MIT says hackers could change ballots in widely used voting app
An internet voting app that has been used in pilots in West Virginia, Denver, Oregon and Utah has vulnerabilities that could allow hackers to change a person’s vote without detection, according to researchers at the Massachusetts Institute of Technology.
The analysis of the Voatz app, which mostly has been used for absentee voters and overseas military personnel, found that attackers could “alter, stop or expose how an individual has voted.”
Voting security experts have long argued that online voting is dangerously insecure.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” Daniel Weitzner, an MIT scientist who oversaw the report, said Thursday.
The study’s findings were unsurprising, said Jocelyn Bucaro, Denver’s director of elections. The clerk’s office previously commissioned a security audit and knew of some of the app’s weaknesses. Still, the study didn’t examine every facet of the app, she said, and there’s time to make improvements.
Voatz was used as a pilot program for Denver’s 2019 municipal election and would not be used again until 2023 at the earliest, Bucaro said.
“We’re hoping to see some standards developed and then see Voatz and other applications work to meet those standards,” she said.
The researchers said they were forced to reverse-engineer an Android version of the app because Voatz hasn’t allowed transparent third-party testing of the system.
Boston-based Voatz disputed the research methods, issuing a statement that said the analysts used an old version of the app and accused them of acting in “bad faith.” The company noted it hasn’t had any reported issues in its counting of less than 600 votes over nine pilot elections.
Although few voters are expected to cast ballots on such apps in the coming election, the report casts a harsh light on the looming proposition of online voting. In 2018, Alaska explored using an online voting system but shuttered the program because of security concerns.
To some experts, a study finding holes in a smartphone voting app wasn’t a shock.
“Not to in any way diminish this (excellent) work, but the fact that an online mobile voting scheme has serious security flaws is ultimately unsurprising,” tweeted Matt Blaze, a professor of computer science and law at Georgetown University. “Every serious expert has warned against Internet voting.”
Voatz was used in West Virginia’s 2018 elections, but state officials were quick to point out that it counted fewer than 200 ballots and had no reported problems. The app also was used in the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention.
The study comes as West Virginia prepares to choose an online voting system for a new law requiring that it allow people with physical disabilities to vote electronically. Donald Kersey, a general counsel in the secretary of state’s office, said officials haven’t decided on which platform they will use to conform to the new law but maintained that public confidence is paramount.