Voting applications: Democracy in the hands of technology

In recent years, there has been increasing interest in using online and mobile technology to supplement voting procedures. At the same time, cyber security experts point out that paper voting is the only secure voting tool.


Now, MIT researchers are raising another concern: They say they have discovered security vulnerabilities in a voting application used during the 2018 elections in West Virginia. Their security analysis of the application, called Voatz, identifies a number of vulnerabilities, including the ability for hackers to change, stop, or expose how an individual user has voted. In addition, the researchers found that Voatz's use of an outside partner to identify and verify voters poses potential privacy concerns for users.

After identifying these security vulnerabilities, the researchers disclosed their findings to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The researchers worked with the Boston University / MIT Technology Law team and CISA electoral security officials to ensure that election executives and the software partner were aware of the findings before the research was published. This included preparing written summaries of the findings and discussing them directly with affected electoral officials on calls organized by CISA.

In addition to being used in the 2018 elections in West Virginia, the application was used in elections in Denver, Oregon, and Utah, as well as in the 2016 Massachusetts and Utah Democratic Conventions.

The findings underscore the need for transparency in the design of voting systems, according to researchers.

"We all have an interest in increasing access to the vote to get more votes, but in order to maintain confidence in our electoral system, we must ensure that voting systems meet high technical and operational security standards before they are implemented," says Weitzner. "We cannot experiment with our democracy."

"The view of security experts is that secure elections online are not possible today," Koppel adds. "The rationale is that application weaknesses can give the opponent an unjustified influence in an election and today's software is unstable enough that the existence of unknown exploitable vulnerabilities is a very high risk."

Capture the results

The researchers were originally inspired to analyze Voatz's security by Specter's research with Ronald Rivest, a professor at the MIT Institute, and Neha Narula, Director of the MIT Digital Law Initiative, exploring the feasibility of using blockchain systems in elections. According to the researchers, Voatz claims to use a blockchain to ensure security, but has not released any source code or public documentation of how its system works.

Specter, who teaches a self-taught course at MIT, founded by Koppel, that focuses on reverse engineering software, proposed reverse engineering the Voatz application in an effort to better understand how its system worked. To ensure that they did not interfere with pending elections or expose user files, Specter and Koppel reverse engineered the application and then created a model of the Voatz server.


They found that an adversary with remote access to the device could change or discover a user's vote and that the server, if tampered with, could easily change those votes. "The application protocol does not appear to attempt to verify [authentic votes] via blockchain," Specter explains.

"We found that your ISP, or someone close to you if you are on unencrypted Wi-Fi, could track how you voted in certain election configurations. The most aggressive malware could possibly detect how you're going to vote and then stop the connection based on that alone."

In addition to detecting vulnerabilities in the Voatz voting process, Specter and Koppel found that the application poses problems for users' privacy. Because the application uses an external provider for voter ID verification, a third party may have access to the voter's photo, driver's license data or other forms of identification if the provider's platform is not secure.

Need for greater transparency

Specter and Koppel state that their conclusions point to the need for transparency in the administration of elections in order to ensure the integrity of the electoral process. They note that, at present, the electoral process in states using paper ballots is designed to be transparent and that citizens and representatives of political parties have the opportunity to observe the voting process.

In contrast, Koppel notes that "Voatz's implementation and infrastructure were completely closed infrastructures. We could only access the application itself."

"I think this type of analysis is extremely important. There is currently an effort to make voting more accessible by using online and mobile voting systems. The problem here is that sometimes these systems are not made by people who have experience in maintaining the security of voting systems," says Matthew Green, an associate professor at the Johns Hopkins Information Security Institute. In the case of Voatz, he adds, "It seems like there were a lot of good intentions here, but the result lacks key features that will protect a voter and the integrity of the election."

Looking ahead, researchers warn that software developers need to prove that their systems are as safe as paper.

"The biggest issue is transparency," says Specter. "When you have a part of the election that is opaque, not visible, not public and has some kind of proprietary element, that part of the system is inherently suspicious and needs to be checked."

