Voatz, a mobile voting app that's already been used in several elections in the United States, has more than a dozen critical security flaws, according to a newly released audit. The audit also shows Voatz publicly refuted an MIT report that found flaws in its app even after it received confirmation that it was accurate.
The audit, which was prepared by cybersecurity firm Trail of Bits for Voatz and Tusk Philanthropies, which has partnered with Voatz on some of its pilot voting projects, found 48 technical vulnerabilities, 16 of which were "high-severity issues."
That's an unusually high and concerning number of critical vulnerabilities when compared with other penetration test ("pen test") reports. A Trail of Bits May 2019 audit of the application management software Kubernetes, for example, found 37 technical vulnerabilities, only five of which were high-severity issues.
The audit notes that many of the vulnerabilities Trail of Bits reported to Voatz were only partially fixed, unfixed, or considered by Voatz as acceptable risks.
Voatz has already been used in elections in West Virginia and piloted in Denver, parts of Oregon, Utah, and Washington State. The company claims that since 2016 "more than 80,000 votes have been cast on the Voatz platform across more than 50 elections (including 10 governmental election pilots since March 2018 involving more than 700 pilot voters)." Experts have repeatedly warned that mobile or online voting is not a good idea, and that it is nearly impossible to design an online voting system that doesn't have serious security flaws.
“This damning report is clear evidence that election officials must listen to these experts and reject online voting snake oil like the insecure Voatz app," Senator Ron Wyden said.
"Voatz doesn't make any sense as it's currently designed. Architecturally, it trusts a central server with everyone's votes," Matthew Green, a cryptographer and computer science professor at Johns Hopkins University not involved with the Trail of Bits report, said. "A person who compromises that server or any of the client-side software has virtually free rein over an election."
Green added: "If this was a hot dog stand, it would be closed by the health department."
One high-severity issue that Voatz deemed an acceptable level of risk involves authentication key passwords that Voatz stores in plaintext, which is generally bad practice for storing any password. These passwords are required for releasing new builds of the Voatz Android app. An attacker with access to a Voatz developer's compromised machine could conceivably use these passwords to release an app claiming to be Voatz.
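The kind of check a release pipeline would want for this finding, as an added example that is not Voatz's code: a constructed Android signing configuration with the passwords hard-coded (the weak form) beside one that reads them from the build environment, and a small scanner that flags the former so it can fail a pre-commit hook or CI job before a password reaches git.

```python
import re

# Constructed sample Gradle signing configuration (not Voatz's code). The weak
# version hard-codes both keystore passwords, so they land in git alongside the
# keystore; the fixed version reads them from the CI environment at build time.
WEAK_GRADLE = '''
android {
    signingConfigs {
        release {
            storeFile file("release.keystore")
            storePassword "hunter2"
            keyAlias "release"
            keyPassword "hunter2"
        }
    }
}
'''

FIXED_GRADLE = '''
android {
    signingConfigs {
        release {
            storeFile file(System.getenv("KEYSTORE_PATH"))
            storePassword System.getenv("KEYSTORE_PASSWORD")
            keyAlias "release"
            keyPassword System.getenv("KEY_PASSWORD")
        }
    }
}
'''

# A signing password assigned a quoted string literal (Groovy or Kotlin DSL style).
LITERAL_SECRET = re.compile(r'^\s*(storePassword|keyPassword)\s*=?\s*["\'][^"\']*["\']')


def find_plaintext_signing_secrets(gradle_text):
    """Return (line_number, property_name) for every hard-coded signing password."""
    findings = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        match = LITERAL_SECRET.match(line)
        if match:
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    # Intended as a pre-commit or CI gate: a non-empty result should fail the build.
    for label, text in (("weak", WEAK_GRADLE), ("fixed", FIXED_GRADLE)):
        hits = find_plaintext_signing_secrets(text)
        print(f"{label}: {hits or 'no hard-coded signing passwords'}")
```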
"Voatz accepts the risk presented here and believes the frequent key rotation, other controls in place provide sufficient safeguards in the short term," Voatz told Trail of Bits in response to this finding.
"Signing keys should definitely not be stored in git, and frequent key rotation seems like an inappropriate use of that particular safeguard mechanism," Maurice Turner, deputy director at the Center for Democracy & Technology, said. "Android 9.0 (released in 2018) introduced key rotation, which means that devices running prior versions of Android either remain vulnerable or should not be used by voters."
In at least one instance, a fix that Voatz put in place to address a vulnerability resulted in a new bug. Trail of Bits initially identified an issue where an attacker with knowledge of the target's phone number could hijack the target's Voatz account during the re-registration process, locking the target out of the account and giving the attacker access. Voatz fixed this issue, but the fix it put in place introduced a new issue that "can allow an attacker to bypass SMS verification during pre- and re-registration." Voatz said this issue was fixed, but Trail of Bits could not independently confirm this because it did not have access to the updated, supposedly fixed code.
In an interview with Motherboard, Voatz founder and CEO Nimit Sawhney accepted the technical details of the Trail of Bits report, but rejected the notion that Voatz is risky to use and should stop being piloted until these issues are resolved, because, he said, the issues are "theoretical," and in trials so far Voatz has not seen proof that it was hacked.
“Overall we’ve been very comfortable, we don’t see anything there which impacts any ongoing elections," Sawhney said. "Because a lot of this is theoretical, it’s whitebox, it is based on looking at the code…We feel very confident that this is a normal part of an audit process. No system is perfect, we’re not claiming this is perfect, but we stand behind the system.”
Sawhney added that “the risk of any of these being exploited in a pilot election is extremely low.”
John Sebes, chief technology officer for the Open Source Election Technology Institute, said that the subject of an audit—in this case, Voatz—is the least qualified party to assess whether or not a bug is likely to be exploited, and that he "objects so strenuously" to the idea that these are merely theoretical bugs.
“Nearly every major vulnerability that’s found starts out in the realm of there’s no known exploit. Eventually people who like to design and implement exploits do so,” he said. “Vendors are the least qualified people in the world to assess the likelihood of a bug, because of course they’re going to say that it isn’t very likely to be exploited. The fact that at any point in time an exploit does not exist has no bearing on whether it will in the future.”
In another instance, Trail of Bits simply could not confirm the existence of a security feature Voatz claims publicly it has in place. Voatz's FAQ page claims that "Once submitted, all information [including voter ballots] is anonymized, routed via a 'mixnet.'"
The term "mixnet" is sometimes used to describe a method of sending traffic through a chain of proxy servers, each of which "shuffles" the messages it receives and sends them back out in random order, obfuscating the traffic and making it hard to trace, but Voatz did not go into detail about what its implementation consists of.
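To make the mechanism described above concrete, here is an added example of a minimal decryption mixnet; it is not Voatz's code and says nothing about what Voatz built. It assumes three mix nodes with pre-shared symmetric keys and a toy HMAC-based stream cipher (a real mixnet would use public-key onion encryption): each node peels one layer off every ballot in a batch and forwards the batch in shuffled order, so no single node sees both the original order and the plaintext.

```python
import hashlib
import hmac
import os
import random

# Added example, not Voatz's code: a minimal decryption mixnet of three mix nodes.
# Each node holds a symmetric key, assumed pre-shared with senders for this demo;
# a real mixnet would use each node's public key for the layered encryption.
NODE_KEYS = [os.urandom(32) for _ in range(3)]
NONCE_LEN = 16


def _xor_keystream(key, nonce, data):
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter-mode keystream."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_ballot(ballot, node_keys=NODE_KEYS):
    """Sender side: add one encryption layer per node, innermost for the last node."""
    msg = ballot.encode()
    for key in reversed(node_keys):
        nonce = os.urandom(NONCE_LEN)
        msg = nonce + _xor_keystream(key, nonce, msg)
    return msg


def mix_node(key, batch, rng=random.SystemRandom()):
    """One hop: peel this node's layer off every message, then emit them shuffled."""
    peeled = [_xor_keystream(key, m[:NONCE_LEN], m[NONCE_LEN:]) for m in batch]
    rng.shuffle(peeled)
    return peeled


def run_mixnet(wrapped_batch, node_keys=NODE_KEYS, rng=random.SystemRandom()):
    """Route a batch through every node; returns plaintext ballots in shuffled order."""
    if len(wrapped_batch) < 2:
        # A batch of one is trivially linkable: shuffling provides no anonymity.
        raise ValueError("mixnet batch too small to anonymize")
    batch = list(wrapped_batch)
    for key in node_keys:
        batch = mix_node(key, batch, rng)
    return [b.decode() for b in batch]


if __name__ == "__main__":
    ballots = ["voter-1: A", "voter-2: B", "voter-3: A", "voter-4: C"]
    print(run_mixnet([wrap_ballot(b) for b in ballots]))
```

The batch-size check is the point a reviewer would look for: a mix that forwards ballots one at a time, or in tiny batches, shuffles nothing and anonymizes nothing.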
"The Voatz FAQ talks about a mixnet for anonymizing votes, but we found no evidence of a mixnet in the code," the Trail of Bits audit says.
Sawhney said that, due to time constraints, Voatz could not provide that part of its network to Trail of Bits for review. "It's an experimental function but it does exist," Sawhney said.
In a blog post published alongside the report, Trail of Bits said that Voatz's code is written "intelligibly and with a clear understanding of software engineering principles," but that many issues remain.
"It is clear that the Voatz codebase is the product of years of fast-paced development," Trail of Bits said. "It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been. Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously. Mobile clients neglect to use recent security features of Android and iOS. Sensitive API credentials are stored in the git repositories. Many of its cryptographic protocols are nonstandard."
Trail of Bits added that "The quantity of findings discovered during this assessment, the complexity of the system, and the lack of access to both a running test environment as well as certain codebases leads us to believe that other vulnerabilities are latent."
When reached for comment, Trail of Bits simply directed us to its report and blog post. Trail of Bits is a widely respected security firm based in New York. In the past, it has worked for Facebook, DARPA, and others.
The Trail of Bits report also establishes a timeline that shows Voatz publicly refuted research that found flaws with its app even after Trail of Bits told Voatz the findings were legitimate.
On February 13, researchers at MIT released a report that found several vulnerabilities with the Voatz mobile app that would allow attackers to intercept votes as they're transmitted, alter a user's vote, and trick them into believing it was transmitted correctly. Experts Motherboard spoke to said that the MIT research showed that the Voatz app was "sloppy" and had "elementary" security flaws.
That same day, Voatz published a blog post strongly pushing against the MIT researchers' findings, saying the report was flawed and that the researchers' "true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."
However, according to the audit, Trail of Bits received an anonymized summary of the MIT report, describing six vulnerabilities primarily related to the Voatz Android app, on February 5. By February 11, Trail of Bits had begun verifying the issues and provided an initial evaluation to Voatz confirming the presence of the described vulnerabilities.
Two days later, even after the company that Voatz itself was paying to find security issues confirmed the issues in the MIT report, Voatz publicly refuted it.
"It is profoundly troubling to hear that Voatz was aware that the vulnerabilities found in our research were still active at the same time they were misrepresenting and downplaying our findings to the Department of Homeland Security, state elections officials, and the public," the authors of the MIT report told Motherboard in a statement. "This only shows that we should never take an election software company at their word. Voting systems must be subject to thorough public inspection before they are used."
Soon after the MIT report was published, a public relations firm for Voatz reached out to Motherboard asking for an in-person, off-the-record meeting with its cofounder and vice president.
"There's been plenty of stories very recently about the potential—or not—of mobile voting moving forward and what it might mean for the accessibility and security around elections," the public relations firm said. "But misinformation has abounded."
In an on-the-record call Friday, Voatz's Sawhney continued to take issue with the MIT report, saying that Trail of Bits' confirmation of some of the issues MIT found was "opinion" and that "there are like so many errors in the MIT report, that it's just really really hard to accept that report."
"What we are saying is what we said in our initial response. These are hypothetical. It's not easy to exploit them in the real world and we stand by that statement," he added.
Voatz has been surrounded by controversy ever since West Virginia used it in a pilot program to allow military and overseas voters to cast ballots via their phone. The software has also been used in pilot projects in elections in Denver and parts of Oregon, Utah and Washington State. West Virginia recently announced plans to expand its use of Voatz to disabled voters in this year’s presidential elections. According to Voatz's own FAQ, more than 80,000 votes have been cast on the Voatz platform across more than 50 elections since June 2016.
Voatz's Sawhney said that he believes the platform should be used only for those who are disabled or unable to vote, and that the technology is years away from being rolled out at a large scale.
People who are unable to get to a voting site are "frequently excluded from the conversation. Do they not have the right to vote? When you ask [why we're doing this], it's because there's a large segment of people who are not able to vote … these are millions of people. Anybody who says this is not worth doing is excluding those people."
"Voatz has a well-earned reputation for not playing well with security researchers," Turner said. "I hope this report is followed by meaningful steps to rebuild relationships with the election security community. Election officials can help by pushing state legislators to adopt vulnerability disclosure policies and prioritizing vulnerability mitigation across all public-facing IT infrastructure."
"Broadly, we believe election officials themselves should fund qualified, public reviews of these systems, and specify that those reviews describe the issues and solutions in a way that non-technical audiences can understand," Trail of Bits said in its blog post.
Trail of Bits also notes that an August 2019 report by The National Cybersecurity Center (NCC) seemed to address Voatz's security issues, but the NCC doesn’t employ any security experts. The NCC report validated that Voatz's features and operation meet the needs of the user, not that the Voatz system is secure.
"We now know that Voatz and its backers commissioned secret, misleading audit reports, by organizations with no technical security experts, in order to deceive state and local elections officials that their product was secure," Wyden said.
“We are very confident in the security of the platform," Sawhney said. "We don’t feel like anybody has practically demonstrated that they can actually manipulate a vote by breaking into a voter’s phone in real time and tamper with voters’ experience or to break into our back end and compromise things in the cloud.”
"We hope that our assessment will improve the overall security posture of the Voatz system, but there is still a great deal of work to be done to achieve that goal," Trail of Bits said.