Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities

from the bringing-new-attack-vectors-to-previously-excluded-voters dept

Mobile voting app Voatz is still a mess. Two years ago, West Virginia decided to give the app a spin to allow some voters to vote from home during the midterm elections. Nobody in the security world thought this was a good idea. The only people who did feel this was a safe, secure way to collect votes were state legislators and Voatz itself. Some early poking and prodding by security researchers immediately found problems with Voatz's handling of votes, including out-of-date SSH and unproven facial recognition tech that was supposed to verify voters by matching their selfies to their government IDs.

Two-and-a-half years later, not much has improved. Voatz is still courting state governments, trying to talk them into using its app to allow the housebound and those overseas to vote in their elections. An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes -- and alter or trash them -- without anyone on either end realizing they'd been hacked.

Voatz responded badly, insulting the researchers and claiming its server-side software would miraculously prevent the described attack from happening. When the researchers pointed out Voatz was wrong about its own software, it published a blog post attacking the researchers as "publicity hounds" seeking to disrupt the election process.

Another month has passed and it's more bad news for Voatz. Voatz and Tusk Philanthropies hired cybersecurity firm Trail of Bits to perform a security audit of its software. Guess what? It's still a mess.

Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.

More specifically, it's pretty much everything about the entire system:

Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).

This is software that's been used by governments to collect more than 80,000 votes in more than 50 elections. This is the software Sen. Ron Wyden has called "snake oil." When Voatz actually attempts to fix something, it sometimes makes it worse. From Motherboard's report on the Trail of Bits audit:

In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. In this instance, Trail of Bits initially identified an issue where an attacker with knowledge of the target's phone number could hijack the target's Voatz account during re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that "can allow an attacker to bypass SMS verification during pre- and re-registration." Voatz said this issue was fixed, but Trail of Bits could not independently confirm because it did not have access to the updated, supposedly fixed code.

Voatz continues to seek shelter in the comforting embrace of denial, even when faced with findings from researchers it hired to audit its software. The company's CEO, Nimit Sawheny, told Motherboard that while he didn't dispute any of the technical details, Voatz is still safe to use because the deficiencies highlighted were "theoretical" and that he had not seen any proof yet that Voatz has been hacked.

Even theoretical holes can do real damage, once attackers figure out how to exploit the flaw. Just because Voatz hasn't been hacked yet doesn't mean it won't be. And it won't get more hack-proof if the company continues to downplay researchers' findings or -- in the case of the MIT study -- publicly attack people who are doing everything they can to ensure elections aren't disrupted (or hijacked) by malicious parties.

Worse, even as Trail of Bits was confirming the findings of the MIT report, the company's CEO continued to claim MIT's findings were mere "opinion" and that this report was filled with errors. This led to the following statement from the MIT team:

"It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public," the authors of the MIT report told Motherboard in a statement.

Bringing voting options to people who previously had no choice but to sit out elections is important. But that doesn't mean the American public should be forced to settle for half-assed solutions just because something better isn't available at the moment. No parent wants to hear their child is ugly and full of security flaws, but Voatz's insistence on attacking researchers and their findings does not make the company seem any more trustworthy or capable of providing a secure mobile voting option.

Filed Under: blockchain, cybersecurity, electronic voting, mobile voting, security
Companies: voatz

Surprise! MIT Study Claims Voatz E-Voting Technology Is A Security Dumpster Fire

from the we've-kinda-been-over-this dept

You'd be pretty hard pressed to find a single respected cybersecurity expert that thinks voting via smartphone is a good idea. There's just too many potential attack vectors as your voting data floats from your personal device, across the internet, and into the final tally repository. Despite this there's an endless chorus of political leaders, cities, and states who continue to insist they know better. From West Virginia to Washington State, the quest for great inclusivity in voting access often results in people ignoring these warnings in the belief that they're helping.

The West Virginia effort has been handed over to internet voting vendor Voatz, whose smartphone voting system had already been criticized for being risky and insecure. Last November, Senator Ron Wyden wrote to the Pentagon to raise concerns about Voatz’s security and to ask for a full audit of the app.

Criticism of the company grew much louder this week after MIT researchers released a paper (pdf) showing how Voatz's technology has some fairly basic problems that would let an attacker intercept votes as they’re transmitted from mobile phones to the voting company’s server -- without anybody being the wiser:

"We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections."

While Voatz has repeatedly complained that its blockchain technology should have protected this from happening, the researchers found said implementation wasn't actually implemented in the way the company claimed, providing no additional security protection to the vote transmissions. On top of those issues, computer science professor Alex Halderman found other issues with the certificate pinning and servers Voatz implemented:

The New York Times, which first reported the research, notes that a copy of the findings had already been submitted to the Department of Homeland Security and the various election officials who've signed off on the platform. Like many e-voting companies, Voatz claims transparency isn't really necessary because it utilizes an array of anonymous experts to audit the company's systems. But the findings of those audits have yet to be made public, even to the officials using the systems. See the problem yet?

For its part, Voatz's response has been to double down on its previous positions while insulting the researchers that disclosed the problem, insisting that server-side protections would thwart the theoretical attack (cybersecurity experts were quick to disagree). The company issued a blog post in which it accused the researchers (MIT's Michael Specter, James Koppel and Daniel Weitzner) of being publicity hounds and attempting to "deliberately disrupt the election process":

"It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."

When every single respected infosec researcher and journalist is telling you e-voting can't be adequately secured and your solution to that problem is flawed and will only make that problem worse, insulting and ignoring researchers isn't a great look. Compounded by the GOP's refusal to pass any election security bills of note, and you can start to see how we're just begging for problems on what could potentially someday be a catastrophic scale.

Filed Under: blockchain, e-voting, mobile voting, research, security
Companies: voatz

Voting By Cell Phone Is A Terrible Idea, And West Virginia Is Probably The Last State That Should Try It Anyway

from the industrialized-incompetence dept

So we've kind of been over this. For more than two decades now we've pointed out that electronic voting is neither private nor secure. We've also noted that despite this several-decade long conversation, many of the vendors pushing this solution are still astonishingly-bad at not only securing their products, but acknowledging that nearly every reputable security analyst and expert has warned that it's impossible to build a secure fully electronic voting system, and that if you're going to to do so anyway, at the very least you need to include a paper trail system that's not accessible via the internet.

Having apparently learned nothing, reports emerged this week that West Virginia is considering launching an initiative that would let some state residents vote via cellphone. To be clear, the effort initially appears focused on letting troops stationed overseas vote. Not surprisingly, more than a few folks were quick to highlight to CNN how this would be an arguably terrible idea:

"Mobile voting is a horrific idea," Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told CNN in an email. "It's internet voting on people's horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote."

Marian K. Schneider, president of the election integrity watchdog group Verified Voting, was even more blunt. Asked if she thought mobile voting is a good idea, she said, "The short answer is no."

Given security analysts routinely aren't sure whether or not our existing voting systems may have been compromised by actors foreign and/or domestic, and the federal government just got done making it clear election security isn't a priority with an idiotically-partisan vote, it seems like a pretty terrible time to begin trying to implement new online voting efforts. And if you've watched West Virginia's blistering corruption when it comes to sectors like the telecom industry, the state is probably the last state in the union that should be attempting such a voting system overhaul.

Judging from online conversations, the company that's building the new West Virginia system (Voatz) may not be the best choice either, since it doesn't appear capable of securing its own website:

Comforting. Ideally, the system would involve a user first registering by taking a photo of their government-issued ID and a selfie-video of their face, which are then registered via the app. Voatz claims the company's facial recognition software will then ensure the photo and video submitted are of the same person, with users then able to cast their ballot using the Voatz app. Documents the company circulates at trade shows indicate the company utilizes the blockchain to ensure its systems are more secure and "fundamentally different than touchscreen or online voting." But the company has failed to clarify how.

There's roughly a million and one ways this entire process could go to hell, from SS7 vulnerabilities to man in the middle attacks everywhere along the chain between your device and the Voatz database. And if there's not a hard paper trail, it opens the door to any number of undetectable changes that could happen during transit. Of course this has all been repeatedly stated countless times over the last few decades, but it's a message that's still not apparently getting through.

Filed Under: blockchain, e-voting, electronic voting, mobile voting, security, west virginia
Companies: voatz