Vulnerabilities in a voting app
could be exploited by hackers

Researchers at the Minnesota Institute of Technology (MIT) have discovered a number of vulnerabilities in a voting app that could be exploited by hackers looking to commit electoral fraud. Voatz, a mobile voting platform launched in 2016, was the subject of a reverse engineering project carried out with the aim of pinpointing security weaknesses. The researchers found that attackers could theoretically access information about users’ voting preferences and even modify or suppress their votes.

Online voting has sparked significant interest in the past few years as a vehicle for increasing voter participation and streamlining electoral processes. Voatz was deployed as a means of ballot casting at the 2016 Massachusetts Democratic Convention, the 2016 Utah Republican Convention and the 2018 West Virginia elections. Users download the app from the App Store and are then instructed to verify their identities by uploading a photo of their ID and video footage of their faces. Once registered, they can use the app to submit their voting preferences. A number of additional security features including end-to-end encryption and two-factor authentication purport to minimize the risks of hacking.

MIT graduate students Michael Specter and James Koppel carried out an analysis of the Voatz platform’s security under the supervision of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL). They reverse engineered the application and created a model of the server with which to conduct their research.

Their findings were alarming: An attacker who successfully hacked the server could view and/or modify a user’s ballot without arousing suspicion. Furthermore, traffic from internet service providers or unencrypted WiFi networks could be intercepted; potentially allowing hackers to establish how a user was intending to vote and prevent the ballot from being registered via a DDoS attack.

Voatz’s use of an external vendor to process ID verification also raises privacy concerns: An unsecured vendor platform runs the risk of data breaches by third parties. According to Specter, “Voatz’s privacy policy does talk about sending some information to third parties, [but] as far as we can tell the fact that any third party is getting the voter’s driver’s license and selfie isn’t explicitly mentioned.”

Specter and Koppel’s findings not only provide a robust defense for advocates of a paper-only voting system; they also call into question the feasibility of contracting private organizations to provide election software. Specter urges caution when using applications like Voatz that do not release source code. “When you have part of the election that is opaque, that is not viewable, that is not public, that has some sort of proprietary component, that part of the system is inherently suspect and needs to be put under a lot of scrutiny”.

However, he goes on to add that the founders of the app had “many good intentions”, despite the potential security risks to users’ data. Voatz’s website states that the company remains “committed to providing as much transparency as possible” and is actively engaging with the research community to help detect and patch any vulnerabilities. The hope is that mobile and internet voting platforms can be made even more secure in the future to facilitate citizen participation and further prevent the disenfranchisement of those unable to attend their local polling station.

At Soteria, we keep pace with all the latest evolutions in the digital threat landscape and offer a range of products designed to mitigate cybersecurity risks. Our SoteriaCODE solution allows you to assess the vulnerability of written-code programs so that you can enhance their security during the development phase rather than patching them later on. We also offer a comprehensive penetration testing platform that simulates common cyberattacks to help you detect and identify weaknesses in data systems and processes. Contact us today to find out more.



Mobile voting applications are secure?