Voatz smartphone voting app has significant security flaws, MIT researchers say

A recent version of a smartphone voting app that has been used in limited capacity in federal elections scattered across four states has significant security flaws, a Massachusetts Institute of Technology study has found.

The app, Voatz, made by a startup of the same name based in Boston, uses a combination of blockchain software and remote identity verification in an effort to create a secure system that can be accessed through a smartphone. Researchers did not say they found evidence that the app had been hacked, but noted that the vulnerabilities could have been exploited.

“We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote,” the researchers wrote in a press release published Thursday. The study, the first major public security audit of the app, found that “exploitation would be well within the capacity of a nation-state actor,” the researchers said.

Voatz, which in theory makes it much easier for nontraditional voters to cast their vote, has slowly made inroads in U.S. elections. Since 2018, it’s been made available for overseas and military voters in 24 West Virginia counties and two Oregon counties, as well as Pierce County, Washington, and for voters with disabilities in Utah County, Utah.

While supporters have touted its ability to enfranchise Americans with disabilities and those serving overseas — both groups with dismal voting turnout — the company has largely been quiet about addressing security concerns. While it has undergone several private independent security audits, those results have never been made public, and academic consensus has said that the technology to securely conduct online elections doesn’t yet exist.

In a blog post rebuttal to the study, Voatz noted that the researchers were working on an older design of the app, and touted that they’ve had no security complaints from government clients.

Maurice Turner, an election cybersecurity expert at the Center For Democracy and Technology, a nonprofit focused on technology policy, said he found that response unconvincing.

“I don’t think that’s worthwhile,” he said. “If an app is available on an app store for a legit install, it needs to be something that Voatz feels is up to their standard on a live election.”

A 2019 Department of Homeland Security analysis of Voatz found multiple areas where the app’s security could be improved, but no evidence of past malicious activity.

Before announcing their findings, the researchers disclosed them to Homeland Security’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency (CISA). In a statement, a CISA spokesperson said that “we quickly shared this information with both the vendor and the state and local election officials who plan to pilot or use this technology during the 2020 election cycle.”

The news may put West Virginia, the state that’s pioneered mobile voting in the U.S., in a bind.

Secretary of State Mac Warner, the state’s chief election official, already made Voatz available to overseas and military voters for the 2018 primaries. Gov. Jim Justice made history on Feb. 5 when he signed a bill requiring counties to provide an electronic option for voters with disabilities starting with the 2020 election. Voatz was the presumed option, though Warner previously said he was waiting on the results of a security audit before making a decision.

“We have been following the MIT research. In an effort to provide additional security to any platform we may use, we continue to welcome critiques of the Voatz technology as does Voatz,” Mike Queen, a spokesperson for Warner’s office, said in an email.