Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities
from the bringing-new-attack-vectors-to-previously-excluded-voters dept
Mobile voting app Voatz is still a mess. Two years ago, West Virginia decided to give the app a spin to allow some voters to vote from home during the midterm elections. Nobody in the security world thought this was a good idea. The only people who did feel this was a safe, secure way to collect votes were state legislators and Voatz itself. Some early poking and prodding by security researchers immediately found problems with Voatz's handling of votes, including out-of-date SSH and unproven facial recognition tech that was supposed to verify voters by matching their selfies to their government IDs.
Two-and-a-half years later, not much has improved. Voatz is still courting state governments, trying to talk them into using its app to allow the housebound and those overseas to vote in their elections. An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes -- and alter or trash them -- without anyone on either end realizing they'd been hacked.
Voatz responded badly, insulting the researchers and claiming its server-side software would miraculously prevent the described attack from happening. When the researchers pointed out Voatz was wrong about its own software, it published a blog post attacking the researchers as "publicity hounds" seeking to disrupt the election process.
Another month has passed and it's more bad news for Voatz. Voatz and Tusk Philanthropies hired cybersecurity firm Trail of Bits to perform a security audit of its software. Guess what? It's still a mess.
Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.
More specifically, it's pretty much everything about the entire system:
Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).
This is software that's been used by governments to collect more than 80,000 votes in more than 50 elections. This is the software Sen. Ron Wyden has called "snake oil." When Voatz actually attempts to fix something, it sometimes makes it worse. From Motherboard's report on the Trail of Bits audit:
In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. In this instance, Trail of Bits initially identified an issue where an attacker with knowledge of the target's phone number could hijack the target's Voatz account during re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that "can allow an attacker to bypass SMS verification during pre- and re-registration." Voatz said this issue was fixed, but Trail of Bits could not independently confirm because it did not have access to the updated, supposedly fixed code.
Voatz continues to seek shelter in the comforting embrace of denial, even when faced with findings from researchers it hired to audit its software. The company's CEO, Nimit Sawheny, told Motherboard that while he didn't dispute any of the technical details, Voatz is still safe to use because the deficiencies highlighted were "theoretical" and that he had not seen any proof yet that Voatz has been hacked.
Even theoretical holes can do real damage, once attackers figure out how to exploit the flaw. Just because Voatz hasn't been hacked yet doesn't mean it won't be. And it won't get more hack-proof if the company continues to downplay researchers' findings or -- in the case of the MIT study -- publicly attack people who are doing everything they can to ensure elections aren't disrupted (or hijacked) by malicious parties.
Worse, even as Trail of Bits was confirming the findings of the MIT report, the company's CEO continued to claim MIT's findings were mere "opinion" and that this report was filled with errors. This led to the following statement from the MIT team:
"It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public," the authors of the MIT report told Motherboard in a statement.
Bringing voting options to people who previously had no choice but to sit out elections is important. But that doesn't mean the American public should be forced to settle for half-assed solutions just because something better isn't available at the moment. No parent wants to hear their child is ugly and full of security flaws, but Voatz's insistence on attacking researchers and their findings does not make the company seem any more trustworthy or capable of providing a secure mobile voting option.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: blockchain, cybersecurity, electronic voting, mobile voting, security
Companies: voatz
Reader Comments
Subscribe: RSS
View by: Time | Thread
Don't worry
Your Voatz are safe with us!
[ link to this | view in chronology ]
When Sawheny says they don't have to worry because they haven't been hacked yet, I'm minded of:
[ link to this | view in chronology ]
Re:
Oh it's actually even worse.
An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes -- and alter or trash them -- without anyone on either end realizing they'd been hacked.
Assuming that is correct then the claim that 'they haven't been hacked yet' is one that simply cannot be assumed to be correct, as they could very well have been and simply don't know it.
[ link to this | view in chronology ]
Re:
My first thought was "seatbelts". I guess Sawheny doesn't use them because he hasn't crashed his car yet, and argues that you should put on a seatbelt after you crash.
[ link to this | view in chronology ]
Re: Re:
Crashes are after all merely 'theoretical' hazards, as while they may have happened to other people they most certainly would never happen to him, and clearly all those fearmongering people trying to tell him otherwise are just doing it for the attention.
[ link to this | view in chronology ]
How many people are in this situation, where voting at the normal and advance polls isn't an option, voting at special polls (eg. hospital polls) won't work, and mail voting isn't available? And do the people in that group have the required electronic devices?
[ link to this | view in chronology ]
I dont know..
But considering all that programming can do, a remote access type is going to be plagued with problems.
Person and device verification.
Loss prevention
Location ID
But even this, at the polls isnt being done.
They arnt using any resource at the polls, LIKE DMV/DOT pictures. Most just ask for a drivers license.. Which we KNOW can be faked. Anything can be faked.
I wont even go into being PART of the system, and being able to fake Whole personalities..
[ link to this | view in chronology ]
Re: I dont know..
From VerifiedVoting.org:
Their Computer Technologists’ Statement on Internet Voting is a good, fairly short (< 1 page) read on the subject.
[ link to this | view in chronology ]
Re: Re: I dont know..
There is 1 major fault, not flaw...
Its the interaction of humans, and verification of such.
How do you stop a group from falsifying, data to create persona to use in voting??
There are not any formats we have to stop this. i can even express how its done, from the past and upto about 2000. Not sure of the possibility at this time, but with a little money, could keep this rolling.
There was a way expressed in the Anarchist cookbook, that worked until they started giving SS# at birth. Before that time we only got them in middle teens.
For a very long time, keeping records for Birth/death/marriage/... in the states REALLY sucked, and with computers at least there is abit better coverage of this.
If someone was shown to move out of a state it was not easy to Find their DATA to match up to records IN the original state. Let alone trying to find a persons SS# after death, because few carry a card with them. its only been enforced by the corps and insurance corps..
In all of this, it would not take much to get a Doctor to Falsify a birth. Esp in rural area. Get the SS#, and creat false history.
Unless you want a Tattoo or Chip in everyone, its not that easy to KEEP Identity safe or private.
[ link to this | view in chronology ]
"I reject your reality and substitute my own!"
There's confidence in your product, and then there's willful blindness, hiring experts to check your product to rebut the people calling it full of holes only to ignore those experts when they confirm the original assessment.
You wouldn't trust a car maker who said that they don't need to worry about claims that their car designs are horribly unsafe because crashes are 'theoretical'...
You wouldn't trust your money to bank that responded to claims that they don't use encryption to protect accounts because security breaches are 'theoretical' and the people pointing that out are only doing so 'for the attention'...
And you shouldn't trust a voting app company who is told about security problems with their product, has those problems confirmed, and then proceeds to dismiss all concerns by claiming that there's no proof (yet) that those security problems have been exploited.
[ link to this | view in chronology ]
Re: "I reject your reality and substitute my own!"
how about the Only warranty the car maker tries to give you..
10 years 100,000 miles..on the DRIVE TRAIN..
Ever wonder about that??
OH! its now a shorter time??
5 years and 60,000 miles?
"A drivetrain warranty includes the transmission, driveshaft, axles, and wheels, but it does not include the engine. A powertrain warranty covers everything that makes a vehicle move, from the engine to the transmission to the parts that allow power to travel from the engine to the wheels."
https://www.carchex.com/content/what-does-a-powertrain-warranty-cover
Dont read the EXCLUSION section..its all the plastic and rubber on the engines, including Wires.
[ link to this | view in chronology ]
Nimit (?) Sawheny
Nope, I won't even think about going there.
[ link to this | view in chronology ]
The Benefit of the Doubt.
I am constantly amazed by the way people always consider that code companies like this are incompetent, or uncaring, and absolutely never consider that they are deliberately creating flaws in order to serve a less than altruistic purpose - in this case, insuring that the election results CAN be altered externally, on the fly, by those that know the means/flaws provided by the software manufacturer in the code.
I ask myself this question: is there more money to be made by selling software to the combined states of America that gets used once every four years, or by offering a private deal to the billionaires that run the country, that will insure the candidate they desire will win the election - any election that uses that company's code.
"Never attribute to malice that which can be explained by incompetence."
Indeed. One wonders Who actually created and disseminated that saying.
The Why seems pretty obvious now. I've no doubt however that people will consider that the originator of the statement did so out of incompetence, rather than malice.
[ link to this | view in chronology ]
Re: The Benefit of the Doubt.
Hanlon’s Razor might not be so sharp after all.
Hanlon was a blind ostrich who wore rose colored glasses and persistently whistled the theme song to Annie. Unfortunately, applying Hanlon’s Razor often results in giving someone a pass, or a psuedo-legitimate excuse, when it is not warranted.
In the case of Voatz, it is definitely a stretch to think that their responses to revelations of serious security problems with their product are the result of incompetence or ignorance. It also seems unlikely that the security problems themselves are the result of incompetence or ignorance.
Just because the security holes were not clearly labeled "Back Door to Alter Election Results" does not mean that they were not intended to be exactly that.
[ link to this | view in chronology ]