Posted on February 14, 2020 at 4:20 PM
Researchers at the Massachusetts Institute of Technology (MIT) recently revealed that Voatz, the voting app used in Oregon and West Virginia, could have a major vulnerability that may allow hackers to manipulate results.
The MIT researchers pointed out that the new bugs could let an attacker manipulate votes, block the submission of votes, or even reveal someone's votes.
This development comes at a time when the U.S. is dealing with election security issues and with the question of whether mobile voting could expand voters' accessibility while remaining safe.
Security experts are warning that there is no way safe mobile voting can be guaranteed, considering the many possible flaws in mobile apps. However, Voatz and other firms argued that technologies and biometric authentication systems could make the process safe.
Researchers say Voatz lacks transparency
MIT researchers Daniel Weitzner, James Koppel, and Michael Specter have a different opinion. They said that, given the numerous security challenges of voter apps like Voatz, it would be better to discontinue any use of such apps because of the high stakes involved in an election of this magnitude. They said voter apps have a lot of setbacks, which include the risk of voter attack and a lack of transparency.
They also pointed out that the credentials of Voatz are still questionable, which makes it very difficult to use it for the upcoming election. According to them, the present evidence suggests that allowing voters to make use of Voatz to vote in the upcoming election may be fatal to the credibility of the election.
Voatz has different vulnerability issues
The group discovered that there are different types of vulnerabilities, which depend on the level of access the hacker has to Voatz servers or the voter's device.
According to the group, the hackers could bypass the defense protocol of Voatz and gain access to voters' data, including the PIN they used to access the servers. They would also be able to control how the voters voted and block them from sending their votes.
If the attacker is able to access the Voatz system, they can expose data that was supposed to be blocked by the platform's blockchain system. It will allow the attackers to manipulate the votes in favor of those they are supporting in the election.
The researchers also discovered vulnerabilities in the manner the Voatz app delivers votes to the servers. They said such votes can be exploited if the user voted through an insecure network or through a Wi-Fi network.
Questions raised about Voatz's poor security defenses
Although the MIT researchers are the first to produce clear evidence against the security of Voatz, other researchers have previously lodged complaints.
Their complaints are based on the fact that the methods of the company and its app lack transparency, which makes it very difficult to find out whether the app is actually secure.
Senator Ron Wyden raised a question last November in a letter to the defense department at NSA. He asked the agency to carry out a strong security audit on the Voatz systems. He said although the company has claimed that it hired experts to audit its systems, there hasn't been any published record on the outcome of the audit. He further pointed out that Voatz has not even identified its auditors yet, which, he stated, means the transparency of the system is very porous.
However, in response to the senator's statement, Voatz said it's true that the company has not published the results of the audit. It pointed out that at the time of the disclosure, the researchers used an outdated version of the Voatz app used in the elections. And for some of the audits, the researchers needed to create a copy of some parts of Voatz infrastructure that they could not access.
Voatz stated that the findings of the researchers do not reflect the present infrastructure of Voatz. The company also reiterated that the researchers could have carried out their research on Voatz through the HackerOne Voatz bug program, which would have given them an accurate reflection of the Voatz infrastructure.
However, the researchers refused to accept the company's claims. They stated that their information and data on the Voatz app were accessed via Google Play in December. And contrary to the company's claims, the researchers said the company had only made 5 updates instead of the 27 it has reported.