
Security issues found in Voatz app West Virginia used during 2018 midterm elections


Voting app used during 2018 midterm elections in West Virginia found to let hackers alter, stop or expose how an individual voted

  • Voatz app was used in West Virginia during the 2018 midterm elections
  • MIT experts investigated the app and found ‘it is riddled with security issues’ 
  • They found hackers can easily access the app and change how people vote
  • Third parties can also access the app and see people’s personal information 

West Virginia allowed residents to cast their vote in the 2018 midterm election using the smartphone app Voatz and thousands are expected to use the technology in this year’s election.

However, researchers at the Massachusetts Institute of Technology say the app ‘is so riddled with security issues that no one should be using it.’

The vulnerabilities hidden in the technology give hackers the ability to alter, stop or expose how an individual user has voted.

Researchers also uncovered that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.

The app has been used during elections in Denver, Oregon, and Utah, as well as at the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention – it was not used during the 2020 Iowa caucuses.


After uncovering the startling vulnerabilities, MIT turned them over to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency.

Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and founding director of the Internet Policy Research Initiative, said: ‘We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field.’

‘We cannot experiment on our democracy.’

To investigate Voatz, the team reverse engineered the app and found that an adversary with remote access to the device running the application can alter or see a user’s vote.

And if the server is hacked, which the team found can be easily done, the cybercriminal can change votes.


Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science and a member of MIT’s Internet Policy Research Initiative, said: ‘It does not appear that the app’s protocol attempts to verify [genuine votes] with the back-end blockchain.’

WHAT IS THE BLOCKCHAIN?  

Blockchain is a digital, public ledger that serves as a record of all types of transactions. 

The system became popularized as Bitcoin grew in use over the past few years. The blockchain serves as a digital record of cryptocurrency transactions.

Recently, companies have begun using the blockchain for a variety of different purposes. 

The blockchain records transactions, or blocks, in the order they were made.

Instead of one person having knowledge of the record’s order, everyone has access to the system and is able to verify the order. 

However, each transaction is encrypted with a ‘hash’ that converts each entry into a random jumble of letters and numbers using an algorithm. 

‘Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election.’ 

‘Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.’

The team also found that a third party has the ability to access a user’s photo, driver’s license data, or other forms of identification.

Matthew Green, an associate professor at the Johns Hopkins Information Security Institute, also noted: ‘I think this type of analysis is extremely important. Right now, there’s a drive to make voting more accessible, by using internet and mobile-based voting systems.’

‘The problem here is that sometimes those systems aren’t made by people who have expertise in keeping voting systems secure, and they’re deployed before they can get proper review.’

In the case of Voatz, he adds, ‘It looks like there were many good intentions here, but the result lacks key features that would protect a voter and protect the integrity of elections.’

 


