Election securityResearchers Identify Security Vulnerabilities in Voting App

By Abby Abazorius

Published 14 February 2020

In recent years, there has been a growing interest in using internet and mobile technology to increase access to the voting process. At the same time, computer security experts caution that paper ballots are the only secure means of voting. Mobile voting application could allow hackers to alter individual votes and may pose privacy issues for users.

In recent years, there has been a growing interest in using internet and mobile technology to increase access to the voting process. At the same time, computer security experts caution that paper ballots are the only secure means of voting.

Now, MIT researchers are raising another concern: They say they have uncovered security vulnerabilities in a mobile voting application that was used during the 2018 midterm elections in West Virginia. Their security analysis of the application, called Voatz, pinpoints a number of weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted. Additionally, the researchers found that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.

The findings are described in a new technical paper by Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science (EECS) and a member of MIT’s Internet Policy Research Initiative, and James Koppel, also a graduate student in EECS. The research was conducted under the guidance of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and founding director of the Internet Policy Research Initiative.

After uncovering these security vulnerabilities, the researchers disclosed their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). The researchers, along with the Boston University/MIT Technology Law Clinic, worked in close coordination with election security officials within CISA to ensure that impacted elections officials and the vendor were aware of the findings before the research was made public. This included preparing written summaries of the findings with proof-of-concept code, and direct discussions with affected elections officials on calls arranged by CISA.

In addition to its use in the 2018 West Virginia elections, the app was deployed in elections in Denver, Oregon, and Utah, as well as at the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention. Voatz was not used during the 2020 Iowa caucuses.

The findings underscore the need for transparency in the design of voting systems, according to the researchers.

“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” says Weitzner. “We cannot experiment on our democracy.”