Researchers uncover security vulnerabilities in mobile voting app 'Voatz'

A team of researchers at the Massachusetts Institute of Technology  (MIT) has disclosed security vulnerabilities in Voatz, a mobile voting application that has been used several times including during the 2018 midterm elections in West Virginia, the 2016 Massachusetts Democratic Convention, and the 2016 Utah Republican Convention.

The findings of the research led by Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) are described in a new technical paper published by the team. The findings were also disclosed to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). 

According to the researchers, the vulnerabilities could allow hackers to alter, stop, or expose how an individual user has voted. Apart from these security loopholes, the application could also pose potential privacy issues for users as it uses a third-party vendor for voter identification and verification.

The findings, as the researchers' said, highlight the need for openness in the design of voting systems to ensure the integrity of the election process. 

We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field. We cannot experiment on our democracy.

In response to the report, Voatz said: "Our review of their report found three fundamental flaws with their method of analysis, their untested claims, and their bad faith recommendations." 

According to Voatz, the MIT research team has analyzed an outdated version of the Voatz mobile voting app, at least 27 versions old at the time of their disclosure and not used in an election. Secondly, the outdated Android version of the app was never connected to the Voatz servers, which are hosted on Amazon AWS and Microsoft Azure, which means they were unable to register and pass the layers of identity checks to impersonate a legitimate voter or submit any vote.

Voatz also dismissed the researchers' claim that its app and infrastructure were completely closed-source, saying that the platform is very open with qualified and collaborative researchers.

It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.

The mobile-focused voting application, according to Voatz, uses biometrics, encryption and blockchain technology to increase convenience and make remote voting more accessible and safe. Voatz says that all of the nine governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues.