{"id":30515,"date":"2020-02-13T10:36:18","date_gmt":"2020-02-13T15:36:18","guid":{"rendered":"https:\/\/statescoop.com\/?p=30515"},"modified":"2020-02-13T12:05:05","modified_gmt":"2020-02-13T17:05:05","slug":"mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app","status":"publish","type":"post","link":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","title":{"rendered":"MIT researchers find vulnerabilities in Voatz mobile voting app"},"content":{"rendered":"

Researchers at the Massachusetts Institute of Technology said Thursday they’ve found security flaws in Voatz, the mobile app that since 2018 has been used to collect ballots from overseas voters in several states. According to a new technical paper, the researchers found bugs that could be exploited to “alter, stop, or expose how an individual user has voted.”<\/p>\n

The researchers also found that Voatz’s reliance on a third-party vendor to authenticate the identity of its users raises potential privacy issues that could compromise the anonymity of ballots, which Voatz has previously said its technology ensures.<\/p>\n

“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,”\u00a0Daniel Weitzner, the director of MIT’s\u00a0Internet Policy Research Initiative and who supervised the research, said in a press release<\/a>.<\/p>\n

The research comes after several pilot projects by states and counties to use Voatz to increase participation by deployed military service members and other overseas voters, who have some of the lowest turnout rates in elections. So far, the app has been used by West Virginia; Denver County, Colorado; Utah County, Utah; and Oregon’s Jackson and Umatilla counties.<\/p>\n

MIT said the discoveries in Thursday’s report were shared with the Cybersecurity and Infrastructure Security Agency, which oversees the federal government’s election-security efforts.<\/p>\n

The research team, which was led by graduate students\u00a0Michael Specter and\u00a0James Koppel, said they were only able to conduct their research on the Voatz app itself, and not any of the underlying source code. But to test the app, Specter and Koppel “reverse-engineered” the app to build a mock-up of\u00a0Voatz\u2019s server. That server was never connected to Voatz’s system itself or any government organization that conducts elections, they wrote.<\/p>\n

Specter and Koppel wrote that the resulting examinations of the app and their model server led them to find that an actor with\u00a0remote access to a Voatz user’s device could discover or even potentially alter that person’s vote. They also found that by accessing the server, they could change votes as well.<\/p>\n

\u201cIt does not appear that the app\u2019s protocol attempts to verify [genuine votes] with the back-end blockchain,\u201d Specter said in the MIT press release. “Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you\u2019re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election. Worse, more aggressive attackers could potentially detect which way you\u2019re going to vote and then stop the connection based on that alone.\u201d<\/p>\n

But in a blog post Thursday morning, Voatz said the MIT paper is based on three “fundamental flaws,” accusing the researchers of making recommendations in bad faith. First, the company said, the researchers used an Android edition of its app that is at least 27 versions old, and not being used in elections. Voatz added that the current version of its app has been tested by nearly 100 independent researchers through a bug-bounty program<\/a> run by the white-hat hacking firm HackerOne.<\/p>\n

Voatz also said that because the app researchers used was connected to the company’s servers, which run on Amazon Web Services and Microsoft Azure, they could not actually register as a qualified voter or pass its layers of identity screening, which includes photos compared against government-issued identifications, and biometric thumbprints on an individual’s device.<\/p>\n

The company also took issue with MIT’s mock server. “[I]n the absence of trying to access the Voatz servers, the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” the blog post states.<\/p>\n

Voatz has rebuffed other recent criticism, including from Sen. Ron Wyden<\/a>, D-Ore., who has asked officials in his home state to reconsider their upcoming use of the app, but whom Voatz accused of stoking “the fear of technology.” The company struck a similar tone Thursday, arguing that “the researchers and the community to which they belong have waged a systematic effort to dismantle any online voting pilots.”<\/p>\n

But Wyden welcomed the MIT research, saying it confirms his misgivings about mobile app-based voting.<\/p>\n

“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn\u2019t safe,” Wyden said. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system.”<\/p>\n

The MIT team says its work was rooted in previous warnings against online voting, which numerous other academic researchers and scientific collectives<\/a>\u00a0have argued is fundamentally insecure.<\/p>\n

“Our findings serve as a concrete illustration of the common wisdom against internet voting, and of the importance of transparency to the legitimacy of elections,” they wrote.<\/p>\n

CyberScoop’s Sean Lyngaas contributed reporting.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Researchers claimed they found flaws that allowed them to alter ballots or compromise voters’ anonymity, but Voatz said their findings were based on an outdated version of the app.<\/p>\n","protected":false},"author":200,"featured_media":30532,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"disable_grayscale_images":true,"grayscale_contrast":0,"sponsored_content":false,"display_author_bio":true,"story_type":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[4677],"tags":[125,4895,6100],"people":[],"special-report":[],"authors":[4697],"class_list":["post-30515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-state","tag-election-security","tag-voatz","tag-massachusetts-institute-of-technology","author-benjamin-freed"],"yoast_head":"\nMIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop\" \/>\n<meta property=\"og:description\" content=\"Researchers claimed they found flaws that allowed them to alter ballots or compromise voters' anonymity, but Voatz said their findings were based on an outdated version of the app.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/\" \/>\n<meta property=\"og:site_name\" content=\"StateScoop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/StateScoop\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-02-13T15:36:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-02-13T17:05:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1621\" \/>\n\t<meta property=\"og:image:height\" content=\"976\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Benjamin Freed\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@brfreed\" \/>\n<meta name=\"twitter:site\" content=\"@State_Scoop\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/\",\"url\":\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/\",\"name\":\"MIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop\",\"isPartOf\":{\"@id\":\"https:\/\/statescoop.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg\",\"datePublished\":\"2020-02-13T15:36:18+00:00\",\"dateModified\":\"2020-02-13T17:05:05+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage\",\"url\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg\",\"contentUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg\",\"width\":1621,\"height\":976,\"caption\":\"(Scoop News Group)\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/statescoop.com\/#website\",\"url\":\"https:\/\/statescoop.com\/\",\"name\":\"StateScoop\",\"description\":\"Latest news and events in state and local government technology\",\"publisher\":{\"@id\":\"https:\/\/statescoop.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/statescoop.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/statescoop.com\/#organization\",\"name\":\"StateScoop\",\"url\":\"https:\/\/statescoop.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/statescoop.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png\",\"contentUrl\":\"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png\",\"width\":1470,\"height\":186,\"caption\":\"StateScoop\"},\"image\":{\"@id\":\"https:\/\/statescoop.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/StateScoop\/\",\"https:\/\/x.com\/State_Scoop\",\"https:\/\/www.linkedin.com\/company\/statescoop\/\",\"https:\/\/www.youtube.com\/@StateScoop\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"MIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","og_locale":"en_US","og_type":"article","og_title":"MIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop","og_description":"Researchers claimed they found flaws that allowed them to alter ballots or compromise voters' anonymity, but Voatz said their findings were based on an outdated version of the app.","og_url":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","og_site_name":"StateScoop","article_publisher":"https:\/\/www.facebook.com\/StateScoop\/","article_published_time":"2020-02-13T15:36:18+00:00","article_modified_time":"2020-02-13T17:05:05+00:00","og_image":[{"width":1621,"height":976,"url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg","type":"image\/jpeg"}],"author":"Benjamin Freed","twitter_card":"summary_large_image","twitter_creator":"@brfreed","twitter_site":"@State_Scoop","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","url":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","name":"MIT researchers find vulnerabilities in Voatz mobile voting app | StateScoop","isPartOf":{"@id":"https:\/\/statescoop.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage"},"image":{"@id":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage"},"thumbnailUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg","datePublished":"2020-02-13T15:36:18+00:00","dateModified":"2020-02-13T17:05:05+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/#primaryimage","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg","contentUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg","width":1621,"height":976,"caption":"(Scoop News Group)"},{"@type":"WebSite","@id":"https:\/\/statescoop.com\/#website","url":"https:\/\/statescoop.com\/","name":"StateScoop","description":"Latest news and events in state and local government technology","publisher":{"@id":"https:\/\/statescoop.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/statescoop.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/statescoop.com\/#organization","name":"StateScoop","url":"https:\/\/statescoop.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/statescoop.com\/#\/schema\/logo\/image\/","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png","contentUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/StateScoop-Black.png","width":1470,"height":186,"caption":"StateScoop"},"image":{"@id":"https:\/\/statescoop.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/StateScoop\/","https:\/\/x.com\/State_Scoop","https:\/\/www.linkedin.com\/company\/statescoop\/","https:\/\/www.youtube.com\/@StateScoop"]}]}},"parsely":{"version":"1.1.0","canonical_url":"https:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","smart_links":{"inbound":0,"outbound":0},"traffic_boost_suggestions_count":0,"meta":{"@context":"https:\/\/schema.org","@type":"NewsArticle","headline":"MIT researchers find vulnerabilities in Voatz mobile voting app","url":"http:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/","mainEntityOfPage":{"@type":"WebPage","@id":"http:\/\/statescoop.com\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\/"},"thumbnailUrl":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg?w=150&h=150&crop=1","image":{"@type":"ImageObject","url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg"},"articleSection":"State","author":[{"@type":"Person","name":"Benjamin Freed","url":"https:\/\/statescoop.com\/author\/benjamin-freed\/"}],"creator":["Benjamin Freed"],"publisher":{"@type":"Organization","name":"StateScoop","logo":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2023\/01\/cropped-ss_favicon.png"},"keywords":["election security","massachusetts institute of technology","voatz"],"dateCreated":"2020-02-13T15:36:18Z","datePublished":"2020-02-13T15:36:18Z","dateModified":"2020-02-13T17:05:05Z"},"rendered":"<script type=\"application\/ld+json\" class=\"wp-parsely-metadata\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@type\":\"NewsArticle\",\"headline\":\"MIT researchers find vulnerabilities in Voatz mobile voting app\",\"url\":\"http:\\\/\\\/statescoop.com\\\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\\\/\",\"mainEntityOfPage\":{\"@type\":\"WebPage\",\"@id\":\"http:\\\/\\\/statescoop.com\\\/mit-researchers-find-vulnerabilities-in-voatz-mobile-voting-app\\\/\"},\"thumbnailUrl\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2020\\\/02\\\/IMG_9769.jpg?w=150&h=150&crop=1\",\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2020\\\/02\\\/IMG_9769.jpg\"},\"articleSection\":\"State\",\"author\":[{\"@type\":\"Person\",\"name\":\"Benjamin Freed\",\"url\":\"https:\\\/\\\/statescoop.com\\\/author\\\/benjamin-freed\\\/\"}],\"creator\":[\"Benjamin Freed\"],\"publisher\":{\"@type\":\"Organization\",\"name\":\"StateScoop\",\"logo\":\"https:\\\/\\\/statescoop.com\\\/wp-content\\\/uploads\\\/sites\\\/6\\\/2023\\\/01\\\/cropped-ss_favicon.png\"},\"keywords\":[\"election security\",\"massachusetts institute of technology\",\"voatz\"],\"dateCreated\":\"2020-02-13T15:36:18Z\",\"datePublished\":\"2020-02-13T15:36:18Z\",\"dateModified\":\"2020-02-13T17:05:05Z\"}<\/script>","tracker_url":"https:\/\/cdn.parsely.com\/keys\/statescoop.com\/p.js"},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/statescoop.com\/wp-content\/uploads\/sites\/6\/2020\/02\/IMG_9769.jpg","distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"StateScoop","distributor_original_site_url":"https:\/\/statescoop.com","push-errors":false,"_links":{"self":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/30515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/users\/200"}],"replies":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/comments?post=30515"}],"version-history":[{"count":13,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/30515\/revisions"}],"predecessor-version":[{"id":30539,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/posts\/30515\/revisions\/30539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/media\/30532"}],"wp:attachment":[{"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/media?parent=30515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/categories?post=30515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/tags?post=30515"},{"taxonomy":"people","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/people?post=30515"},{"taxonomy":"special-report","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/special-report?post=30515"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/statescoop.com\/wp-json\/wp\/v2\/authors?post=30515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}