ES / EN
ARTICLES &
EVENTS
Vulnerabilities in a voting app
could be exploited by hackers

Researchers at the Minnesota Institute of Technology (MIT) have discovered a number of vulnerabilities in a voting app that could be exploited by hackers looking to commit electoral fraud. Voatz, a mobile voting platform launched in 2016, was the subject of a reverse engineering project carried out with the aim of pinpointing security weaknesses. The researchers found that attackers could theoretically access information about users’ voting preferences and even modify or suppress their votes.

Online voting has sparked significant interest in the past few years as a vehicle for increasing voter participation and streamlining electoral processes. Voatz was deployed as a means of ballot casting at the 2016 Massachusetts Democratic Convention, the 2016 Utah Republican Convention and the 2018 West Virginia elections. Users download the app from the App Store and are then instructed to verify their identities by uploading a photo of their ID and video footage of their faces. Once registered, they can use the app to submit their voting preferences. A number of additional security features including end-to-end encryption and two-factor authentication purport to minimize the risks of hacking.

MIT graduate students Michael Specter and James Koppel carried out an analysis of the Voatz platform’s security under the supervision of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL). They reverse engineered the application and created a model of the server with which to conduct their research.

Their findings were alarming: An attacker who successfully hacked the server could view and/or modify a user’s ballot without arousing suspicion. Furthermore, traffic from internet service providers or unencrypted WiFi networks could be intercepted; potentially allowing hackers to establish how a user was intending to vote and prevent the ballot from being registered via a DDoS attack.

Voatz’s use of an external vendor to process ID verification also raises privacy concerns: An unsecured vendor platform runs the risk of data breaches by third parties. According to Specter, “Voatz’s privacy policy does talk about sending some information to third parties, [but] as far as we can tell the fact that any third party is getting the voter’s driver’s license and selfie isn’t explicitly mentioned.”

Specter and Koppel’s findings not only provide a robust defense for advocates of a paper-only voting system; they also call into question the feasibility of contracting private organizations to provide election software. Specter urges caution when using applications like Voatz that do not release source code. “When you have part of the election that is opaque, that is not viewable, that is not public, that has some sort of proprietary component, that part of the system is inherently suspect and needs to be put under a lot of scrutiny”.

However, he goes on to add that the founders of the app had “many good intentions”, despite the potential security risks to users’ data. Voatz’s website states that the company remains “committed to providing as much transparency as possible” and is actively engaging with the research community to help detect and patch any vulnerabilities. The hope is that mobile and internet voting platforms can be made even more secure in the future to facilitate citizen participation and further prevent the disenfranchisement of those unable to attend their local polling station.

At Soteria, we keep pace with all the latest evolutions in the digital threat landscape and offer a range of products designed to mitigate cybersecurity risks. Our SoteriaCODE solution allows you to assess the vulnerability of written-code programs so that you can enhance their security during the development phase rather than patching them later on. We also offer a comprehensive penetration testing platform that simulates common cyberattacks to help you detect and identify weaknesses in data systems and processes. Contact us today to find out more.

 

Source: http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213

Mobile voting applications are secure?
New study reveals the passwords hackers can easily guess
The coronavirus pandemic has exacerbated the risk of cyberattacks due to the huge number of people working from home on unsecured endpoint devices. If you’re concerned about data breaches, Soteria can help. Get in touch with us today for further information. Read more
CORONAVIRUS: CYBERSECURITY BEST PRACTICES
The number of workers doing home office has increased dramatically over the past month and is expected to continue rising. With remote working comes new challenges; not only in terms of logistics and communication, but also in relation to information and cybersecurity. Read more
Soteria in Cyber Security in the Age of Industry 4.0 Conference
Soteria was proud to hold a conference on Cybersecurity in the Age of Industry 4.0 in Torino, Italy. We presented CYWARIA, Soteria’s Next Generation Cyber Range, as a means to empower large companies in the face of cybersecurity threats. Read more
Cyber Arena - the Modern Battlefield
A new World War has been raging on an unseen battlefield, claiming casualties with greater ease than ever before.   This war has no clear battle lines and few rules of engagement. The enemy is invisible and there is no end in sight. At Soteria, we believe that education is the antidote to this insidious cyber war we have been fighting. Read more
Soteria on White-Hat Conference Colombia 13-14 of March
We were very proud to have participated in the cybersecurity conference in Bogota organized by the National Police of Colombia and the ESTIC (Escuela de Tecnologías de la Información y las Comunicaciones) and were delighted by the enthusiasm with which we were received. Read more
Hack of the Month: Using Wifi to "See"
At Soteria, we take cyber security seriously. We combat even the most cutting-edge privacy breaches to keep your personal information safe. New evidence proves that WiFi signals can show what’s going on behind closed doors Read more
Is Your Internet Router Under Attack?
Soteria wants you to know about your cybersecurity risks at home.  Have you heard about the router-attacking malware VPNFilter? Read more
A Safer Cyberspace in 2019
Soteria is helping organizations to prepare for future compliance and certification. Read on the upcoming regulations ENISA is formulating. Read more
The Big Hack: Tiny Chip, Huge Impact
Soteria's experts are always on the look-out for new risks. The concept of a hardware cyberattack is so potentially devastating and far-reaching that many cyber security experts didn’t believe it would be possible. How was it done? Can we avoid such risks in the future? Read more
CONTACT US