Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities

from the bringing-new-attack-vectors-to-previously-excluded-voters dept

Mobile voting app Voatz is still a mess. Two years ago, West Virginia decided to give the app a spin to allow some voters to vote from home during the midterm elections. Nobody in the security world thought this was a good idea. The only people who did feel this was a safe, secure way to collect votes were state legislators and Voatz itself. Some early poking and prodding by security researchers immediately found problems with Voatz’s handling of votes, including out-of-date SSH and unproven facial recognition tech that was supposed to verify voters by matching their selfies to their government IDs.

Two-and-a-half years later, not much has improved. Voatz is still courting state governments, trying to talk them into using its app to allow the housebound and those overseas to vote in their elections. An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes — and alter or trash them — without anyone on either end realizing they’d been hacked.

Voatz responded badly, insulting the researchers and claiming its server-side software would miraculously prevent the described attack from happening. When the researchers pointed out Voatz was wrong about its own software, it published a blog post attacking the researchers as “publicity hounds” seeking to disrupt the election process.

Another month has passed and it’s more bad news for Voatz. Voatz and Tusk Philanthropies hired cybersecurity firm Trail of Bits to perform a security audit of its software. Guess what? It’s still a mess.

Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.

More specifically, it’s pretty much everything about the entire system:

Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).

This is software that’s been used by governments to collect more than 80,000 votes in more than 50 elections. This is the software Sen. Ron Wyden has called “snake oil.” When Voatz actually attempts to fix something, it sometimes makes it worse. From Motherboard’s report on the Trail of Bits audit:

In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. In this instance, Trail of Bits initially identified an issue where an attacker with knowledge of the target’s phone number could hijack the target’s Voatz account during re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that “can allow an attacker to bypass SMS verification during pre- and re-registration.” Voatz said this issue was fixed, but Trail of Bits could not independently confirm because it did not have access to the updated, supposedly fixed code.

Voatz continues to seek shelter in the comforting embrace of denial, even when faced with findings from researchers it hired to audit its software. The company’s CEO, Nimit Sawheny, told Motherboard that while he didn’t dispute any of the technical details, Voatz is still safe to use because the deficiencies highlighted were “theoretical” and that he had not seen any proof yet that Voatz has been hacked.

Even theoretical holes can do real damage, once attackers figure out how to exploit the flaw. Just because Voatz hasn’t been hacked yet doesn’t mean it won’t be. And it won’t get more hack-proof if the company continues to downplay researchers’ findings or — in the case of the MIT study — publicly attack people who are doing everything they can to ensure elections aren’t disrupted (or hijacked) by malicious parties.

Worse, even as Trail of Bits was confirming the findings of the MIT report, the company’s CEO continued to claim MIT’s findings were mere “opinion” and that this report was filled with errors. This led to the following statement from the MIT team:

“It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public,” the authors of the MIT report told Motherboard in a statement.

Bringing voting options to people who previously had no choice but to sit out elections is important. But that doesn’t mean the American public should be forced to settle for half-assed solutions just because something better isn’t available at the moment. No parent wants to hear their child is ugly and full of security flaws, but Voatz’s insistence on attacking researchers and their findings does not make the company seem any more trustworthy or capable of providing a secure mobile voting option.

Filed Under: , , , ,
Companies: voatz

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cybersecurity Firm Hired By Voatz To Audit Its System Finds Voatz Is Full Of Vulnerabilities”

Subscribe: RSS Leave a comment
This comment has been deemed insightful by the community.
TKnarr (profile) says:

When Sawheny says they don’t have to worry because they haven’t been hacked yet, I’m minded of:

  1. No Apollo capsule had had a fire due to a pure-oxygen atmosphere… until January 26, 1967.
  2. No Space Shuttle had had a failure due to O-rings… until January 28, 1986.
  3. No Space Shuttle had had a failure due to debris strikes from the main fuel tank… until February 1, 2003.
  4. No 737 MAX had had a fatal accident due to malfunction of the AOA indicator and the MCAS software… until October 29, 2018.
  5. The Voatz software had never suffered a hack… until ?.
That One Guy (profile) says:

Re: Re:

Oh it’s actually even worse.

An MIT study of the software found multiple issues, including flaws that would allow attackers to intercept votes — and alter or trash them — without anyone on either end realizing they’d been hacked.

Assuming that is correct then the claim that ‘they haven’t been hacked yet’ is one that simply cannot be assumed to be correct, as they could very well have been and simply don’t know it.

Anonymous Coward says:

Bringing voting options to people who previously had no choice but to sit out elections is important.

How many people are in this situation, where voting at the normal and advance polls isn’t an option, voting at special polls (eg. hospital polls) won’t work, and mail voting isn’t available? And do the people in that group have the required electronic devices?

ECA (profile) says:

I dont know..

But considering all that programming can do, a remote access type is going to be plagued with problems.
Person and device verification.
Loss prevention
Location ID
But even this, at the polls isnt being done.
They arnt using any resource at the polls, LIKE DMV/DOT pictures. Most just ask for a drivers license.. Which we KNOW can be faked. Anything can be faked.

I wont even go into being PART of the system, and being able to fake Whole personalities..

Upstream (profile) says:

Re: I dont know..


There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology in the foreseeable future.

Their Computer Technologists’ Statement on Internet Voting is a good, fairly short (< 1 page) read on the subject.

ECA (profile) says:

Re: Re: I dont know..

There is 1 major fault, not flaw…
Its the interaction of humans, and verification of such.
How do you stop a group from falsifying, data to create persona to use in voting??
There are not any formats we have to stop this. i can even express how its done, from the past and upto about 2000. Not sure of the possibility at this time, but with a little money, could keep this rolling.

There was a way expressed in the Anarchist cookbook, that worked until they started giving SS# at birth. Before that time we only got them in middle teens.
For a very long time, keeping records for Birth/death/marriage/… in the states REALLY sucked, and with computers at least there is abit better coverage of this.
If someone was shown to move out of a state it was not easy to Find their DATA to match up to records IN the original state. Let alone trying to find a persons SS# after death, because few carry a card with them. its only been enforced by the corps and insurance corps..

In all of this, it would not take much to get a Doctor to Falsify a birth. Esp in rural area. Get the SS#, and creat false history.
Unless you want a Tattoo or Chip in everyone, its not that easy to KEEP Identity safe or private.

That One Guy (profile) says:

"I reject your reality and substitute my own!"

There’s confidence in your product, and then there’s willful blindness, hiring experts to check your product to rebut the people calling it full of holes only to ignore those experts when they confirm the original assessment.

You wouldn’t trust a car maker who said that they don’t need to worry about claims that their car designs are horribly unsafe because crashes are ‘theoretical’…

You wouldn’t trust your money to bank that responded to claims that they don’t use encryption to protect accounts because security breaches are ‘theoretical’ and the people pointing that out are only doing so ‘for the attention’…

And you shouldn’t trust a voting app company who is told about security problems with their product, has those problems confirmed, and then proceeds to dismiss all concerns by claiming that there’s no proof (yet) that those security problems have been exploited.

ECA (profile) says:

Re: "I reject your reality and substitute my own!"

how about the Only warranty the car maker tries to give you..
10 years 100,000 miles..on the DRIVE TRAIN..
Ever wonder about that??
OH! its now a shorter time??
5 years and 60,000 miles?

"A drivetrain warranty includes the transmission, driveshaft, axles, and wheels, but it does not include the engine. A powertrain warranty covers everything that makes a vehicle move, from the engine to the transmission to the parts that allow power to travel from the engine to the wheels."

Dont read the EXCLUSION section..its all the plastic and rubber on the engines, including Wires.

Coake Enniday says:

The Benefit of the Doubt.

I am constantly amazed by the way people always consider that code companies like this are incompetent, or uncaring, and absolutely never consider that they are deliberately creating flaws in order to serve a less than altruistic purpose – in this case, insuring that the election results CAN be altered externally, on the fly, by those that know the means/flaws provided by the software manufacturer in the code.

I ask myself this question: is there more money to be made by selling software to the combined states of America that gets used once every four years, or by offering a private deal to the billionaires that run the country, that will insure the candidate they desire will win the election – any election that uses that company’s code.

"Never attribute to malice that which can be explained by incompetence."
Indeed. One wonders Who actually created and disseminated that saying.
The Why seems pretty obvious now. I’ve no doubt however that people will consider that the originator of the statement did so out of incompetence, rather than malice.

Upstream (profile) says:

Re: The Benefit of the Doubt.

Hanlon’s Razor might not be so sharp after all.

Hanlon was a blind ostrich who wore rose colored glasses and persistently whistled the theme song to Annie. Unfortunately, applying Hanlon’s Razor often results in giving someone a pass, or a psuedo-legitimate excuse, when it is not warranted.

In the case of Voatz, it is definitely a stretch to think that their responses to revelations of serious security problems with their product are the result of incompetence or ignorance. It also seems unlikely that the security problems themselves are the result of incompetence or ignorance.

Just because the security holes were not clearly labeled "Back Door to Alter Election Results" does not mean that they were not intended to be exactly that.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...