A voting app used in multiple states during the 2018 midterms elections to allow for more accessible voting has cyber vulnerabilities that could allow for votes to be changed or exposed, researchers at the Massachusetts Institute of Technology (MIT) found.
In a paper published Thursday, three MIT researchers found that Voatz had vulnerabilities that “allow different kinds of adversaries to alter, stop, or expose a user’s vote” and that the app also had several privacy issues due to the use of third-party services to ensure the app functioned.
The researchers found that if an individual were able to gain remote access to the device used to vote on the Voatz app, vulnerabilities could have allowed that person to discover and change the votes cast.
The researchers described their findings as being part of the first “public security analysis of Voatz” and noted that they used reverse engineering of the Android Voatz app to come to their conclusions.
The Voatz app was used during the 2018 midterms in some municipal, state or federal elections in West Virginia, Colorado, Oregon and Utah. The company allows voters to cast their votes via an app and was rolled out in West Virginia as a way for overseas military personnel and other voters unable to physically go to the polls to cast their votes.
It was also used during the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention. The Voatz app was not used during the recent Iowa caucuses, which were thrown into chaos when a separate app used by the Iowa Democratic Party for vote tabulation suffered a “coding issue” that slowed down the count.
Before going public with their findings, the MIT researchers contacted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in order to work with election officials impacted by the findings to address the vulnerabilities.
Voatz pushed back strongly against the findings, describing the research as “untested claims” and “bad faith recommendations.”
Voatz wrote in a blog post that it disputed three key portions of the research, including that the MIT researchers used an Android version of the Voatz app that was “at least 27 versions old” at the time of testing and that the app was never connected to Voatz servers, meaning the app tested would have been unable to change any votes or receive a real ballot.
The company also argued that their app gave users greater accessibility to voting and that the MIT researchers were working to “spread fear” around the election process.
“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” Voatz wrote.
The researchers pointed to the vulnerabilities they discovered as supporting the need to move away from online voting and back toward paper ballots, which cannot be hacked.
“This work adds to the litany of serious flaws discovered in electronic approaches, and supports the conclusion that the current standard — software independent systems using voter-verified paper ballots and Risk Limiting Audits — remain the most secure option,” the researchers wrote.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee who has pushed hard for movement on legislation to increase election security, tweeted Thursday that as a result of the findings around Voatz, “Congress needs to pass security standards to end the use of this unsafe technology.”
Wyden sent a letter to Defense Secretary Mark Esper and National Security Agency Director Paul Nakasone in November asking them to conduct a security audit of Voatz to ensure the safety of votes cast through the app by overseas military personnel. Wyden also sent a separate letter earlier this month to officials in Oregon urging them not to allow use of the Voatz app in the upcoming 2020 elections.
In the wake of the Iowa caucuses debacle, experts and officials alike have severely criticized the use of apps during the voting process, with the Democratic National Committee banning the use of the app built by Shadow Inc. that was used in Iowa from being used in other states.