Security Researchers Find Flaws in Online Voting System Tested in Five States

They say the vulnerabilities could allow hackers to manipulate voting data.

Jaap Arriens/NurPhoto via ZUMA Press

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.

An online voting technology that has been tested in five states can be hacked to alter, block, or expose voters’ ballots, according to research published Thursday by a trio of MIT researchers.

Voatz, a Boston-based company, claims its app allows for widely accessible and secure voting from smartphones by relying on security features built into the phones themselves. It has run pilots in several states including West Virginia, where the technology was used during the 2018 midterms to facilitate online voting for Americans living overseas, including military personnel. The app has also been used in various elections in Denver, Oregon, and Utah. In 2016, the Massachusetts Democratic Convention and Utah Republican Convention relied on this technology. This year, thousands more people in West Virginia were set to use the app under expanded access laws in the state designed to help absentee voters with disabilities, but now officials there are reconsidering their options.

The MIT researchers—graduate students Michael Specter and James Koppel and their adviser Daniel Weitzner—claim in their new paper that they found the vulnerabilities and disclosed them to the Department of Homeland Security in order to alert election administrators in the jurisdictions using the app.

Voatz is not a stranger to national headlines. In October 2019, then-CNN reporter Kevin Collier reported that a student from the University of Michigan had been referred to the FBI for investigation after the company claimed the student tried to break into its systems during the 2018 election. Last week, information security journalist Yael Grauer took a deeper look at the case, reporting how the company may have changed the terms of its bug bounty program—which offers rewards to researchers who find and report vulnerabilities—after the news broke, suggesting it may have sought to deter research on its tech.

Last November, Sen. Ron Wyden (D-Ore.) called for the Department of Defense and the NSA to audit Voatz, after complaining the company wouldn’t release security audits and wouldn’t identify the security researchers it claimed to be working with.

“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe,” Wyden said in a statement Thursday. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system. It is long past time for Republicans to end their election security embargo and let Congress pass mandatory security standards for the entire election system.”

In a response posted to its blog—”Chronicles of an Audacious Experiment”—Voatz called the MIT report “flawed.” The company claimed the researchers tested the company’s Android app “that was at least 27 versions old.” And it said the “outdated app” was never connected to the company’s servers but rather to simulated servers, and therefore made false “assumptions” about how the back end of the system works. “In short,” the company said, “to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers.”

The company claimed that past elections using its technology had run smoothly, and it attacked the MIT researchers for seeking “media attention,” contending their “true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”

Alex Halderman, an election security expert at the University of Michigan, tweeted Thursday that the findings show “there’s a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatz’s private key, impersonate the Voatz API server, and then intercept and change votes.” He said it was “shocking” how “primitive” the app is and that “no responsible jurisdiction should use Voatz in real elections any time soon.”

Of Voatz’s rebuttal to the MIT report, Halderman said: “The Voatz response doesn’t seem to dispute any of the specific technical claims in the MIT paper. That’s very telling, in my view. If any of it is wrong, Voatz should say what, specifically, that is. They don’t seem to even say the more recent version of the app works differently.”

The researchers claim that their analysis shows the app could allow an adversary to see a user’s vote or disrupt the transmission of voting data. An attacker could “control their vote,” the researchers claim, and if someone controls of the back-end server they’d have “full power to observe, alter, and add votes as they please.” This table outlines the researchers’ summary findings based on the level of access the adversary gains.

A summary of potential attacks a hacker could launch against the Voatz app, according to the MIT researchers.

Michael Specter, James Koppel, Daniel Weitzner

The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) worked with the MIT researchers to alert election officials, a CISA spokesperson told Mother Jones, and shared relevant information with Voatz as well. The election officials “were able to speak with the researchers and CISA to understand and manage risks to their systems,” the spokesperson said, adding that “there is no known exploitation of the vulnerabilities to the bring-your-own-device mobile voting system described in the research.”

Donald Kersey, general counsel for West Virginia Secretary of State Mac Warner, said in a statement provided to Mother Jones that the state appreciates “the responsible and ethical reporting of this research through the Department of Homeland Security by the research team at MIT,” and that Warner hasn’t decided which technology to use for the May 12 primary election or the general election in November. Warner’s office also provided a copy of a declassified DHS assessment of the Voatz network. The audit, conducted in Voatz headquarters last fall, found some security gaps but “did not identify any threat actor activity within Voatz’s network environment.”

The report doesn’t examine the app directly, but it does cover the cloud servers used to support it. While the team saw “no evidence of malicious activity,” it did find determine some server settings could “unintentionally lead to a reduced security posture.” Voatz reported to DHS that those concerns had been addressed.

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate