Security flaws mar mobile voting app, researchers say

Voatz, maker of a smartphone app used by military and overseas voters, disputes the findings as incomplete.

Laura Hautala Former Senior Writer
Back to paper? (Getty Images)

The Voatz mobile phone voting app has significant vulnerabilities, according to a paper released Thursday by MIT computer science researchers. The flaws in the app's design could let sophisticated hackers learn voters' identities or IP addresses, access votes and, in some cases, change them, the researchers found.

The app, used primarily by military and overseas voters, is the only voting app on the market, according to The New York Times, which reported the research earlier Thursday. The weaknesses addressed in the MIT paper were in the app that's installed on voters' phones. 

"Exploitation would be well within the capacity of a nation-state actor," the researchers, Michael A. Specter, James Koppel and Daniel Weitzner, wrote in their paper. Voatz disputes the findings.

The research comes amid calls from election security experts to use paper ballots in all elections. The Voatz app has been used to help overseas and military voters cast their ballots in the state of West Virginia, as well as localities like Denver, Colorado, and Utah County, Utah. In previous elections, overseas voters have had to waive their right to a secret ballot, and then print out a paper version of their ballot, scan it, and email it back to elections officials.

In a lengthy response, Voatz said the researchers' information was incomplete. They used an older version of the app's software, Voatz said, and they weren't able to see the backend protections that would prevent successful exploitation of the voting process. The company also criticized the researchers' methods, saying they didn't inform Voatz of the research until it became public.

"In short, to make claims about a backend server without any evidence or connection to the server negates any degree of credibility on behalf of the researchers," Voatz said. The company accused the researchers of trying to stir doubt and uncertainty in the security of elections.

As ZDNet points out, Voatz previously reported to the FBI activity on its backend systems that originated from a student researcher at the University of Michigan. But the company says it works with security experts who have access to more of its code and provide valuable feedback.

"Voatz has worked for nearly five years to develop a resilient ballot marking system, a system built to respond to unanticipated threats and to distribute updates worldwide with short notice," the company said.

The flaws found in the research were in the network protocol, which transmits information to and from the app, as well as the blockchain technology that protects votes. It was also possible for an attacker with root access to a voter's phone to see and potentially change votes, even after they had been sent, the researchers found.