Vulnerabilities in American election app made it possible to adjust votes

The Voatz app, which several US states used in smartphone voting pilot projects, has multiple vulnerabilities that allow voting customization. Also, researchers were unable to find blockchain security through the app.

Researchers at MIT gained insight into how the Voatz app works by downloading it from the Play Store and reverse engineering it. The app made headlines in 2018 when the US state of West Virginia used it in midterm elections to allow military personnel to vote abroad. Since then, there have been field trials in Washington State, parts of Oregon, Utah and Denver.

The researchers were able to analyze the election process from the app’s point of view, by mimicking Voatz’s servers. Analysis of that server infrastructure itself was not possible. Voatz reports regular audits by independent third parties, but they are not public. For upcoming releases, Voatz wants to enable HackerOne.

The MIT researchers have already found vulnerabilities that allow attackers to alter, prevent or publicly disclose votes. Among other things, they describe a side-channel attack with which a voice could be traced by observing the network over which it was sent. One of the features that Voatz advertises is the use of the blockchain. However, the researchers couldn’t find any evidence that the app is receiving or validating data from a blockchain: “We found no reference to hash chains, transparency logs, or other cryptographic evidence.”

In terms of network connectivity, the connection is secured by an https connection, one of the researchers told Motherboard. The app does encrypt outgoing data, but does so before the data reaches the https layer. As a result, the size of the encrypted packets remains proportional to the size of the plain text, which is a security risk.

The researchers call Voatz’s method very sloppy and believe that their research shows the risks of internet voting. Voatz himself claims that the researchers did not use the latest version of the app and that they cannot know how it works because they have not investigated the back-end servers for receiving the votes.