
Security experts raise concerns about voting app used by military

The vulnerabilities could allow nation-state hackers to view, block or even change smartphone ballots before they're counted, according to a new paper written by three researchers at the Massachusetts Institute of Technology.

The app is designed by the company Voatz, whose technology has been piloted so far in West Virginia, Colorado and Utah.

The company called the report "flawed" in a statement posted to its website Thursday.

"We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues," Voatz said in the statement. "The researchers' true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."

The report comes amid rising concern about the use of apps and online voting tools in the 2020 election following the failure of reporting tools in the Iowa caucuses.

Last year, Utah County, Utah, began using Voatz for disabled and military voters based overseas. In an interview, County Clerk Amelia Powers Gardner said Voatz made more sense than the previous system, which required remote voters to submit their ballots by email.

A review of Utah County's implementation of Voatz — prior to the MIT report's publication — did not uncover any problems, Gardner told CNN. Gardner said that in phone conversations with the MIT researchers, it became clear they preferred voting to be done the traditional way, by pencil and paper. But Gardner said that isn't feasible for Utahns living abroad.

"I have a legal obligation to provide our military members overseas an electronic form of a ballot," she said, "and if it's not this, it's email — which they agreed is not as secure."

The researchers' conclusions about security risks in the app were based on a reverse-engineered version of Voatz's Android app, which they ran in a simulated environment.

According to the study, a hacker who gains control of a smartphone with the app installed could interfere in the voting process by altering ballots or figuring out which candidate a voter supports. "Which means they could stop your ballot if they knew you were going to vote for someone they didn't like," Mike Specter, one of the authors of the report, told CNN.

Other election security experts who have reviewed the MIT paper say it appears solid. "This study from MIT appears to have been structured with care in the way that the analysis was conducted," said Andrea Matwyshyn, an election security expert at Penn State University.

On a conference call with reporters Thursday, however, Voatz criticized the report's methodology. Company executives said the researchers had used an outdated version of the software and that some of the issues they found had already been patched. Voatz also accused the researchers of making "hypothetical" claims based on their simulation, rather than having the app interact with an actual Voatz server.

"We already have this server available," said Nimit Sawhney, Voatz's CEO. "It's to our public bug bounty program. Anybody who wishes to sign up, test the apps over there, against the real server with full functionality, is able to do that."

The company declined to comment further.

While participating in the bug bounty program would allow researchers to verify how Voatz's app interacts with the company's servers, the law largely prohibits researchers from testing the servers themselves, said Eric Mill, a cybersecurity expert who has administered technology programs for the federal government.

"The fact that the app happens to talk to the server isn't the same as giving permission to research the real server," said Mill.

Critics say Voatz should be more transparent about its technology and those it has tapped to perform independent audits. They also say Voatz previously reported a University of Michigan researcher to the FBI for cond
