MIT researchers have discovered several vulnerabilities in a mobile voting application, raising serious questions about election security.
Voatz’s eponymous app has been used since the 2018 midterm elections in counties in West Virginia, Oregon, Washington and Utah, as well as by overseas and military voters. The company has touted its blockchain-based security features and its remote identity verification technologies.
Researchers have instead found a large number of vulnerabilities capable of allowing hackers to alter, stop, or expose submitted votes.
“We find that Voatz is vulnerable to a number of attacks that could violate election integrity. For example, we find that an attacker with root access to a voter’s device can easily evade the system’s defenses, learn the user’s choices (even after the event is over), and alter the user’s vote,” stated the researchers in the introduction to the white paper.
“[E]xploitation would be well within the capacity of a nation-state actor,” the authors went on to state before flatly concluding that the Voatz application “is not secure.”
Voatz posted a blog post rebutting the findings, claiming that the version of the app studied was “at least 27 versions old… and not used in an election.” It went on to explain that no issues had been reported, and even accused the researchers of aiming “to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
Election security experts and politicians including Oregon Senator Ron Wyden have criticized the company and its response to the paper.
“I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe… Americans need confidence in our election system,” said Wyden.
Read the MIT researchers’ findings here.