Researchers at MIT Identify Security Vulnerabilities in Voting App

The expansion of mobile technology in recent years has come with several amenities. It has also generated popular slogans like “there is an app for that.” These two notions have produced the idea of using mobile applications to complete practical activities such as voting.

Anything that can get hacked, will get hacked. This is why voting security experts have warned that paper ballots are the only secure method to vote.

 After a recent MIT investigation, it appears as though this holds true. MIT Researchers discovered that the voting app, ‘VOATZ,’ had vulnerabilities that could permit a hacker to change a person’s vote once they remotely accessed the device. Additionally, if a threat actor hacked the voting server, which investigators found was shockingly easy, they could also discover the user's vote and stop the connection before it is cast. To make matters worse, a hacker exploiting this vulnerability can remain fully undetected and thus easily sway the voting system. Unfortunately, this discovery came after VOATZ was already used in some states’ elections (West Virginia, Denver, Oregon, and Utah). 

What stands out about this disclosure is that the initial investigation was not on the app itself, but the connected app used post voting. The MIT research team would have never launched an investigation had inconsistencies not existed in the app that tracked results of the Democrat caucuses in Iowa. If the Target breach taught us anything, it is that organizations must consider the security practices of accompanying vendors. This very concern was proved when investigators found the 3rd party app did not use the security protocol to verify legitimate votes on the backend of the application. Furthermore, an ISP or anyone sniffing an unencrypted network could determine the way someone voted. In a topic of such sensitivity and with modern security controls, how was this possible? There are a few gaps to highlight that allowed this vulnerability to successfully execute:

  • The first, and perhaps most important, is the security principle known as ‘secure coding’ was not evident when researchers reverse engineered VOATZ. Failure to use voting system security experts who understand secure coding predisposed VOATZ to problems. Subsequently, the app also posed a security risk for users because it relied on a 3rd party for voter ID verification. This third party could potentially access a voter’s Personally Identifiable Information and any other collected data. Although the VOATZ app privacy policy does discuss sending information, researchers were not able to determine how much or what was sent over to the 3rd party. 
  • Second, many states do not have up-to-date election systems nor the budget to replace antiquated systems, as voting system reformation has not occurred since 2002 when the government passed the Help America Vote Act of 2002. This act appropriated $3.7 billion to update systems for the 2004 election. As all good things must end, these systems are now approaching their end of life and thus, more vulnerable to security issues. 
  • Third, proprietary apps such as VOATZ, use closed-source code. This practice is followed by most companies and essentially means the public is not given access to an apps source code. However, the lack of external quality assurance testing combined with the already insecure coding practices enabled the VOATZ app to be vulnerable from the start. These are a hazards that organizations who have critical apps should not be permitted to engage in.
  • Fourth, despite the benign intentions, the potential introduction of jeopardizing election integrity requires a comprehensive discussion. We all have an interest in increasing participation of government elections and thereby simplifying the process. Advocates  for the app commonly cite overseas troops and citizens with disabilities as justification for the need to have such an app. However, the expense this comes at is a grey area. The insinuations from mobile voting will continue to be scary until the next generation of election technology can be developed and properly tested.  

Conclusively, even though advocates of the VOATZ app were aware of the risks associated with mobile voting, they believed there were more benefits to using the technology. This mindset has led several organizations to rapidly push out applications before considering the ramifications. Consequences like losing individual trust starts when a system one uses becomes exposed as not secure. Discovery of the voting app vulnerability is about more than just weak programming practices, instead, it brings to light the importance of following standards like NIST and SDLC when developing critical apps. Additionally, when an app follows a thorough development framework, minor issues can be caught early on.

Fortunately, increasing and maintaining user trust is possible by applying high technical and operational security standards before deploying a system or app. Silent Sector operates using only top tier standards. Our goal is to help organizations establish a clear understanding of their security posture and provide the resources to enhance their system security. Our Web Application Penetration tests can provide your organization with a detailed look into the risks associated with exposed applications and connected entities.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.