New research published by the Massachusetts Institute of Technology (MIT) uncovered security vulnerabilities in a mobile voting application that was used during the 2018 midterm elections in West Virginia.
The mobile voting application, Voatz, has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot. The researchers, Michael A. Specter, James Koppel and Daniel Weitzner, say that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality.
"Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections," they note.
In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot through Voatz. Voatz has been used in federal, state, and municipal elections in Denver, Oregon, and Utah, as well as the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention.
According to an MIT report, after uncovering these security vulnerabilities, the researchers disclosed their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). The researchers, along with the Boston University/MIT Technology Law Clinic, worked in close coordination with election security officials within CISA to ensure that impacted elections officials and the vendor were aware of the findings before the research was made public. This included preparing written summaries of the findings with proof-of-concept code, and direct discussions with affected elections officials on calls arranged by CISA.
To read the full report and analysis, visit MIT.edu.