable to submit any legitimate votes or change any voter data.” Voatz then argued that “this flawed approach invalidates any claims about their ability to compromise the overall system.”
Addressing this concern, MIT researchers argued that “Nothing done by the server – e.g., printed receipts, emailed receipts, or the use of a blockchain – changes this analysis, because the tampering will occur before the vote reaches this part of the process.” The researchers continued, “Attackers are able, through the exploits we describe, to manipulate the information that is recorded on the blockchain in just the same way as they can interfere with the ballot information itself.”
This is not the first time Voatz has come under scrutiny for security and privacy concerns. In a Nov. 7 letter, Sen. Ron Wyden, D-Ore., urged Secretary of Defense Mark Esper and National Security Agency (NSA) Director Gen. Paul Nakasone to conduct a cybersecurity audit of mobile voting app Voatz to “determine whether it can reliably protect the votes of U.S. servicemembers against foreign hacking.”
