UPDATED 22:24 EDT / FEBRUARY 13 2020

3003311383_6fa6e69193_c SECURITY

Researchers say US voting app flaw could let attackers change votes

Researchers at the Massachusetts Institute of Technology say a voting app used in four states in the U.S. has some serious security flaws, including a vulnerability that would allow an attacker to change someone’s vote.

On Thursday, the researchers published a lengthy paper on the matter. The app in question, called Voatz, is said to be the first internet voting application used in U.S. federal elections.

Since it uses blockchain technology, the system was supposed to be secure, but after reverse-engineering the app, the researchers concluded that this was far from the truth. Not only could votes be changed, they said, but attackers could even stop votes from being put into the app — and if that sounds bad, they said it was possible for an attacker to input data into the app.

“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” the researchers concluded.

The app has been used before, so far only in minor elections for people who found it difficult to get to a voting machine. But soon after it got its first contract, a number of people raised security concerns. Still, Voatz recently received $7 million in a Series A round of funding, and it was widely believed that the app would be used for the 2020 primaries.

In a blog post published on Thursday, Voatz fired back at the MIT researchers, saying much of the paper was untrue. First, the company said, the version that the researchers tested was 27 versions old. Had they tested the newest version, those vulnerabilities wouldn’t have been there, said Voatz.

“Second, as the researchers admitted, the outdated app was never connected to the Voatz servers, which are hosted on Amazon AWS and Microsoft Azure,” said Voatz. “This means that they were unable to register, unable to pass the layers of identity checks to impersonate a legitimate voter, unable to receive a legitimate ballot and unable to submit any legitimate votes or change any voter data.”

The company added that the researchers didn’t actually use Voatz servers and in fact “hypothesized” servers, which they said led to a bunch of assumptions that are false. “We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” said Voatz.

Photo: samantha celera/Flickr

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.