Voatz blockchain voting app security questioned in new study; DHS seems unconcerned
As if voting security concerns weren’t already on high alert for the potentially pivotal 2020 U.S. elections, widespread controversy has erupted over the security of Boston-based Voatz’s blockchain voting app, the first Internet-based voting app that’s been used in U.S. federal elections, especially for military members abroad and absentee voters. The Voatz app has also been used in federal, state, and local elections in West Virginia, Denver, Oregon, and Utah, the 2016 Massachusetts Democratic Convention, and the 2016 Utah Republican Convention.
The company also recently raised $7 million in Series A funding in anticipation of playing a larger role in Internet-based voting this year.
However, the security of the Voatz app was called into question following research by a team of MIT engineers in their recently published paper, A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, in which they alleged that Voatz’s blockchain voting app has “vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” and, “that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.”
The paper’s three authors, Michael A. Specter (Department of Electrical Engineering and Computer Science Ph.D. Candidate, CSAIL, Internet Policy Research Initiative), James Koppel (EECS Ph.D. Candidate, CSAIL, Computer Assisted Programming Group), and Daniel Weitzner (Research Scientist, CSAIL, Internet Policy Research Initiative), boldly claimed that “Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.”
“Although there is no public formal description of Voatz’s security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user’s device,” Specter, Koppel, and Weitzner wrote, adding that, “we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a cleanroom reimplementation of Voatz’s server and present an analysis of the election process as visible from the app itself.”
Specter, Koppel, and Weitzner discussed in detail their findings in their 20-page paper, and in their concluding section boldly stated: “Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned. We further recommend that any future designs for voting systems (and related systems such as e-poll books) be made public and that their details, source, threat model, as well as social and human processes be available for public scrutiny.”
They further noted “that all attacks presented in this paper are viable regardless of the app’s purported use of a blockchain, biometrics, hardware-backed enclaves, and mixnets,” and that “we join other researchers in remaining skeptical of the security provided by blockchain-based solutions to voting, and believe that this serves as an object lesson in security — that the purported use of a series of tools does not indicate that a solution provides any real guarantees of security.”
Consequently, they concluded, “(i)t remains unclear if any electronic-only mobile or Internet voting system can practically overcome the stringent security requirements on election systems.”
Unusually, the authors made a point of also stating that, “Given the heightened sensitivity surrounding election security issues, and due to concerns of potential retaliation, we chose to alert the Department of Homeland Security (DHS) and anonymously coordinate disclosure through their Cybersecurity and Infrastructure Security Agency (CISA)” and that “before publicly announcing our findings, we received confirmation of the vulnerabilities from the vendor, and, while they dispute the severity of the issues, appear to confirm the existence of the side channel vulnerability, and the PIN entropy issues. We also spoke directly with affected election officials in an effort to reduce the potential for harming any election processes.”
A CISA evaluation of the Voatz system, though, does not mention either a side-channel vulnerability or PIN issues. While neither DHS nor CISA has publicly commented on the matter, a leaked CISA Hunt and Incident Response Team (HIRT) report, Hunt Engagement Summary, Voatz, Inc., (which Voatz also made available), “summarize[d] HIRT’s activities, findings, and analysis from an on-site engagement in response to a written Request for Technical Assistance (RTA) signed on May 13, 2019, and is based on the final report received by Voatz in January 2020,” before the MIT researchers’ findings were published.
HIRT provides hunt assessments, upon client request, to determine if an intrusion has occurred within the client’s network environment. HIRT’s goal during a hunt is to search throughout the client’s critical, high-value network environment to determine if there is evidence of current or previous targeted malicious activity.
The document stated that “HIRT assessed 14 servers and 21 workstations and monitored network traffic from Voatz’s corporate headquarters located in Boston, MA. The onsite engagement ended on September 27, 2019, and post-engagement analysis concluded on October 4, 2019. HIRT did not identify any threat actor activity within Voatz’s network environment. During the hunt, HIRT identified some issues that while unrelated to threat actor activity, could pose threats to Voatz’s networks in the future and suggested some recommendations to further enhance the security posture.”
HIRT said it “commends Voatz for their proactive measures in the use of canaries, bug bounties, Shodan alerts, and active internal scanning and red teaming.”
The HIRT team made five recommendations, and in its updated February 11 report stated appropriate actions had either been taken or were in the process of being addressed to HIRT’s satisfaction. Voatz updated the report again on February 14, saying, “This Hunt Engagement Summary also contains additional information beyond what CISA provided in its Engagement Report, such as the descriptions of actions taken by Voatz in response to CISA’s findings.”
In its response, Voatz said, “the researchers were analyzing an Android version of the Voatz mobile voting app that was at least 27 versions old at the time of their disclosure and not used in an election. Had the researchers taken the time, like nearly 100 other researchers, to test and verify their claims using the latest version of our platform via our public bug bounty program on HackerOne, they would not have ended up producing a report that asserts claims on the basis of an erroneous method.”
Secondly, Voatz said, “as the researchers admitted, the outdated app was never connected to the Voatz servers, which are hosted on Amazon AWS and Microsoft Azure. This means that they were unable to register, unable to pass the layers of identity checks to impersonate a legitimate voter, unable to receive a legitimate ballot, and unable to submit any legitimate votes or change any voter data.”
Finally, “in the absence of trying to access the Voatz servers, the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” Voatz said, emphasizing that “this flawed approach invalidates any claims about their ability to compromise the overall system. In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers.”
Voatz executives were not happy with the MIT engineers’ conclusions – and the paper does tend to exhibit an unusual tone – nor with the researchers’ efforts to remain anonymous when they contacted CISA. “The researchers have labeled Voatz as ‘not transparent,’” Voatz said. “With qualified, collaborative researchers we are very open; we disclose source code and hold lengthy interactive sessions with their architects and engineers. We educate them on the critical demands of election security; they give us feedback and educate us on new best practices based on their practical knowledge of security drawn from other industries.”
Voatz said it “has worked for nearly five years to develop a resilient ballot marking system, a system built to respond to unanticipated threats and to distribute updates worldwide with short notice. It incorporates solutions from other industries to address issues around security, identity, accessibility, and auditability,” stressing, “We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues.”
Voatz CEO Nimit Sawhney told reporters last week that, “All of [the MIT engineers’] claims are based on the idea that, because they were able to compromise the device, they would be able to compromise the server. And that assumption is completely flawed.”
Continuing, Sawhney said the “whole paper is riddled with holes if I can use that word. For example, they talk about our use of the blockchain and say, executing a 51 percent attack. That attack is not possible because we do not use a public blockchain. We use a permissioned blockchain based on Hyperledger, and such an attack is not possible on that infrastructure. Similarly, they assume that by defeating the malware and the jailbreak detection on the mobile devices, that they will be able to connect to our server. Because they didn’t connect to our server, they did not experience all the checks which happen on the server, which would have prevented them from doing anything.”
“And then all of their claims are based on that,” Sawhney added. “That because they were able to jailbreak or successfully compromise a client device, that the assumption that the device would be able to connect to our server is completely, completely flawed. And so that’s the really, really strange thing was, why would they do such a hypothetical analysis when they had a real system to actually test it out?”
Voatz Vice President Hilary Braseth added: “I also want to address upfront and right away that very often our system is accused of not having a way to ensure that after a voter makes selections on a smartphone, that they don’t get changed during transmission. This is false. Every ballot submitted using Voatz produces a paper ballot, and every voter using Voatz receives a ballot receipt once they submit, and both of these documents are anonymized and encrypted, and together they form the building blocks for an end-to-end voter-verified feedback loop that allows the jurisdiction to confirm that whatever the voters submitted on the smartphone is what’s tabulated.”
Meanwhile, on Friday, West Virginia Secretary of State Mac Warner defended Voatz. The Secretary of State’s Office has endorsed the app during this year’s election, especially for voters who have physical disabilities. Echoing Voatz’s arguments regarding the MIT scientists’ research, Warner also pointed out that the researchers had tried to replicate a server like the one Voatz uses and had analyzed the outdated 2017 version of the app.
“They took an older version of one small sector on an Android phone and recreated what they thought was this apparatus and came up with their conclusions,” Warner said. “Voatz … countered that and argued that it would be like analyzing Windows 7 when Windows 10 is out.”