UPDATED 22:24 EDT / FEBRUARY 13 2020

SECURITY

Researchers say US voting app flaw could let attackers change votes

Researchers at the Massachusetts Institute of Technology say a voting app used in four states in the U.S. has some serious security flaws, including a vulnerability that would allow an attacker to change someone’s vote.

On Thursday, the researchers published a lengthy paper on the matter. The app in question, called Voatz, is said to be the first internet voting application used in U.S. federal elections.

Since it uses blockchain technology, the system was supposed to be secure, but after reverse-engineering the app, the researchers concluded that this was far from the truth. Not only could votes be changed, they said, but attackers could even stop votes from being put into the app — and if that sounds bad, they said it was possible for an attacker to input data into the app.

“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” the researchers concluded.

The app has been used before, so far only in minor elections for people who found it difficult to get to a voting machine. But soon after it got its first contract, a number of people raised security concerns. Still, Voatz recently received $7 million in a Series A round of funding, and it was widely believed that the app would be used for the 2020 primaries.

In a blog post published on Thursday, Voatz fired back at the MIT researchers, saying much of the paper was untrue. First, the company said, the version that the researchers tested was 27 versions old. Had they tested the newest version, those vulnerabilities wouldn’t have been there, said Voatz.

“Second, as the researchers admitted, the outdated app was never connected to the Voatz servers, which are hosted on Amazon AWS and Microsoft Azure,” said Voatz. “This means that they were unable to register, unable to pass the layers of identity checks to impersonate a legitimate voter, unable to receive a legitimate ballot and unable to submit any legitimate votes or change any voter data.”

The company added that the researchers didn’t actually use Voatz servers and in fact “hypothesized” servers, which they said led to a bunch of assumptions that are false. “We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” said Voatz.

Photo: samantha celera/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU