Secretary of State’s Office pushes back on claims of vulnerabilities for mobile voting app

CHARLESTON — A new report detailing possible issues with a mobile voting app that could be rolled out to voters with certain physical disabilities this election cycle received pushback from West Virginia Secretary of State Mac Warner Friday.

According to a team of researchers at the Massachusetts Institute of Technology, the mobile voting app sponsored by the Secretary of State’s Office, developed by Voatz, funded by Tusk Philanthropies, has several flaws.

MIT found that the Voatz app’s defenses, which includes biometric face recognition and two-factor authentication, can be evaded by hackers with root access to the voter’s phone.

While the ballot is protected by a blockchain security system — utilized by banks and financial services, among others — the MIT report said a bad actor could intercept the ballot before the app transmits it to the block chain and either learn the voter’s choices or even manipulate the ballot. A hacker with access to the phone’s network protocol could leak details from the voter’s ballot.

In addition, once the ballot is secured within the blockchain, it could still be subject to attacks from the server side, the report claims.

“Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election,” said Michael Specter, a co-author of the report.

Specter is a graduate student in MIT’s Department of Electrical Engineering and Computer Science and a member of MIT’s Internet Policy Research Initiative.

“Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone,” Specter said.

The Secretary of State’s Office said the researchers tried to create a server system similar to what Voatz uses and used an outdated version of the Voatz app from 2017.

“They took an older version of one small sector on an Android phone and recreated what they thought was this apparatus and came up with their conclusions,” Warner said Friday. “Voatz…countered that and argued that it would be like analyzing Windows 7 when Windows 10 is out.”

Warner, on Friday, said while no voting system, paper or electronic, is immune to vulnerabilities, he said it would take bad actors being near every voter’s phone and require large amount of resources. Warner said he is more concerned about a nation state, such as Russia, trying to disenfranchise a demographic of voters through misinformation.

“The benefit, as you can imagine to somebody who doesn’t have that opportunity to vote, the reward is huge,” Warner said. “That it gives them a right to vote, an opportunity to vote, whether it’s military or a voter with a disability so that the reward is high and the risk is low.”

The reward side of the equation is bigger than the risk side, Warner said.

“The Russians and others are ready to move more of a large demographic in the U.S. society…and try to get them not to vote or to vote for somebody in particular,” he said. “You could move whole demographics, which could affect the outcome of elections, rather than just one individual vote.”

The MIT researchers took their concerns to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency. According to a September 2019 CISA investigation uncovered by NBC News, CISA did not detect any threat behaviors, but did note a number of defense-in-depth protections Voatz should make to its systems.

The company has conducted several third-party audits of its system, though none have been released to the public.

In a conference call Thursday, Voatz CEO and co-founder Nimit Sawhney said his company was working with CISA to perfect the app.

“We’ve been collaborating with CISA ever since the discussion about this report started a few days ago, and it’s been a very transparent process with them, and we’ve communicated our feedback to them already throughout the process,” Sawhney said.

West Virginia became the first state to use a mobile voting app for deployed members of the U.S. military and their families. The program was used in a two-county pilot for the 2018 May primary, and rolled out to 24 counties for the 2018 general election that November. Similar programs have been used in eight cities and counties in five states to Tusk Philanthropies, one of the funders of mobile voting.

The iPhone and Android app, developed by Voatz and funded by Tusk, uses biometric data to confirm the voter’s identity, allows them to vote by smartphone, and uploads the ballot into an encrypted blockchain system. On Election Day, a county clerk is able to access the ballot, print it, and tabulate it like any other ballot.

Justice signed Senate Bill 94 on Feb. 5, allowing voters with physical disabilities and the blind to vote in elections by electronic absentee ballots. The bill leaves the choice of what type of electronic absentee ballot to use, whether to develop their own system or contract with a third party to develop a new system. Counties will also have the choice to use the Voatz system at no cost.

Warner said his office was open to other methods, still considering the Voatz mobile voting system a pilot project for now. A final decision will be made by March 1.

“We will take all that information together to make our determination as to what system we go with in the future,” Warner said. “We’re not necessarily tied to Voatz. There are other systems. Maryland has used a system. There’s other vendors out there in the space that we can turn to as well.”

“I don’t want to be afraid of technology,” Warner continued. “I want to use that technology to expand the franchise, to give those people the opportunity to vote.”

(Adams can be contacted at sadams@newsandsentinel.com)