Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy

Shoddy code allegations are just FUD, software maker insists


Only a week after the mobile app meltdown in Iowa's Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia's 2018 midterm election.

They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state.

Based on their findings, published today in a paper [PDF] titled, "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections," researchers Michael Specter, James Koppel, and Daniel Weitzner conclude that internet voting has yet to meet the security requirements of safe election systems.

"We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot," their paper states.

"We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality."

Specifically, the researchers discovered that malware or some miscreant with root access to a voter's mobile device can bypass the host protection provided by mobile security software known as the Zimperium SDK.

The SDK, incorporated into the app, is designed to detect debugging attempts and efforts to modify the app. However, it can be disabled via the Xposed Framework and four lines of code, using a hooking utility to alter the application's control flow. After that, an attacker with root access can commandeer the app, for example altering the interface to divert votes, and can also leak ballot and personal data to an outside server.

That may sound far-fetched, because most people don't have malicious stuff with root access on their phones, but consider that if you wanted to rig an American election, and you were well organized, you could develop malware specifically customized to target Voatz and alter citizens' ballots. Even infecting just a few phones could be enough to swing a close-run race.

Plaintext

The boffins also found the app's networking implementation can expose details of a user's vote. The app, it's claimed, leaks plaintext metadata associated with candidates, which can then be compared to the length of the accompanying ciphertext to infer the chosen candidate's concealed name.
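
To make the length side channel concrete, here is an added example (not code from the paper, Voatz, or this article) that audits a ballot for length leakage and shows fixed-size padding closing it. The candidate names, the JSON message shape, the 16-byte AEAD overhead and the 64-byte padding block are all assumptions made for illustration.

```python
import json
from collections import defaultdict

AEAD_OVERHEAD = 16  # assumption: length-preserving AEAD with a 16-byte tag (e.g. AES-GCM)
PAD_BLOCK = 64      # assumption: every ballot message is padded up to a multiple of this

# Constructed sample ballot; these names are illustrative, not taken from any election.
CANDIDATES = ["Ann Lee", "Bartholomew Fitzgerald", "Cho Park", "Dominique Okonkwo-Reyes"]


def encode_plain(choice: str) -> bytes:
    """Serialize a vote with no padding, so message length tracks the candidate name."""
    return json.dumps({"vote": choice}, separators=(",", ":")).encode("utf-8")


def encode_padded(choice: str, block: int = PAD_BLOCK) -> bytes:
    """Serialize a vote, then pad to a block multiple (0x80 marker followed by zeros)."""
    body = encode_plain(choice) + b"\x80"
    return body + b"\x00" * (-len(body) % block)


def ciphertext_len(plaintext: bytes) -> int:
    """Length an on-path observer sees for one encrypted vote message."""
    return len(plaintext) + AEAD_OVERHEAD


def length_classes(candidates, encoder):
    """Group candidates by the ciphertext length their vote would produce."""
    classes = defaultdict(list)
    for name in candidates:
        classes[ciphertext_len(encoder(name))].append(name)
    return dict(classes)


def identifiable(candidates, encoder):
    """Candidates whose vote is uniquely determined by ciphertext length alone."""
    groups = length_classes(candidates, encoder).values()
    return sorted(names[0] for names in groups if len(names) == 1)


if __name__ == "__main__":
    for label, enc in (("unpadded", encode_plain), ("padded", encode_padded)):
        print(label, length_classes(CANDIDATES, enc), "identifiable:", identifiable(CANDIDATES, enc))
```

A ballot passes this audit only when `identifiable` returns an empty list, meaning every option falls into the same ciphertext-length class.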

What's more, though Voatz, the company behind the app, boasts its app data is secured by blockchain technology, the researchers say that when they examined the code, they found "no indication that the app receives or validates any record that has been authenticated to, or stored in, any form of a blockchain." And they found "no reference to hash chains, transparency logs, or other cryptographic proofs of inclusion."

Whatever blockchain implementation may exist, they conclude, occurs on the servers supporting the app.

Also, they express concern about the privacy of user data, because the app implements third-party services like identity-verification service Jumio and crash reporting service Crashlytics, in addition to Zimperium. And Jumio, they point out, integrates its own third-party, Facetec, to analyze the video selfies. The potential issue here is that these services may handle data insecurely or in a way that's not disclosed.

On Thursday, Voatz responded to the report in a blog post that "seems to avoid actually refuting any of the findings, and [concentrates] on vaguely attacking the research methods," as Matthew Green, the Associate Professor of Computer Science at the Johns Hopkins Information Security Institute, put it on Twitter.

The company, defending its app, contends it found "three fundamental flaws with [the researchers'] method of analysis, their untested claims, and their bad faith recommendations."

The app biz claims the researchers looked at an old version of Voatz, one that has since been updated at least 27 times. The company argues that the app research never connected to backend servers on Amazon AWS and Microsoft Azure, meaning it missed server-side security measures.

It also contends that the researchers' speculation about the app's backend "invalidates any claims about their ability to compromise the overall system" and undermines their credibility.

Voatz assails the researchers, asserting that their true goal is "to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."

Matt Blaze, professor of computer science and law at Georgetown University, observed that what's surprising is not that a mobile internet voting system has flaws, but that Voatz would claim otherwise.

"When someone like Voatz comes offering a 'secure online voting solution,' officials should react approximately as they would if someone suggests cold fusion as the basis for our national energy policy," he wrote in a Twitter post.

Or as the researchers conclude, "It remains unclear if any electronic-only mobile or internet voting system can practically overcome the stringent security requirements on election systems." ®
