MIT Wasn’t Only One Auditing Voatz – Homeland Security Did Too, With Fewer Concerns


Benjamin Powers

The Department of Homeland Security (DHS) found a number of security vulnerabilities in Voatz’s tech infrastructure during a cybersecurity audit of the mobile voting app vendor’s Boston headquarters, according to a newly declassified report obtained by CoinDesk.

However, the DHS report, conducted by a Hunt and Incident Response Team with the department’s Cybersecurity and Infrastructure Security Agency (CISA), also determined Voatz had no active threats on its network during the week-long operation, conducted last September. It developed a series of recommendations to further boost Voatz’s security. Voatz has since addressed those recommendations.

The CISA report was shared with CoinDesk hours after a technical paper by MIT researchers claimed to detail a number of major vulnerabilities in the Medici-backed Voatz’s app, including allegations that the app leaves voters’ identities open to adversaries and that ballots can be altered.

The MIT report, published Thursday by graduate students Michael Specter and James Koppel and principal research scientist Daniel Weitzner, further alleges that the app has limited transparency, a claim also raised by a number of security researchers.

“Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections,” the MIT researchers said in the report.

However, the CISA audit, which focuses less on the app itself and more on Voatz’s internal network and servers, draws a different conclusion. The DHS investigators wrote that while they found some issues which could pose future concerns to Voatz’s networks, overall the team “commends Voatz for their proactive measures” in monitoring for potential threats.
The two reports paint contrasting pictures of how the company, whose app has been used in pilot programs and live elections in West Virginia, Colorado and Utah, approaches voting security. Further, at least one election official overseeing the Voatz app rollout believes the MIT study is missing data in its evaluation. The MIT researchers did not return a request for comment by press time.

MIT findings

The MIT report relies on a reverse-engineering of the Voatz app and a reimplemented “clean room” server, according to the researchers, who did not interact with Voatz’s live servers or its purported blockchain back end. They found privacy vulnerabilities and a wealth of potential avenues for attack in the app. Adversaries could infer user vote choice, corrupt the audit trail and even change what appeared on the ballot, the researchers said.

The researchers’ findings and faults did not focus on Voatz’s use of a blockchain, at least in part because they did not have access to the permissioned blockchain on which Voatz is said to store and authenticate votes. Instead, they report that the Voatz app never submits vote information to any “blockchain-like system.”

Criticizing Voatz’s lack of transparency, the researchers further argued the company’s “black box” approach to public documentation could, in tandem with the bugs, erode public trust. “The legitimacy of the government relies on scrutiny and transparency of the democratic process to ensure that no party or outside actor can unduly alter the outcome,” the report said.

Ultimately, the researchers recommended elected officials “abandon” the app outright. “It remains unclear if any electronic-only mobile or Internet voting system can practically overcome the stringent security requirements on election systems,” they said.
But Amelia Powers Gardner, a Utah County, Utah election official who supervised her county’s rollout of the Voatz system for disabled voters and service members deployed overseas, told CoinDesk that at least some of the bugs the researchers found cannot be exploited in practice.

“[The researchers] weren’t able to substantiate these claims because they were never able to actually connect to the Voatz server,” Powers Gardner said. “So in theory, they claim that they may have been able to do these things, and only on the Android version, not the Apple version.”

She said the MIT researchers’ effort comes from “what ifs, and perhaps, and maybes, that frankly just haven’t panned out,” and that the app had been patched since.

For Powers Gardner, Voatz’s benefits far outweigh any security risks. She said the software is a far better alternative for otherwise disenfranchised voting groups than the current technological solution: email.

“While these concerns of around mobile loading can be valid, they don’t rise to a level of security that causes me to even question the use of the mobile app,” she said.

John Sebes, co-founder and Chief Technology Officer of the Open Source Election Technology Institute, said that a number of the researchers’ concerns still stand, despite Powers Gardner’s claims. Election officials and computer scien...