SECURITY
Researchers at the Massachusetts Institute of Technology say a voting app used in four states in the U.S. has some serious security flaws, including a vulnerability that would allow an attacker to change someone’s vote.
On Thursday, the researchers published a lengthy paper on the matter. The app in question, called Voatz, is said to be the first internet voting application used in U.S. federal elections.
Since it uses blockchain technology, the system was supposed to be secure, but after reverse-engineering the app, the researchers concluded that this was far from the truth. Not only could votes be changed, they said, but attackers could also stop votes from being put into the app. As if that were not bad enough, they said it was also possible for an attacker to input data into the app.
“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” the researchers concluded.
The app has been used before, so far only in minor elections for people who found it difficult to get to a voting machine. But soon after it got its first contract, a number of people raised security concerns. Still, Voatz recently received $7 million in a Series A round of funding, and it was widely believed that the app would be used for the 2020 primaries.
In a blog post published on Thursday, Voatz fired back at the MIT researchers, saying much of the paper was untrue. First, the company said, the version that the researchers tested was 27 versions old. Had they tested the newest version, those vulnerabilities wouldn’t have been there, said Voatz.
“Second, as the researchers admitted, the outdated app was never connected to the Voatz servers, which are hosted on Amazon AWS and Microsoft Azure,” said Voatz. “This means that they were unable to register, unable to pass the layers of identity checks to impersonate a legitimate voter, unable to receive a legitimate ballot and unable to submit any legitimate votes or change any voter data.”
The company added that the researchers didn’t actually use Voatz servers and instead “hypothesized” servers, which it said led to a number of false assumptions. “We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” said Voatz.