A smartphone app that some Americans are using to vote in the 2020 presidential election has some serious security flaws, according to a new paper by researchers at the Massachusetts Institute of Technology.
The app, which was created by the Boston-based mobile voting company Voatz, is currently available to some overseas and military voters registered in states that allow for the electronic return of absentee ballots through fax and email. Counties in Utah, Oregon, and other states are giving military and overseas voters the additional option of casting ballots in the primaries and the presidential election through the Voatz app.
While paper ballots are widely considered the gold standard from an election security perspective, election officials say that option is not always available to overseas and military voters who live in remote areas without reliable and consistent postal service. And they say the Voatz app is more secure than other electronic ballot return options — especially email.
Today, @mspecter, @jimmykoppel, and @djweitzner released a detailed security analysis of Voatz, a blockchain-based Internet voting app that's used in West Virginia and other states. Their findings are devastating, https://t.co/3vBXE4RT5U. But Voatz has even more problems! 1/— J. Alex Halderman (@jhalderm) February 13, 2020
According to MIT researchers, though, the Voatz app is riddled with security vulnerabilities, including ones that could “allow different kinds of adversaries to alter, stop, or expose a user’s vote,” the researchers wrote in the paper released on Thursday. Those vulnerabilities are not believed to have been exploited.
The researchers also criticized Voatz for what they described as a lack of transparency around its app and systems.
“The biggest, the most important thing that I can say for election security is that the first thing that you should worry about is when things are opaque,” said Michael A. Specter, one of the report’s researchers, adding that Voatz hasn’t shared its source code or a detailed technical description of its product publicly — something the company has been criticized for in the past.
“When things are opaque — when you can't verify, when you can't see what the code is doing there is no way of vetting that it's doing the right thing.”
“When things are opaque — when you can't verify, when you can't see what the code is doing, there is no way of vetting that it's doing the right thing.”
Because they did not have full access to Voatz systems, MIT researchers said they had to take a black-box approach to their review. They reverse-engineered the app and re-created the company’s server to the best of their ability, using the information that was publicly available.
Following the conclusion of their review, MIT researchers shared their findings with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The agency notified officials in the states and localities where the app is expected to be used.
At least one county that signed up to use the app has since dropped out. Officials in Mason County, Washington, abandoned plans to use the Voatz app in the state’s primary, but not for security reasons, according to the county’s top election official.
Paddy McGuire, Mason County’s chief election official, explained the rationale for the move in an email last week to Matthew Masterson, a senior cybersecurity adviser in the Department of Homeland Security.
“Let me be absolutely clear. I have complete confidence in the Voatz software and technology,” McGuire wrote in the email to Masterson, which he shared with The World. McGuire went on to write that he was concerned about unfair media coverage of mobile voting initiatives.
Mason County, WA has pulled out of its Voatz pilot—but not because of security concerns.— Lydia Emmanouilidou (@lydiaemman) February 13, 2020
Here’s the letter the county’s top election official Paddy McGuire sent to DHS senior advisor on election security @mastersonmv last week: pic.twitter.com/1CnkgsLzDi
“We are monitoring the situation … The security/integrity of election is of utmost importance to us and all of our electorate.”
Jackson County, Oregon, says it's still planning to let overseas and military voters use Voatz in the state’s upcoming primary. “We are monitoring the situation … The security/integrity of election is of utmost importance to us and all of our electorate,” Jackson County Clerk Christine Walker wrote in an email to The World.
Election security experts say the report is significant because it is the first independent security review of the app to be made public. Voatz says its systems have been reviewed by third-party security firms, but the company has not shared any of the results.
In a blog post, Voatz said MIT’s report was flawed and that researchers reviewed an outdated version of the app. “The reality is that continuing our mobile voting pilots holds the best promise to improve accessibility, security and resilience when compared to any of the existing options available to those whose circumstances make it difficult to vote,” the Voatz blog post says.
Separately, on Thursday, NBC published a 2019 DHS analysis of Voatz it obtained. The DHS review noted the proactive security measures Voatz has taken, and identified multiple areas where the company’s security could be improved.