In an assessment of the voting app’s internal programming, paid for by Voatz, a security firm validated MIT researchers' concerns, including the possibility that hackers could change votes cast through the app.
Add security consulting firm Trail of Bits to the growing list of technology experts with concerns about the mobile voting app Voatz.
Voatz itself, together with mobile-voting advocate Tusk Philanthropies, hired the New York-based firm in December 2019 to conduct what claims to have been the first “white box” assessment of the voting app, looking inside its programming and code as opposed to only testing it from the outside. According to Trail of Bits’ blog post last week, this was the most complete security assessment of the platform to date, yielding 79 findings, a third of which are called high-severity, a third medium-severity, and the remainder a combination of low, undetermined and informational severity.
“Our assessment confirmed the issues flagged in previous reports by MIT and others, discovered more, and made recommendations to fix issues and prevent bugs from compromising voting security,” the blog post says.
That includes the assertion that hackers could potentially change or discard votes.
"In order to alter a vote that has already been cast, the attacker would also need to have control over the Hyperledger Fabric blockchain" the audit report reads. "The credentials for accessing the blockchain are stored on the API server. An attacker who can modify the software running in the API server can alter, expose, or discard any user’s vote. The clients do not interact with the blockchain directly, so there is no blockchain verification code in the client."
According to Voatz’ own FAQ, more than 80,000 votes have already been cast on the Voatz platform across more than 50 elections since June 2016. The company has piloted its app with select groups of voters in the state of West Virginia; the city of Denver; Utah County, Utah; and both Jackson and Umatilla counties in Oregon.
Both volumes of the new Trail of Bits assessment, including 116 pages focused on technical findings and 73 pages of threat model findings, are available on GitHub. Technical findings covered everything from data storage and tamper protection to account security, unattended devices, authentication, encryption, verifiability and receipts. The threat model report found weaknesses which it broke down into six sections: governance and compliance, internal processes, voting processes, external storage, infrastructure and administration, and mobile application.
In an executive summary of the almost 200-page assessment, Trail of Bits engineers said Voatz' code was written intelligibly and free of many common security foibles, but added “it is clear that the Voatz codebase is the product of years of fast-paced development.” The summary goes on to list several technical flaws, such as a lack of test coverage and documentation, infrastructure provisioned manually without the aid of infrastructure-as-code tools, vestigial features that have yet to be deleted, and nonstandard cryptographic protocols.
Beyond the report’s specific recommendations to Voatz programmers, Trail of Bits recommended in its blog that election officials pay for qualified public reviews of mobile voting systems, and require language that nontechnical audiences can understand.
“It’s easy to get confused by non-commissioned reports,” the blog said. “For example, an August 2019 report by the National Cybersecurity Center seemed to address the platform’s security issues, but the NCC doesn’t employ any security experts. Their report validated that Voatz’ features and operation meet the needs of the user, not that the Voatz system is secure.”
In some ways, the Voatz app has been widely and constantly vetted. The Trail of Bits report mentions five prior “black-box” audits and another concurrent with their own “white-box” one. These include a review by a private security vendor in July 2018 who found low-severity configuration issues; a review by TLDR Security in October 2018 that found four high-severity issues; a post-election review by ShiftState Security in December 2018; a 10-page outline of questions about the app signed in May 2019 by researchers from Lawrence Livermore National Laboratory, the University of South Carolina, Citizens for Better Elections, Free & Fair, and the U.S. Vote Foundation; a one-week review in October 2019 by the Department of Homeland Security's Cybersecurity and Infrastructure Agency; letters of concern in November 2019 from members of Congress, sent to Voatz, the National Security Agency and the U.S. Department of Defense; and a 20-page report from MIT researchers in February 2020.
Voatz took issue with some of those, and reacted to the Trail of Bits assessment in a blog post on March 13, calling the Trail of Bits report “the first of many to come in the next several months.” That's part of the company's overall goal of "continuous security."
“We analyze the probability of risk around each issue by attempting to reproduce the issue from a real-world perspective and prepare a mitigation strategy accordingly,” the Voatz blog said.
To many experts in the field of voting or mobile technology, the race to build a truly secure online voting platform is a fool’s errand. One of those experts is Michael Fernandez, director of the Center for Scientific Evidence in Public Issues, a division of the American Association for the Advancement of Science, who responded at length to Government Technology’s questions by email. Fernandez cited the unambiguous opinion of the 2018 National Academies report Securing the Vote — which he called the most definitive and comprehensive report on U.S. voting security — that “insecure Internet voting is possible now, but the risks currently associated with Internet voting are more significant than the benefits.”
“There is no scientific evidence suggesting that mobile voting will be a viable option at any point in the near future," Fernandez wrote. "Although experts may debate a number of issues around election security, the insecurity of mobile voting is not up for debate among computer scientists. Despite the narrative and continued expectation by many that technology would eventually render Internet voting a reliably secure and effective method of voting, the scientific evidence has provided little backing for that belief both now and in the near future.”
Fernandez went on to explain that the challenge of mobile voting is not only about security, but also secrecy and verifiability of each vote — maintaining a system in which every ballot can be audited but no one can know how any specific person voted.
For state and local governments evaluating new tools and proposals from voting-technology vendors, Fernandez recommended those governments consult independent experts instead of the vendors themselves. He also pointed out that voting systems many jurisdictions were certified to 2005 standards, and that newer federal guidelines, Voluntary Voting System Guidelines Version 2.0, are worth checking before making purchasing decisions.
For additional information, he recommended that government officials look at resources offered by the National Institute of Standards and Technology and the Brennan Center for Justice. Above all, Fernandez reiterated the need for a system that allows for risk-limiting audits, for which hand-marked paper ballots are the gold standard.
“Risk-limiting audits are a more efficient and statistically sound process than traditional post-election audits that tally a fixed percentage of ballots,” he wrote. “Election officials should be looking for systems that facilitate risk-limiting audits, which of course requires a paper trail.”