Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities
from the bringing-new-attack-vectors-to-previously-excluded-voters dept
Mobile voting app Voatz is still a mess. Two years ago, West Virginia decided to give the app a spin to allow some voters to vote from home during the midterm elections. Nobody in the security world thought this was a good idea. The only people who did feel this was a safe, secure way to collect votes were state legislators and Voatz itself. Some early poking and prodding by security researchers immediately found problems with Voatz’s handling of votes, including out-of-date SSH and unproven facial recognition tech that was supposed to verify voters by matching their selfies to their government IDs.
Two-and-a-half years later, not much has improved. Voatz is still courting state governments, trying to talk them into using its app to allow the housebound and those overseas to vote in their elections. An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes — and alter or trash them — without anyone on either end realizing they’d been hacked.
Voatz responded badly, insulting the researchers and claiming its server-side software would miraculously prevent the described attack from happening. When the researchers pointed out Voatz was wrong about its own software, it published a blog post attacking the researchers as “publicity hounds” seeking to disrupt the election process.
Another month has passed and it’s more bad news for Voatz. Voatz and Tusk Philanthropies hired cybersecurity firm Trail of Bits to perform a security audit of its software. Guess what? It’s still a mess.
Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.
More specifically, it’s pretty much everything about the entire system:
Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).
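One of the findings quoted above, API credentials checked into git, is the kind of thing a repository scan catches before an auditor has to. The scanner below is an added illustration, not code from the Trail of Bits report or from Voatz; the file contents, variable names and the AWS-style key id in it are constructed placeholders, and the entropy threshold is an assumed tuning value.

```python
"""Small repository secret scanner: walks file contents and flags
credential-looking values. Added example, not part of the audit or of
Voatz's code; the sample files below are constructed for illustration."""

import math
import re
from collections import Counter

# Assignments of credential-named variables to long literal values.
# The list of names is an assumption about common naming, not exhaustive.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["']?([A-Za-z0-9_\-/+=]{12,})["']?"""
)
# AWS access key ids have a fixed, recognisable shape.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

# Obvious placeholders are not secrets; skip them rather than page on them.
PLACEHOLDER_PREFIXES = ("CHANGEME", "YOUR_", "EXAMPLE")


def shannon_entropy(s):
    """Bits per character; real random keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line number, finding label) tuples for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private-key-block"))
            continue
        if AWS_KEY_RE.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group(2)
            if value.upper().startswith(PLACEHOLDER_PREFIXES):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((path, lineno, f"high-entropy-{m.group(1).lower()}"))
    return findings


def scan_repo(files):
    """files maps repository path -> file text (e.g. from a git tree walk)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        'SMS_API_KEY = "Zq8vL2pX9mT4kR7wN1sH6yB3"\n'
        'DB_PASSWORD = "CHANGEME_in_production"\n'
    ),
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set API_KEY from the environment; never commit it.\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

Run against a real checkout, this kind of scan belongs in a pre-commit hook or CI job; the placeholder list and entropy threshold are what keep it from flagging every example config in the tree.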
This is software that’s been used by governments to collect more than 80,000 votes in more than 50 elections. This is the software Sen. Ron Wyden has called “snake oil.” When Voatz actually attempts to fix something, it sometimes makes it worse. From Motherboard’s report on the Trail of Bits audit:
In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. In this instance, Trail of Bits initially identified an issue where an attacker with knowledge of the target’s phone number could hijack the target’s Voatz account during the re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that “can allow an attacker to bypass SMS verification during pre- and re-registration.” Voatz said this issue was fixed, but Trail of Bits could not independently confirm because it did not have access to the updated, supposedly fixed code.
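The two bugs Motherboard describes are both failures of the same property: a (re-)registration must not touch the account until the person holding the phone has proven it with a code that belongs to that exact attempt. The service below is an added illustration of that property, not Voatz's code, and its structure (attempt ids, code lifetime, guess budget) is an assumption about how such a flow can be built, not a description of how Voatz's works.

```python
"""Pre-/re-registration flow in which SMS verification cannot be skipped:
the phone stays bound to its current device until a single-use,
time-limited code for this exact attempt has been verified.
Added example; not Voatz's code, and the design is an assumption."""

import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a verification code
MAX_ATTEMPTS = 5         # assumed guess budget per attempt id


class RegistrationService:
    def __init__(self, now=time.time):
        self.accounts = {}   # phone -> device id currently authorised
        self.pending = {}    # attempt id -> pending (re)registration
        self.sent_sms = []   # (phone, code) pairs; stand-in for the SMS gateway
        self.now = now

    def start_registration(self, phone, device_id):
        """Begin pre- or re-registration of `phone` on `device_id`.

        Knowing a phone number creates or moves nothing yet. The returned
        attempt id is what ties the later verification to this request, so a
        code sent for one attempt cannot confirm a different one.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        attempt_id = secrets.token_urlsafe(16)
        self.pending[attempt_id] = {
            "phone": phone,
            "device_id": device_id,
            "code": code,
            "created_at": self.now(),
            "attempts": 0,
        }
        self.sent_sms.append((phone, code))   # would go to the SMS gateway
        return attempt_id

    def verify(self, attempt_id, code):
        """Return True and (re)bind the account only when the code matches."""
        p = self.pending.get(attempt_id)
        if p is None:
            return False
        if self.now() - p["created_at"] > CODE_TTL_SECONDS:
            del self.pending[attempt_id]      # expired: discard, never extend
            return False
        p["attempts"] += 1
        if p["attempts"] > MAX_ATTEMPTS:
            del self.pending[attempt_id]      # guess budget exhausted
            return False
        if not hmac.compare_digest(p["code"], code):
            return False                      # wrong code; nothing changes
        del self.pending[attempt_id]          # single use
        # Only now does the phone become bound to the new device: created on
        # pre-registration, moved off the old device on re-registration.
        self.accounts[p["phone"]] = p["device_id"]
        return True

    def authorised_device(self, phone):
        return self.accounts.get(phone)


if __name__ == "__main__":
    svc = RegistrationService()
    phone = "+15555550100"                    # constructed number
    a = svc.start_registration(phone, "first-device")
    print("bound before verify:", svc.authorised_device(phone))
    print("verified:", svc.verify(a, svc.sent_sms[-1][1]))
    print("bound after verify:", svc.authorised_device(phone))
```

The point worth checking in any real implementation is the ordering in `verify`: the existing binding is untouched on every failure path, and the pending record is removed after one success, so a code cannot be replayed to move the account a second time.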
Voatz continues to seek shelter in the comforting embrace of denial, even when faced with findings from researchers it hired to audit its software. The company’s CEO, Nimit Sawhney, told Motherboard that while he didn’t dispute any of the technical details, Voatz is still safe to use because the deficiencies highlighted were “theoretical” and he had not seen any proof yet that Voatz has been hacked.
Even theoretical holes can do real damage, once attackers figure out how to exploit the flaw. Just because Voatz hasn’t been hacked yet doesn’t mean it won’t be. And it won’t get more hack-proof if the company continues to downplay researchers’ findings or — in the case of the MIT study — publicly attack people who are doing everything they can to ensure elections aren’t disrupted (or hijacked) by malicious parties.
Worse, even as Trail of Bits was confirming the findings of the MIT report, the company’s CEO continued to claim MIT’s findings were mere “opinion” and that this report was filled with errors. This led to the following statement from the MIT team:
“It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public,” the authors of the MIT report told Motherboard in a statement.
Bringing voting options to people who previously had no choice but to sit out elections is important. But that doesn’t mean the American public should be forced to settle for half-assed solutions just because something better isn’t available at the moment. No parent wants to hear their child is ugly and full of security flaws, but Voatz’s insistence on attacking researchers and their findings does not make the company seem any more trustworthy or capable of providing a secure mobile voting option.