A new report by researchers at the Massachusetts Institute of Technology (MIT) and University of Michigan discusses the cybersecurity vulnerabilities associated with OmniBallot, a web-based system for blank ballot delivery, ballot marking and (optionally) online voting. 

Three states - Delaware, West Virginia and New Jersey - recently announced they would allow certain voters to cast votes using OmniBallot. Researcher Michael A. Specter at MIT and J. Alex Halderman at the University of Michigan reverse engineered the client-side e portion of OmniBallot, as used in Delaware, in order to detail the system’s operation and analyze its security.

"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," the researchers explain.

In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information— including the voter’s identity, ballot selections, and browser fingerprint— that could be used to target political ads or disinformation campaigns, the report says.

"Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter’s identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot. We recommend changes to make the platform safer for ballot delivery and marking. However, we conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection," the researchers claim. 

Brendan O’Connor, CEO of AppOmni a San Francisco, Calif.-based provider of Cloud Security Posture Management (CSPM) for SaaS, notes that online voting has been a topic of discussion for the past several years even before the recent pandemic. "The pandemic, however, has moved the discussion from a nice-to-have to a must-have item. There is a lot we can learn from the recent shift of enterprises to support remoter and virtual workforce. We can no longer control the location or the network where we access information nor the device being used  whether they are company-issued laptops, personal PCs, or mobile devices. Much of the security measures enterprises are adopting today with the shift in their business can be applied to online voting solutions," explains O'Connor. 

Of course, we need to secure the solution with the latest cybersecurity and analytics tools, O'Connor contends. "However, as with enterprises today, we need to employ tools to make sure the online services are configured correctly and maintained in a secure state," he adds. "Based on the current trend, the majority of security issues in cloud services, such as the ones online voting solutions are based on, are due to user error. It is very common today for organizations to suffer data exposure due to misconfigurations and settings that do not follow best practices. Many have also not yet employed solutions to continuously monitor such configurations and when necessary, revert them back to a secure state. These and other practices followed by enterprises today, along with the lessons learned, can and should be employed to secure online voting services later this year."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, claims that if at-home voting becomes a reality, malicious actors will take note and adjust their efforts to exploit the uncertainty of the new process. Lookout, Schless notes, saw a 37% increase in mobile phishing encounters globally from 4Q2019 to 1Q2020 as a result of more employees working remotely, most of those new phishing campaigns leveraged COVID-19 in one way or another. 

"Mobile phishing campaigns constantly evolve to take advantage of emotional uncertainty," Schless says. "They can also be adjusted to target people in particular geographies based on information they share on social media platforms or just their phone number."

Schless notes Lookout also observed an example of this when a mobile phishing campaign targeted users of North American banks, where the threat actor adjusted the fake login page sent to the user based on their phone number’s area code and aligning that with the most popular banks in the area. 

"By the same token," Schless says, "someone building a mobile phishing campaign targeting voters could use particular language in their message that would appeal to the political climate of that area. This could increase the chances that the targeted population would log in to a fake voting portal or download a fake voting application. "

In order to better prepare, the developers of these at-home voting platforms need to build security into the development process, he claims. "They cannot rely on the individual citizens to have proper security tools in place on mobile phones or computers. By using embedded security, developers for states can be proactive in building protective measures directly into mobile voting apps. This enables them to protect applications and infrastructure used for voting, and if any malware is detected on the voter’s device, states can provide steps to help citizens remove malware and more safely cast their vote," Schless concludes. 

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, notes, on the other hand, for any voting or elections, the first priority should always be the health and safety of both voters and electoral staff. 

"Given the COVID-19 pandemic, this raises the importance of voting while social distancing, meaning that it should open the door to new secure methods of voting digitally. I have always seen technology as an enabler of democracy, however, we must always approach it with responsibility and accountability. The supervisors of elections and secretaries of state should be immediately looking for safe new innovative solutions that will allow elections to occur in November while protecting the safety of voters and the security of the election," Carson says.  

Trust is the utmost importance and this means transparency is needed, Carson explains. "COVID-19 could force internet-based voting but this means voter registration becomes extremely critical with Identity and Access Management (IAM) vital to ensuring only valid voters can participate. It might be worth doing this on those who wish to opt in. Voting methods should never be restricted to a single method therefore several options should be available."

Estonia, where Carson lives, has a great model for voting, he notes. "However nothing is ever perfect. If Estonia needed to vote today, everyone could do so in the safety of their own home while social distancing maintaining the health and safety of its citizens. We should embrace technology and move forward. But, it should be done with accountability and responsibility, solutions we trust with governments who provide transparency."

For the full report, visit https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf