Voatz mobile voting app vulnerable, MIT researchers say

On the heels of the voting app debacle during the Iowa Democratic caucuses, researchers at MIT have found multiple security- and privacy-related vulnerabilities in an online voting app, Voatz, used in West Virginia during the 2018 midterm elections and on track to be used again for the 2020 contests, according to a security audit released this week.

West Virginia stepped out in front of other states by being the first to use an online voting app, but Voatz, which now also has been used in federal, state and municipal elections in West Virginia, Denver, Oregon, and Utah – and in the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention – “has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” the MIT audit found.
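The audit's phrase "completely passive network adversary" describes an attacker who never touches the traffic, only measures it. The article does not say which side channel the researchers used, so the following is an added, constructed example (not Voatz's code and not the MIT researchers' attack) of the most common class: a length-preserving cipher over an unpadded ballot leaks the candidate through ciphertext size alone, and fixed-size padding closes the leak. The candidate list, voter id, JSON ballot format, HMAC-SHA256 counter-mode stream cipher and 256-byte block are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

# Constructed candidate list and voter id: illustrative, not real election data.
CANDIDATES = ["Ann Lee", "Bartholomew Fitzgerald", "Cy Q"]
VOTER_ID = "voter-0001"
BALLOT_BLOCK = 256  # assumed fixed wire size for a padded ballot, in bytes


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in length-preserving cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream. Confidential, but len(ciphertext) == 12 + len(plaintext)."""
    nonce = os.urandom(12)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:12], ciphertext[12:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def encode_ballot(voter_id: str, candidate: str) -> bytes:
    """Hypothetical ballot wire format: the candidate name is in the plaintext that gets encrypted."""
    return json.dumps({"voter": voter_id, "choice": candidate}).encode()


def pad_ballot(msg: bytes, block: int = BALLOT_BLOCK) -> bytes:
    """Length-prefixed, zero-filled padding to a fixed block so every ballot is the same size."""
    if len(msg) + 2 > block:
        raise ValueError("ballot too large for fixed block")
    return len(msg).to_bytes(2, "big") + msg + b"\x00" * (block - 2 - len(msg))


def unpad_ballot(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2 : 2 + n]


def ciphertext_length_per_candidate(key: bytes, voter_id: str, padded: bool) -> dict:
    """What a passive observer can tabulate ahead of time: wire length for each possible choice."""
    lengths = {}
    for c in CANDIDATES:
        ballot = encode_ballot(voter_id, c)
        if padded:
            ballot = pad_ballot(ballot)
        lengths[c] = len(encrypt(key, ballot))
    return lengths


def infer_vote(lengths: dict, observed_len: int) -> list:
    """Passive adversary's inference: the candidates consistent with one observed packet size."""
    return [c for c, n in lengths.items() if n == observed_len]


def main():
    key = os.urandom(32)
    for padded in (False, True):
        table = ciphertext_length_per_candidate(key, VOTER_ID, padded)
        actual = encode_ballot(VOTER_ID, "Cy Q")
        wire = encrypt(key, pad_ballot(actual) if padded else actual)
        # Unpadded: the observer narrows the vote to exactly one candidate.
        # Padded: every candidate is consistent with the observed size.
        print("padded" if padded else "unpadded", "->", infer_vote(table, len(wire)))


if __name__ == "__main__":
    main()
```

The observer never needs the key: the cipher is doing its job on content, and the leak is entirely in metadata. The fix is not a stronger cipher but a wire format in which every ballot, whichever candidate it names, occupies the same number of bytes (and, for a complete defence, is sent with the same timing).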

Privacy issues abound as well through the use of third-party services to provide functionality crucial to the app, which targets overseas military and other absentee voters.

“The app itself relies on third party services for user identification, and while modern applications often employ third party services, jurisdictions globally are enacting privacy regulations like GDPR and CCPA in an effort to better inform their citizens on how their data is being collected, processed and retained,” said Tim Mackey, principal security strategist at Synopsys CyRC. “When you consider that casting a vote is an incredibly personal decision for many, collecting excessive voter data or disclosing any aspect of the voting process to a third party should be minimized.”

Voatz took issue with the researchers’ findings, noting that they used an aged Android version of the mobile app (“at least 27 versions old”) that was never used in an election; never connected the app to Voatz servers hosted by Amazon AWS and Microsoft Azure; and “fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components,” according to a blog post.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz

“As with the Iowa Caucus app, the Voatz app operates with an assumption that lack of transparency around its operations is a positive trait,” said Mackey. “MIT researchers found that the Voatz development team employed custom encryption strategies which primarily served to obfuscate data flows, but worse enabled a situation where it would be possible to identify which candidate a user voted for.”

The MIT academics point out that they are not the first to raise issues about the app’s security, but that their report represents the first audit of Voatz and that the results paint a bleak picture of the security of online voting. “Our findings serve as a concrete illustration of the common wisdom against internet voting, and of the importance of transparency to the legitimacy of elections,” they said.

Experts caution that securing online voting technologies is paramount to safe and trusted elections. “When you have a significant portion of the technical sector calling for the use of paper ballots in order to ensure the integrity of election results, it’s a good indicator that there’s a real problem to address,” said Tim Erlin, vice president, product management and strategy at Tripwire. “We simply cannot ignore the clear security risks presented by these new voting technologies. The research is clear and the necessary level of assurance isn’t.”
