Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy

Only a week after the mobile app meltdown in Iowa's Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia's 2018 midterm election. They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state. Based on their findings, …

  1. JohnFen

    I'm baffled

    I'm utterly baffled that anybody thinks that a mobile app being involved in an election process is anything remotely close to being safe or secure. That's even worse than electronic voting machines.

    1. Version 1.0 Silver badge

      Re: I'm baffled

And how many times has your phone updated its apps - I see about 3-4 updates to something every bloody day; security is an illusion, phone app security doubly so ....

      1. big_D Silver badge
        Pint

        Re: I'm baffled

        Have one of these this lunch time --->

        For the Douglas Adams reference.

    2. Martin an gof Silver badge

      Re: I'm baffled

Yet people seem to accept mobile banking and payment systems are secure. Make yer minds up, either it is possible to make secure mobile apps or it isn't. Unless mobile payment systems have access to facilities this ridiculously-named Voating system doesn't?

      M.

      1. jake Silver badge

        Re: I'm baffled

        "Yet sheeple seem to accept mobile banking and payment systems are secure."

        FTFY

        "Make yer minds up, either it is possible to make secure mobile apps or it isn't."

        We (TINW) have made up our minds. It isn't.

        Remember, just because it is possible to do something doesn't mean it is a good or safe idea ... no matter how much marketing tries to tell you otherwise.

      2. A random security guy

        Re: I'm baffled

        Security is not perfect and you want a Boolean answer. You weigh the risk vs. convenience. In the case of elections, the reward for manipulating an election is huge. Much more than robbing an entire bank.

Robbing your account would not be worth anything.

        People do lose money regularly through smartphones.

But the bank makes sure that their losses are acceptable. Moreover, banks work much harder at securing their apps.

        1. jake Silver badge

          Re: I'm baffled

          "Security is not perfect and you want a Boolean answer."

          The question was "is it secure?". The answer, as you know full well, is no. The rest is just waffle.

          1. Martin an gof Silver badge

            Re: I'm baffled

            Which was sort of my point - and I'm a bit sad my snark seems to have bypassed my downvoter. I personally have never trusted that anything mobile - or, for that matter, just online - is 100% secure. It is one of those things that is impossible to prove and relatively easy to disprove.

            I think what I am saying is that people are being encouraged to transfer (in particular) financial dealings online and on mobile with the promise that it's all utterly safe. The consequences for an individual of a breach in their banking app could be catastrophic, though the consequences for society as a whole are likely trivial.

            Conversely, one of the arguments against online electronic voting (which probably uses many of the same frameworks as online electronic banking) is that it is utterly unsafe. In this case the consequences of a breach for an individual are likely quite minor, though the consequences for society could be bigger, if temporary. At the very least you would get another voting opportunity in 2/4/5 years (except for rare things like the EU referendum) and if widespread fraud was proved then I believe most jurisdictions have systems in place for declaring a vote invalid and re-balloting.

            I'm aware that paper ballots have their own issues, but we do at least have several hundred years of experience with paper and it is possible (even if it isn't done in every country) for any Joe Bloggs to follow a physical piece of paper along every step of its way from voting booth to tally pile. Once you've clicked that button on that app, who knows what happens to your vote?

            Completely stand-alone voting machines could in theory be better - no online connection means that all you have to worry about (apart from the software which could be audited I'd think) is the physical security of the device - but if one of the reasons for online voting is convenience then you don't gain anything if you still have to go to a polling station in order to push a button rather than putting a cross in a box.

            Obviously there's a trade-off being made somewhere along the convenient - secure continuum...

            M.

            1. Claptrap314 Silver badge

              Re: I'm baffled

              ALL voting machines promise convenience. What they deliver is a new method to forge votes.

              Physical voting machines have the virtue of only being able to change the vote on that particular machine.

              Electronic voting machines give you the ability to change the vote at scale.

              Internet voting apps allow you to do it from the convenience of the foreign (non-extraditing) jurisdiction of your choice.

        2. John Brown (no body) Silver badge

          Re: I'm baffled

          "Security is not perfect and you want a Boolean answer. You weigh the risk vs. convenience. In the case of elections, the reward for manipulating an election is huge. Much more than robbing an entire bank."

First thoughts are so long as the risk of vote fraud is less than or equal to using paper ballots, then we should be good to go. But as we are all aware here, the bar is much higher in practice. Paper ballot fraud generally requires many people voting on behalf of others, or a physical presence to handle the boxes and change or stuff the contents. That's not generally easy to achieve undetected and so very, very risky. But with electronic voting, it could be much easier to fiddle a lot of votes by a single person with a laptop.

      3. druck Silver badge

        Re: I'm baffled

If your mobile banking application is compromised, you will find out when you receive the next statement from your bank; the details of all transactions will be there for you to see. If you dispute any of them, there is a clear process to follow, which (except in cases of gross negligence) will result in any losses being refunded.

        With mobile app voting, you will not get a validated statement of how you actually voted, so you will be unaware of any fraud, and have no ability to raise a dispute and have the vote corrected.

        1. GnuTzu
          Thumb Up

          Re: I'm baffled

          Wow, that really put a bizarre idea in my head. (Oh, and upvote on your point about validated statements.)

          What if the voting app hacked your banking app to cause you to make a massive donation to the wrong candidate.

          I'm glad it's Friday. I'm seriously going to need to get toasted this weekend.

        2. vtcodger Silver badge

          Re: I'm baffled

          "If your mobile banking application is compromised, you will find out when you receive the next statement from your bank, the details of all transactions will be there for you to see. If you dispute any of them, there is a clear process to follow, which (in exception of cases of gross negligence) will result in any losses bing refunded."

          On top of which, the money has to GO somewhere, and cobbling together a transaction chain that can't be traced to the miscreants is a non-trivial job. It's sort of like counterfeiting. Doable, but likely to be an inordinate amount of effort and quite risky as well.

          Hacking a voting program is likely easier and less risky. And there's likely no meaningful audit trail.

        3. Michael Wojcik Silver badge

          Re: I'm baffled

          With mobile app voting, you will not get a validated statement of how you actually voted, so you will be unaware of any fraud, and have no ability to raise a dispute and have the vote corrected.

          It might be worth noting that there are protocols for voter-auditable secret-ballot voting, such as Rivest's ThreeBallots. The problem is that they're hard for many voters to understand, and increasing the cognitive load or work factor of voting even a little will have the effect of suppressing some of the vote, when participation is already pretty dismal.

          The fact of the matter is that mark-sense paper ballots with privacy-protected in-person voting where possible is still the best overall compromise anyone's come up with so far.
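The voter-auditable scheme named above, Rivest's ThreeBallot, is easy to miss in one sentence, so here is an added illustration of its core mechanics in Python. This is not code from the original thread or from any ThreeBallot implementation; the candidate names, the seeded demo election and the `board` dictionary standing in for the public bulletin board are all constructed for the example. It shows the three pieces that matter for the "validated statement" point: every candidate gets one mark per voter plus one extra per actual vote (so no single ballot reveals the choice), the tally is marks minus voters, and the voter keeps one of the three ballots as a receipt that can be checked against the published board. Detection is probabilistic, which is the work-factor the comment refers to: an official who rewrites one ballot is caught only if the affected voter happened to keep that one (one chance in three per altered ballot).

```python
import random
import secrets

# Constructed sample election (not from the page): a single race, three candidates.
CANDIDATES = ("Alice", "Bob", "Carol")


def fill_three_ballots(candidates, choice, rng=None):
    """Produce a voter's three ballots for one race.

    Each candidate is marked on exactly one of the three ballots, and the chosen
    candidate on exactly two. Which ballots carry the marks is random, so any one
    ballot on its own is consistent with any vote. Each ballot gets a random
    serial number so it can later be found on the public board.
    """
    rng = rng or secrets.SystemRandom()
    if choice not in candidates:
        raise ValueError("vote for an unlisted candidate")
    ballots = [set() for _ in range(3)]
    for cand in candidates:
        marks = 2 if cand == choice else 1
        for idx in rng.sample(range(3), marks):
            ballots[idx].add(cand)
    return [(f"{rng.getrandbits(64):016x}", frozenset(b)) for b in ballots]


def cast(board, ballots, receipt_index):
    """Publish all three ballots on the board; return the one the voter keeps."""
    for bid, marks in ballots:
        board[bid] = marks
    return ballots[receipt_index]


def tally(board, candidates, num_voters):
    """Votes per candidate = total marks for that candidate minus number of voters."""
    if len(board) != 3 * num_voters:
        raise ValueError("ballot count does not match three per voter")
    counts = {c: 0 for c in candidates}
    for marks in board.values():
        for c in marks:
            counts[c] += 1
    # Sanity bound: every candidate has between N and 2N marks for N voters.
    for c in candidates:
        if not num_voters <= counts[c] <= 2 * num_voters:
            raise ValueError(f"mark count for {c} is outside [N, 2N]")
    return {c: counts[c] - num_voters for c in candidates}


def verify_receipt(board, receipt):
    """A voter checks that the ballot they kept appears unchanged on the board."""
    bid, marks = receipt
    return board.get(bid) == marks


def run_demo():
    """Seeded demo: three voters, then one tampered ballot caught by its receipt."""
    rng = random.Random(2020)  # seeded only so the demo is repeatable; use SystemRandom for real
    board = {}
    receipts = []
    votes = ["Alice", "Bob", "Alice"]  # constructed votes
    for choice in votes:
        ballots = fill_three_ballots(CANDIDATES, choice, rng)
        receipts.append(cast(board, ballots, rng.randrange(3)))
    result = tally(board, CANDIDATES, len(votes))
    receipts_ok = all(verify_receipt(board, r) for r in receipts)
    # An official toggles Carol's mark on a ballot that a voter happened to keep.
    bid, marks = receipts[0]
    board[bid] = frozenset(marks ^ {"Carol"})
    tamper_detected = not verify_receipt(board, receipts[0])
    return {"tally": result, "receipts_ok": receipts_ok, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

The bound check in `tally` is what a scanner would enforce at the polling station (each row marked once or twice); here it is guaranteed by construction and re-checked on the board. What the code does not model is the part the comment calls the cognitive load: a real voter has to fill the three columns correctly by hand, understand why the receipt reveals nothing, and actually go and check it.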

      4. JohnFen

        Re: I'm baffled

> Yet people seem to accept mobile banking and payment systems are secure.

        Yes, they do. Those systems represent tradeoffs between security and convenience, and people are deciding that the tradeoff is worth it to them. That's fair -- we all decide the level of security that we're comfortable with. Elections are different, though, in that security risks with election systems involve everyone, not just individuals with accounts.

        > Make yer minds up, either it is possible to make secure mobile apps or it isn't.

        I think my stance was clear -- my mind is made up. It isn't possible to secure mobile apps to the degree that is necessary for election systems.

        1. Claptrap314 Silver badge
          Pint

          Re: I'm baffled

          YOU might be okay with banking apps. I'm not.

          My wife, on the other hand.... <sigh>

          Icon for crying in.

          1. JohnFen

            Re: I'm baffled

            Just to be clear -- I'm not either. I don't use them. But there's no denying that there are plenty of people who choose differently.

    3. JCitizen
      FAIL

      Re: I'm baffled

      Proof that you can find gullible state organizations and election commissions every time! Especially a bunch of corn cobs from Iowa!

  2. GBE

    The name was enough

IMO, the cutesy-misspelled "Voatz" name alone was enough to confirm it should be avoided.

    1. borkbork

      Re: The name was enough

      Voatz - rhymes with goatse?

      1. skeptical i
        Pirate

        Re: The name was enough

        Weasels and stoats, ballots and voatz, Toad Hall is ablaze.

        1. big_D Silver badge

          Re: The name was enough

          The literary crowd is in good form this morning.

      2. big_D Silver badge

        Re: The name was enough

        I thought so.

  3. Anonymous Coward
    FAIL

    Possible? Yes. Probable? No.

It is possible, theoretically, to make a secure app. But they don't exist yet and I don't think it's probable that any will be developed soon.

    Beyond the developer mantra of build cheap, release fast, and grab as much money as possible, there is the problem of users. The people staffing the polls are unpaid, untrained, and, often, technologically illiterate.

    1. Mongrel

      Re: Possible? Yes. Probable? No.

      "It is possible, theoretically, to make a secure app."

      And that will still rely on the end users keeping their phone secure, not just anti-malware, but physically secure, with a proper unlock passcode\pattern.

      1. Robert Helpmann??
        Childcatcher

        Re: Possible? Yes. Probable? No.

        And that will still rely on the end users keeping their phone secure, not just anti-malware, but physically secure, with a proper unlock passcode\pattern.

        Exactly! Running voting through an app introduces at least one more point of failure. This is the opposite of securing things.

        1. JohnFen

          Re: Possible? Yes. Probable? No.

          Yes. And even worse than that, the additional attack surfaces are being manned largely by people who don't generally have system security in the front of their mind, and often don't know how that should inform their behavior. So those are particularly vulnerable attack surfaces.

      2. Fluffy Cactus

        Re: Possible? Yes. Probable? No.

        Well, excuuuuuse me, but...

wasn't it Mr. Buttigieg who decided on hiring that mysterious "Shadow, Inc" company for the purpose of totaling up the caucus voting results?

        Really, if it were up to me to plan such a thing I would

1) Prepare an exactly similar Excel spreadsheet for each county, that is to be used to total up their results.

        2) Provide a password to each county, via a secure channel, to be used to save that excel file in an encrypted form. Easily done, it takes 5 minutes to learn that. Do you know how to save a Word or Excel file with a password? Easy if you know how. Anything with less than 20 characters is easily cracked. Don't ya know?

        What's a good password? For example: "Raccoon7Blunder9Squared$#&SillyWalks"

        Long, irrational, yet possible to remember.

3) Next I would ask each county officer to sign up for the Swiss "Protonmail.com" system, which is the only e-mail system in the world today that provides "End to End" encryption. Such that the transmissions are encrypted twice, once by you, and a second time by Protonmail.

        Neither Google, MSFT, Apple or anyone else does anything like that. Not even Protonmail has the password. (if you are dumb enough to lose your password, then you are too dumb to work for a caucus, or dumber than a bag of hammers, whichever comes first.) I am not affiliated with Protonmail, or have any other insight into it.

I can of course not know whether Protonmail has some secret contract with the CIA, or any other countries. The story about the US and German co-operation with Swiss-based "Crypto AG", which enabled the US to look at other countries' secret messages for decades, still makes it necessary to wonder about who indeed one is able to trust.

The one way to find out whether an encryption has been cracked by someone else is to run a secret message through it which makes the other party react, if they could decrypt it. If they show their hand, you know your own encryption is no good. You learn that by reading about wars, ciphers, spy movies, and the various tricks of spy trade-craft. Obvious!

        4) Next, after decrypting the results at the "Central shop" (whatever you call it, I don't know), one will have in the meantime a simple script that totals up all the subtotals. And it's done!

5) The number of people in computing today, who make "mere Apps" instead of well thought out, both simple and sturdy software, are legion. Too many idiots working who know nothing. That there is an "App" that is supposed to reliably and safely complete this task seems suspicious to me.

        Whether Mayor Pete was essentially "bamboozled" by a Republican attempt to interfere with this "Shadow, Inc" outfit, I do not know. Given Republican lack of conscience, anything is possible. Being careful is essential. There is not enough vetting of who is behind what. Say what you will, this makes me think way less of Pete Buttigieg, because it shows a certain naivety that does not make sense in a politician, or else it makes him suspicious as a counter-agent, witting or unwitting.

        Overall, I am surprised at the willful ignorance among democratic political operators. It's shameful. Be naive, and you lose. But then again, since the whole US diplomatic corps is incapable to send messages in safe encryption, why is that even a surprise? Remember Manning? Why would a low level guy get access to unencrypted top secret stuff. Are the Keystone Cops in charge of security?

        Numerous wikileaks revelations were indeed the fault of those who made it "totally easy to get to, by being careless."

Where do I stand? I am a foreigner, in the US, not voting there. In terms of bias, there are more sensible ideas on the democratic side, and more mean-spirited ones on the Republican side. The ignorance on both sides is appalling.

        I rest my case, or, to be more exact, my case is in a coma, because the DNC appears to be in one as well.

DNC means Democratic National Committee, i.e. the folks who decide who should be the democratic candidate for Pretzeldent.

I hope that makes the rest of you happy.

    2. Claptrap314 Silver badge

      Re: Possible? Yes. Probable? No.

      If you think it is even theoretically possible, please describe the basic architecture.

      Oh, and you cannot trust the provider of the app--they might be suborned for any of a number of reasons.

    3. Michael Wojcik Silver badge

      Re: Possible? Yes. Probable? No.

      It is possible, theoretically, to make a secure app

      Not in that formulation it isn't. "Secure" doesn't mean anything, in a technical sense, except under a threat model, and you haven't specified one. And for any non-trivial system under any non-trivial threat model, "secure" is a probabilistic claim, not an absolute one.

      So in fact it is not possible, theoretically or in practice, to make a "secure app".

  4. jake Silver badge

    27 times? In the world of DevOps and so-called "agile"?

    "The app biz claims the researchers looked at an old version of Voatz, one that has since been updated at least 27 times."

    So that's what, last Tuesday's mid-afternoon version?

    When was the last time your DearOldMum updated an app?

    Internet security is an illusion. So-called smart phone security doubly so.

    1. vtcodger Silver badge
      WTF?

      Re: 27 times? In the world of DevOps and so-called "agile"?

      27 updates? Why doesn't that make me feel more secure?

      1. Michael Wojcik Silver badge

        Re: 27 times? In the world of DevOps and so-called "agile"?

        Exactly. "We couldn't get it right the first 26 times, but now...".

        There's nothing wrong with having tested 28 or more builds, of course. But here the vendor is claiming that they've released at least 28 versions of the application they're claiming is "secure". That hollows out any reasonable interpretation of the word.

        Of course, as I noted elsewhere, saying an application is "secure" isn't a meaningful claim anyway without an explicit threat model &c.

  5. Anonymous Coward

    Some things just need to be done properly

Even if slow and old fashioned, certified ballot papers, a pen, locked boxes plus scrutineers is still best practice.

    1. Doctor Syntax Silver badge

      Re: Some things just need to be done properly

      But...but..but. It's so not 21st century.

  6. eldakka
    Mushroom

    Who to believe?

On the one hand we previously have a Microsoft Research senior cryptographer, supported by an MIT professor [1], and now a new paper out of MIT (that has thanks and attributions to both aforementioned MS cryptographer and MIT professor) that further supports this view of shitty software from Voatz.

    On the other side we have Voatz, some random, secretive company formed in 2016 who claims to have had independent security audits, yet conducted them all under NDAs so the results of those audits are secret.

    Can someone help me solve my dilemma on whom I should trust (while lacking independent, public, audits)? /s

    ----------------------------------------------------------------------------------

[1] Ron Rivest, the 'R' in RSA encryption and in the RC1/2/4/5/6 encryption algorithms. Also the creator of the MD2/4/5/6 hash algorithms.

    1. Reg Reader 1

      Re: Who to believe?

      You beat me to it.

      MIT Profs/researchers did the testing and they are backed up by two other very good schools Profs/researchers. For these people to go out on a limb when they could lose their reputation and possibly positions if wrong. Why would the Profs from these prestigious institutions go out of their way to be wrong?

      Voatz will lose money and contracts if their app isn't secure. Their software has been updated 27 times since the version this Prof. looked at. Updates are generally a good thing and can be used for a variety of reasons, but something as fundamental as voting needs to be done right before it's released. I'm not sure that's possible.

    2. Michael Wojcik Silver badge

      Re: Who to believe?

      What, Voatz's ad hominem arguments weren't convincing? "The researchers may claim that our app is riddled with flaws, but I have it on good authority they enjoy kicking puppies."

  7. Anonymous Coward

    Obviously the DNC

    are not backin' the USSA.

  8. James Anderson

    Just have an auction.

I think the USA should give up on the pretence of democracy and just auction off public offices.

    It’s pretty much what happens now anyway given the massive campaign spends.

It's a lot easier to get an accurate count of dollars than of votes, the money could be spent on something practical to benefit the people^h^h^h^h^hrich, and, it would save us from the embarrassing sight of billionaires trying to look like they cared.

    1. Claptrap314 Silver badge

      Re: Just have an auction.

      Cynosure worked like that. Results tended to be...highly kinetic.

  9. Cuddles

    Old version

    "The app biz claims the researchers looked at an old version of Voatz, one that has since been updated at least 27 times."

    "the Voatz app used in West Virginia's 2018 midterm election."

    If they're looking at how terrible the app was when it was actually used in the election, is it really relevant how many times it might have been updated since then? If anything this seems to be an outright admission that the researchers' claims are true, otherwise those updates wouldn't have been needed.

  10. Doctor Syntax Silver badge

    Right now anyone wanting to derail democracy must be standing in a long queue.

    1. Michael Wojcik Silver badge

      Not at all, my good man; we have perfected the art of doing so in parallel.
