Funnily enough, no, infosec bods aren't mad keen on W. Virginia's vote-by-phone-app plan

The US state of West Virginia plans to allow some of its citizens to vote in this year's midterm elections via a smartphone app – and its seemingly lax security is freaking out infosec experts.

Voters living overseas, including military personnel and their spouses, will, in theory, be able to install and use the Voatz mobile application to submit their ballots electronically over the internet. Voatz, founded in 2014, is a Boston-based startup that specializes in "mobile focused election voting and citizen engagement." It recently nabbed $2.2m in a seed funding round, and its software is available for Android and iOS.

West Virginia officials conducted a pilot project using Voatz with a handful of overseas voters in its primary elections earlier this year, and with that having been judged a success, they now want to expand the program for the November midterm elections.

A spokesperson for West Virginia's Secretary of State told The Register today officials are "aware" of the security concerns regarding Voatz, adding: "It's nothing we haven't considered before." We're told this pilot program will involve up to 10 of the state's 55 counties, which have to opt into the project. The previous test involved two counties.

According to state bureaucrats, Voatz uses a combination of blockchain ledgers and biometrics: a scan of the photo on your government ID has to match a selfie taken by your phone before a ballot can be cast, and the data is stored in a blockchain held on distributed backend servers. That's supposed to stop miscreants from voting as someone else, voting multiple times, tampering with tallies, and so on.

Voters participating in the midterms will still have the option to send in paper ballots and, judging by this week's response from the infosec community, that may be a good idea.

Criticisms

Security experts are not convinced the startup's system will be secure enough to ensure nobody can mess with the submitted election results, especially with Russian and other hackers taking a keen interest in America's democratic processes.

UK-based computer security bod Kevin Beaumont outlined on Monday a list of red flags that he spotted.

We're told the Voatz website needs patching: it is powered by an out-of-date version of the Apache web server on a box with an out-of-date SSH service and PHP installation. It also apparently exposes NTP, POP3, PHP3, and a 2009-era edition of Plesk to the internet. The site's database, hosted on Azure, has a remote administration panel exposed on port 8080 with no HTTPS protection, according to Beaumont.

This does not inspire confidence that Voatz can keep miscreants out of its servers, and prevent them from potentially meddling with election results.

Some of the Voatz source code also appears to have ended up on GitHub complete with Yodlee account login credentials and the keys to one of the upstart's MongoDB databases. Yodlee is used to identify voters' identities via their bank account details.

An earlier attempt to use Voatz in a Utah county election allegedly went awry, and officials had to fall back to paper ballots, according to the app's reviews.

Beaumont also argued that the security audits carried out on Voatz by external outfits were not particularly thorough, and one of the listed auditors has apparently claimed it hasn't had anything to do with the biz. Meanwhile, Unix systems administrator David Gerard has picked apart Voatz's use of a private blockchain, which is basically not much more than a single-user append-only database.

The United States needs some form of vetting process for online voting in elections. I’m a foreign dude with an avatar of a cowboy porg riding a porg dog on Twitter who appears to have done more investigation of the security implications of this than anybody. Bonkers, America.

— kevin (@GossiTheDog) August 6, 2018

Voatz told The Register the source code on GitHub is no longer used, and the MongoDB database in question was handled years ago by an intern. "Those are from a summer project which an intern worked on as a test project two-plus years ago," a spokesperson for Voatz said. "It doesn't have anything to do with our system deployed currently."

Voatz also disputed claims its systems are vulnerable and untested, adding that its use of a blockchain ledger is legit. It has popped more information about its West Virginia project on its website, here and here.

"After authentication, the Voatz app encrypts the voter’s identity, ties the phone to the voter via their fingerprint, and then deletes all identifying information (photo, identity record)," the biz explained.

"This process ensures that any identifying information is not stored. Once authenticated, voters can vote on mobile ballots they receive from their jurisdiction. If, for any reason, the voter falls off the voter registration rolls, the jurisdiction will no longer send a mobile ballot and the voter must restart the process of registration and authentication.

"The Voatz app is built with security measures embedded in qualified smartphones and employs blockchain technology to ensure that, once submitted, votes are verified and immutably stored on multiple, geographically diverse verifying servers. Before going into the pilot, Voatz submitted the smartphone voting app to an independent security firm for review. Beyond the pilot, the Voatz voting app undergoes frequent rigorous 'red-team' testing by independent, qualified third parties."

One big worry is the upstart's staggering reliance on its blockchain backend.

The idea is that election officials send a token to each voter, which is credited to the ledger in their smartphone app.

Then, when a vote is submitted over the internet from the application, Voatz's servers verify the action, and if all is well, the token is debited from the voter's ledger and credited to the selected candidate's ledger. Finally, you total up all the tokens, and the winning candidate is the one with the most.

This verification of the submitted votes, and assignment of tokens, relies on the backend servers being clean and not compromised by hackers – otherwise ballot tokens could end up in the wrong ledgers, and Voatz is not particularly open about how its system works under the hood.

Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology in Washington, DC, summed it up to CNN: "Mobile voting is a horrific idea. It's internet voting on people's horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote." ®