Third-party Voatz security assessment says third of findings were ‘high severity’
Trail of Bits has performed the first-ever “white-box” security assessment of the Voatz biometric voting platform, with access to the Voatz Core Server and backend software, and assessed that it “confirmed the issues flagged in previous reports by MIT and others, discovered more and made recommendations to fix issues and prevent bugs from compromising voting security.”
White-box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality.
In its report, Voatz Security Assessment Volume I of II: Technical Findings, prepared for Tusk Philanthropies and Voatz, Trail of Bits stated, “Our security review resulted in 79 findings. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.”
Trail of Bits said it “was uniquely qualified for this assessment, employing industry-leading blockchain security, cryptographic, Defense Advanced Research Projects Agency [DARPA] research, and reverse engineering teams, and having previously assessed other mobile blockchain voting platforms.”
Tusk Philanthropies and Voatz engaged Trail of Bits to review the security of the Voatz mobile voting platform on December 18, 2019. Trail of Bits conducted its “assessment over the course of twelve person-weeks with five engineers working from commit hash 3443f4a of the Voatz Core Server repository, commit hash 07d1adb of the Voatz Android Client, commit hash d8436c1 of the Voatz iOS client, and commit hash 69d7a8b of the Voatz Administrative Web Interface.”
“To the best of our knowledge,” the Trail of Bits report stated, “this is the first ‘white-box’ assessment of the Voatz system, and the first assessment to include in its scope the discovery of Voatz Core Server and backend software vulnerabilities. Our report and any conclusions drawn from it are only meant to reflect the security of the Voatz solution, not mobile voting in general,” emphasizing that the “review of election proceedings, both prior and current, was not in-scope” of its assessment.
The Voatz platform allows voters to cast ballots from any geographic location on supported mobile devices, but its mobile voting platform has been “under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election,” Trail of Bits said, adding that “the issues are serious enough to attract inquiries from the Department of Homeland Security [DHS] and Congress. However, there has been no comprehensive security report to provide details of the Voatz vulnerabilities and recommendations for fixing them — until now.”
Biometric Update previously reported that the security of the Boston-based Voatz blockchain voting app, the first Internet-based voting app used in U.S. federal elections, primarily by military members abroad and absentee voters, had been called into question following research by a team of MIT engineers. In their paper, A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, they alleged that Voatz’s blockchain voting app has “vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” and, “that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.”
The paper’s three authors, Michael A. Specter (Department of Electrical Engineering and Computer Science Ph.D. Candidate, CSAIL, Internet Policy Research Initiative), James Koppel (EECS Ph.D. Candidate, CSAIL, Computer Assisted Programming Group), and Daniel Weitzner (a Research Scientist, CSAIL, Internet Policy Research Initiative), claimed their “findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.”
Unusually, the authors made a point of stating that, “Given the heightened sensitivity surrounding election security issues, and due to concerns of potential retaliation, we chose to alert the Department of Homeland Security and anonymously coordinate disclosure through their Cybersecurity and Infrastructure Security Agency (CISA),” and that “before publicly announcing our findings, we received confirmation of the vulnerabilities from the vendor, and, while they dispute the severity of the issues, appear to confirm the existence of the side-channel vulnerability and … PIN entropy issues. We also spoke directly with affected election officials in an effort to reduce the potential for harming any election processes.”
A CISA evaluation of the Voatz system did not mention either a side-channel vulnerability or PIN issues, however. While neither DHS nor CISA publicly commented on the matter, a leaked CISA Hunt and Incident Response Team (HIRT) report, Hunt Engagement Summary, Voatz, Inc., (which Voatz also made available), “summarize[d] HIRT’s activities, findings, and analysis from an onsite engagement in response to a written Request for Technical Assistance (RTA) signed on May 13, 2019, and is based on the final report received by Voatz in January 2020,” before the MIT researchers’ findings were published.
HIRT provides hunt assessments upon client request to determine whether an intrusion has occurred within the client’s network environment. The goal of a hunt is to search throughout the client’s critical, high-value network environment for evidence of current or previous targeted malicious activity.
The document stated, “HIRT assessed 14 servers and 21 workstations and monitored network traffic from Voatz’s corporate headquarters located in Boston, MA. The onsite engagement ended on September 27, 2019, and post-engagement analysis concluded on October 4, 2019. HIRT did not identify any threat actor activity within Voatz’s network environment. During the hunt, HIRT identified some issues that, while unrelated to threat actor activity, could pose threats to Voatz’s networks in the future and suggested some recommendations to further enhance the security posture.”
HIRT said it “commends Voatz for their proactive measures in the use of canaries, bug bounties, Shodan alerts, and active internal scanning and red teaming.”
The Voatz app has also been used in federal, state, and local elections in West Virginia, Denver, Oregon, and Utah, the 2016 Massachusetts Democratic Convention, and the 2016 Utah Republican Convention.
Trail of Bits acknowledged that “the promises of mobile voting are attractive – better accessibility for differently-abled people, streamlined absentee voting, and speed and convenience for all voters. If a mobile platform could guarantee secure voting, it would revolutionize the process. It’s a fantastic goal – but there’s still work to do.”
“And yet,” the company said, “four security assessments that took place before ours could not quell a great deal of uncertainty and public speculation about Voatz’ implementation and security assurances.”
In May 2019, researchers from Lawrence Livermore National Laboratory, the University of South Carolina, Citizens for Better Elections, Free & Fair, and the U.S. Vote Foundation “enumerated a series of questions about the security of Voatz in What We Don’t Know About the Voatz ‘Blockchain’ Internet Voting System,” Trail of Bits stated, noting, “They asked questions like, ‘Does Voatz collect voters’ location data? If so, why?’ and, ‘How do we know that voter data cannot be retroactively deanonymized?’”
In November 2019, Senator Ron Wyden began sending letters to the National Security Agency and U.S. Department of Defense, Oregon Secretary of State Bev Clarno, and ShiftState Security. In a letter to Voatz signed by five members of Congress, they voiced “serious concern regarding reports that there may be substantial cybersecurity vulnerabilities associated with your company’s mobile voting application.”
In its report, Trail of Bits said, “The Voatz system has over two dozen components in its architecture. Trail of Bits’ engineers made their best effort to manually inspect each piece of code; however, this required each engineer to analyze, on average, almost 3,000 pure lines of code across 35 files per day of the assessment in order to achieve minimal coverage. Trail of Bits was only provided a backend for live testing on the second-to-last scheduled day of the assessment and was asked not to attack or maliciously alter the instance in such a way that it would deny service to other concurrent audits sharing it. Therefore, almost all of the findings in this report are the result of a manual analysis of the codebase.”
The assessment resulted in forty-eight technical findings, of which a third were high severity, another quarter medium severity, and the remainder a combination of low, undetermined, and informational severity. The high-severity findings were determined to be related to “cryptography, e.g., improper use of cryptographic algorithms, as well as ad hoc cryptographic protocols, and data exposure, e.g., sensitive credentials available to Voatz developers and personally identifiable information that can be leaked to attackers, and data validation, e.g., a family of findings related to reliance on unvalidated data provided by the clients.”
The Trail of Bits report said “the use of the Hyperledger Fabric blockchain mimics the functionality of a distributed database with auditability” and that “the assessed version of Voatz no longer uses any custom chaincode or smart contracts; all data validation and business logic are executed off-chain in the Scala codebase of the Voatz Core Server.”
Several of the “high-risk findings were the result of data validation issues and confused deputies in the Core Server that could allow one voter to masquerade as another before even touching the blockchain.”
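To make the two finding classes named above concrete (reliance on unvalidated client data, and a confused deputy that lets one voter act as another), here is a constructed, generic illustration: a minimal ballot-submission handler that takes the voter identity from the request body, beside a hardened version that derives it from the authenticated session and validates the device identifier. This is added example code, not Voatz’s code, and the request shape, session store, `login` helper and device ID format are assumptions made for the illustration.

```python
"""Constructed illustration of the 'trust the client' defect class beside a
hardened handler. Not Voatz code; request shape, session store and device ID
format are assumptions for this example."""
import re
import secrets

# Constructed in-memory state standing in for a real session store and ballot box.
SESSIONS: dict[str, str] = {}  # bearer token -> authenticated voter id
BALLOTS: dict[str, dict] = {}  # voter id -> recorded ballot

# Assumed device ID format: 8-64 chars of letters, digits or hyphens.
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")


class RejectedRequest(Exception):
    """Raised by the hardened handler when a request fails validation."""


def login(voter_id: str) -> str:
    """Stand-in for an authentication step: issue a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = voter_id
    return token


def cast_vote_insecure(request: dict) -> dict:
    """Vulnerable form: the voter identity and device ID are taken straight from
    the client-supplied body. Any client with a session can therefore record a
    ballot under another voter's identity (a confused deputy), and nothing
    checks the device ID's shape before it is stored."""
    body = request["body"]
    voter_id = body["voter_id"]  # client-controlled: never verified against the session
    BALLOTS[voter_id] = {"choice": body["choice"], "device": body["device_id"]}
    return {"status": "ok", "voter_id": voter_id}


def cast_vote_hardened(request: dict) -> dict:
    """Hardened form: identity comes only from the authenticated session, any
    client-supplied voter_id must agree with it, the device ID is validated
    against an explicit pattern, and duplicate submissions are refused."""
    token = request.get("headers", {}).get("Authorization", "")
    voter_id = SESSIONS.get(token)
    if voter_id is None:
        raise RejectedRequest("no valid session")

    body = request["body"]
    claimed = body.get("voter_id")
    if claimed is not None and claimed != voter_id:
        # The client tried to speak for someone else: reject rather than trust it.
        raise RejectedRequest("voter_id does not match authenticated session")

    device_id = body.get("device_id", "")
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise RejectedRequest("malformed device_id")

    if voter_id in BALLOTS:
        raise RejectedRequest("ballot already recorded for this voter")

    BALLOTS[voter_id] = {"choice": body["choice"], "device": device_id}
    return {"status": "ok", "voter_id": voter_id}


def demo() -> dict:
    """Run both handlers against the same impersonation attempt and report
    which one let the ballot land under the wrong voter."""
    SESSIONS.clear()
    BALLOTS.clear()
    login("alice")
    bob_token = login("bob")
    # Constructed request: bob's session, but the body claims to be alice.
    forged = {"headers": {"Authorization": bob_token},
              "body": {"voter_id": "alice", "choice": "A", "device_id": "dev-00001234"}}

    cast_vote_insecure(forged)
    insecure_wrote_alice = "alice" in BALLOTS
    BALLOTS.clear()

    try:
        cast_vote_hardened(forged)
        hardened_rejected = False
    except RejectedRequest:
        hardened_rejected = True

    return {"insecure_wrote_alice": insecure_wrote_alice,
            "hardened_rejected": hardened_rejected,
            "alice_ballot_after_hardened": "alice" in BALLOTS}


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that the fix is not a better blockchain or stronger cryptography downstream; it is refusing to let the client assert who it is. Every later control (audit log, chain write) is only as trustworthy as the identity binding made at this step.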
Continuing, the Trail of Bits 122-page report said “storing voting data on a blockchain maintains an auditable record to prevent fraud, but this comes at the expense of both privacy and increased attack surface,” explaining that “clients do not connect directly to the blockchain themselves, and are therefore unable to independently verify that their votes were properly recorded. Anyone with administrative access to the Voatz backend servers will have enough information to fully reconstruct the entire election, deanonymize votes, deny votes, alter votes, and invalidate audit trails.”
The report pointed out that “other e-voting systems attempt to achieve the best of both worlds – cryptographic authentication, validation, and nonrepudiation as well as provable privacy – by using exotic cryptographic schemes like zero-knowledge proofs and forms of secure multiparty computation. However, these, like proof-of-authority blockchains, are nascent technologies that are exceedingly hard to implement correctly, as was recently demonstrated by the failure of Swiss Post’s e-voting experiment.”
Throughout its engagement in studying the Voatz system, Trail of Bits said it “provided assistance to Voatz in navigating this complex trade space to mitigate the risks presented by voting systems in general and, if possible, avoid issues that have plagued other experimental voting systems.”
Voatz’s backend and mobile client code “is written intelligibly and with a clear understanding of software engineering principles,” the report stated, noting that “the code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage and improper web request sanitization.”
“However,” Trail of Bits pointed out, “it is clear that the Voatz codebase is the product of years of fast-paced development” and “lacks test coverage and documentation.” The report concluded that “logical checks for specific elections are hard-coded into both the backend and clients,” and that “infrastructure is provisioned manually without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been. Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously,” while “mobile clients neglect to use recent API features of Android and iOS,” “sensitive API credentials are stored in the git repositories,” and “many of its cryptographic protocols are nonstandard.”
Trail of Bits wrote that, given “a great deal of uncertainty and public speculation about Voatz’s implementation and security properties … we sought to investigate a series of questions that would address the overall security posture, guarantees, and behavior of the Voatz system.”
The answers to those questions are in the Security Properties and Questions section of the report.
In conclusion, Trail of Bits stated, “Voatz should immediately address all of the recommendations in the ‘Short Term’ section of our recommendations summary, especially those related to high-severity issues. High priority should be given to remediating data sanitization of device IDs, improper use of cryptography, and overreliance on the authenticity and honesty of client implementations.”
Additionally, the study found that “operationally, the system is also in dire need of infrastructure management automation. Overall, it seems that Voatz is struggling to manage a codebase of its size while concurrently, manually managing election pilots. We hope that this assessment will improve the overall security posture of the Voatz system, but there is still a great deal of work to be done to achieve that goal.”
In an update, Trail of Bits said that a few weeks ago it reviewed the fixes “proposed by Voatz for the issues presented in” the report, and that “eight issues were addressed and forty issues remain partially or fully unfixed.”
“The quantity of findings discovered during [Trail of Bits] assessment, the complexity of the system, and the lack of access to both a running test environment as well as certain codebases lead us to believe that other vulnerabilities are latent,” the company said.
Voatz said in its recent response that “We consider today to be an important milestone as part of our ongoing efforts to chart a new, forward approach to transparency in our elections infrastructure. We recognize that transparency in our critical infrastructure is both desired and not always championed across the industry. As part of our effort to shift the paradigm, we announce the publishing of one of our public, comprehensive audits of our system, conducted in partnership with leading security consulting firm Trail of Bits.”
“Security has been our utmost priority since day one – in fact, the earliest roots of our company came from winning the ‘Hack to the Future’ hackathon at SXSW,” the company stressed. “Beyond the ‘hacker’s mindset’ being embedded deep in our DNA, across our corporate and elections infrastructure, we focus heavily on the practical aspects of security and a highly layered approach to provide defense in depth.”
Voatz said it is continuing to invest in recurrent, continuing audits by independent third parties that involve a thorough investigation of the entire system.
The company added that the Trail of Bits report is just “the first of many to come in the next several months” and that it has “voluntarily engaged with multiple agencies in DHS, including CISA [and] one of the leading federal testing labs in the nation to review the technologies deployed in our pilots,” and that “these audits are ongoing … due to the ever-evolving nature of threats along with the rapid iterations in the platform itself.”