Surprise! MIT Study Claims Voatz E-Voting Technology Is A Security Dumpster Fire

You'd be pretty hard pressed to find a single respected cybersecurity expert that thinks voting via smartphone is a good idea. There's just too many potential attack vectors as your voting data floats from your personal device, across the internet, and into the final tally repository. Despite this there's an endless chorus of political leaders, cities, and states who continue to insist they know better. From West Virginia to Washington State, the quest for great inclusivity in voting access often results in people ignoring these warnings in the belief that they're helping.

The West Virginia effort has been handed over to internet voting vendor Voatz, whose smartphone voting system had already been criticized for being risky and insecure. Last November, Senator Ron Wyden wrote to the Pentagon to raise concerns about Voatz's security and to ask for a full audit of the app.

Criticism of the company grew much louder this week after MIT researchers released a paper (pdf) showing how Voatz's technology has some fairly basic problems that would let an attacker intercept votes as they're transmitted from mobile phones to the voting company's server -- without anybody being the wiser:

"We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user's secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections."

While Voatz has repeatedly complained that its blockchain technology should have protected this from happening, the researchers found said implementation wasn't actually implemented in the way the company claimed, providing no additional security protection to the vote transmissions. On top of those issues, computer science professor Alex Halderman found other issues with the certificate pinning and servers Voatz implemented:

To protect the connection, Voatz uses certificate pinning. That means the app will only trust a specific HTTPS certificate to authenticate the server. For maximal security, the app should pin to a cert that is used only on a specific well hardened server. 3/

- J. Alex Halderman (@jhalderm) February 13, 2020

The New York Times, which first reported the research, notes that a copy of the findings had already been submitted to the Department of Homeland Security and the various election officials who've signed off on the platform. Like many e-voting companies, Voatz claims transparency isn't really necessary because it utilizes an array of anonymous experts to audit the company's systems. But the findings of those audits have yet to be made public, even to the officials using the systems. See the problem yet?

Unlike voting machines used in elections, mobile voting apps like Voatz don't undergo testing and certification by the labs that test voting machines. So there is no oversight of apps like this - yet states are opting to them despite this.

- Kim Zetter (@KimZetter) February 13, 2020

For its part, Voatz's response has been to double down on its previous positions while insulting the researchers that disclosed the problem, insisting that server-side protections would thwart the theoretical attack (cybersecurity experts were quick to disagree). The company issued a blog post in which it accused the researchers (MIT's Michael Specter, James Koppel and Daniel Weitzner) of being publicity hounds and attempting to "deliberately disrupt the election process":

"It is clear that from the theoretical nature of the researchers' approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers' true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."

When every single respected infosec researcher and journalist is telling you e-voting can't be adequately secured and your solution to that problem is flawed and will only make that problem worse, insulting and ignoring researchers isn't a great look. Compounded by the GOP's refusal to pass any election security bills of note, and you can start to see how we're just begging for problems on what could potentially someday be a catastrophic scale.