Researchers at MIT say the voting app Voatz, which is being used by at least 4 states in the 2020 elections, has major security flaws that could allow an attacker to intercept and alter votes, while making voters think their votes have been cast correctly, or trick the votes server into accepting connections from an attacker.
Here’s the MIT research paper on Voatz.
Excerpt from Kim Zetter’s reporting for VICE:
An attacker would also be able to alter the user’s vote and trick the user into believing their vote was transmitted accurately, researchers from the Massachusetts Technology Institute write in a paper released Thursday.
The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system.
Read the full report at VICE NEWS:
‘Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws
[Kim Zetter Feb 13 2020]
Worth noting that in addition to today's MIT research warning of significant vulns in Voatz, we also have a DHS report that found no evidence of malicious activity but plenty of recs for improved security. Voatz hadn't previously made any reports public.https://t.co/4WEqslXXxp
— Kevin Collier (@kevincollier) February 13, 2020
Calling the app 'Voatz' didn't really inspire confidence to start with. https://t.co/D7AH36w99Z
— Martin SFP Bryant (@MartinSFP) February 13, 2020
Another reminder that in 2018 Voatz boasted on their website that Qualys provided a security audit. For Qualys they linked a free SSL certificate checker as proof they were secure (screenshot) which completely misunderstands third party security auditing. pic.twitter.com/zGKhAIT1gP
— Kevin Beaumont (@GossiTheDog) February 13, 2020
Today, the NYT covered research by @mspecter, @jimmykoppel, and @djweitzner into the security of Voatz, a mobile app that's been used for online voting in US elections:https://t.co/yXd2P6z3D3
This found serious issues, but they're just some of the many problems with @Voatz. 1/
— Eric Mill (@konklone) February 13, 2020
Election security is hard enough without snakeoil salesmen like Voatz trying to distract election officials into buying inherently defective products like Internet voting schemes.
— matt blaze (@mattblaze) February 13, 2020
You can tell more about the security of a product from the reaction by the vendor to a vulnerability than from the vulnerability itself. By this measure, Voatz has failed miserably. They have squandered any reason anyone might have had to trust them.
— matt blaze (@mattblaze) February 13, 2020
So Voatz did a press call this afternoon where they:
* Said paper was "riddled with holes"
* Didn't offer evidence of researchers' supposed malicious agenda
* Declined to name their outside auditors, citing terms of the NDA they wrotehttps://t.co/7xReuDtvFN
— Eric Geller (@ericgeller) February 13, 2020
When an MIT study showed Voatz e-voting software to be a security dumpster fire, the company apparently had the ingenious idea to attack the researchers and accuse them of being publicity hounds. https://t.co/6JtCeaKmfX
— Karl Bode (@KarlBode) February 13, 2020
[via techmeme.com]