West Virginia has announced it will not be using the voting app Voatz app after researchers found it is ‘riddled with vulnerabilities’.
The US state employed the technology in 2018 to troops oversease and was also set to implement it in the upcoming primary elections for residents with disabilities
However, the flaws, uncovered earlier this month by MIT engineers, give hackers the ability to alter, stop or expose how an individual users has voted.
Secretary of State Mac Warner said on Friday that disabled and overseas voters will now a service by Democracy Live which lets them log in to fill out a ballot online or print an unmarked ballot and mail it in.
Scroll down for video
West Virginia has announced it will not be using the voting app Voatz app after researchers found it is ‘riddled with vulnerabilities’. The US state employed the technology in 2018 to troops oversease and was also set to implement it in the upcoming primary elections for residents with disabilities
The US state was set to employ Voatz following a new bill that requires counties to provide certain individuals with a type of online ballot-marking device that can be used with a smartphone.
West Virginia’s election official is leaning towards adopting the smartphone app Voatz, which by troops overseas to vote in elections.
In 2018, West Virginia rolled the app out to its residents in the military that are deployed overseas and unable to cast their votes in person.
Warner said, at the time, they were aware of the risks but believe there is more benefit to using the technology.
However, the flaws, uncovered earlier this month by MIT engineers, give hackers the ability to alter, stop or expose how an individual users has voted. Secretary of State Mac Warner said on Friday that disabled and overseas voters will now a service by Democracy Live which lets them log in to fill out a ballot online or print an unmarked ballot and mail it in
However, multiple cybersecurity experts raised concerns about using the technology and others like it, saying it provides more opportunities for hackers to infiltrate the voting system – leading engineers at MIT to open an investigation.
The experiment was conducted shortly after ‘inconsistencies’ with an app that was supposed to track the results of the Democrat caucuses in Iowa threw the vote into chaos overnight.
Although Voatz was employed during the Iowa caucus, MIT researchers conducted their own test with the app to see just how safe it is, as thousands of voters are predicted to use the technology in the 2020 president election.
After uncovering the startling vulnerabilities, MIT turned them over to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency.
Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and founding director of the Internet Policy Research Initiative, said: ‘We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field.’
‘We cannot experiment on our democracy.’
To investigate Voatz, the team reversed engineered the app and found an adversary with remote access to the device using the application can alter or see a user’s vote.
And if the server is hack, which the team found can be easily done, the cyber criminal can change votes.
Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science and a member of MIT’s Internet Policy Research Initiative, said: ‘It does not appear that the app’s protocol attempts to verify [genuine votes] with the back-end blockchain.’
‘Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election.’
‘Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.
The team also found that a third party has the ability to access user’s photo, driver’s license data, or other forms of identification.
Matthew Green, an associate professor at the Johns Hopkins Information Security Institute. In the case of Voatz, also noted: ‘I think this type of analysis is extremely important. Right now, there’s a drive to make voting more accessible, by using internet and mobile-based voting systems.’
‘The problem here is that sometimes those systems aren’t made by people who have expertise in keeping voting systems secure, and they’re deployed before they can get proper review.’
In the case of Voatz, he adds, ‘It looks like there were many good intentions here, but the result lacks key features that would protect a voter and protect the integrity of elections.’
Now, troops and those with disabilities will have access to Democracy Live, which is already an option for those residents in Washington State.
Voters are asked to sign into an Amazon Web Services portal with their name and a handful of personally identifying information, like their date of birth.
Users then choose to either mark the ballot online or print it unmarked, fill it in and then mail the paper to the designated address.
Voters are verified by trained local election officials who compare signatures, as is already the case with conventional mail-in overseas ballots.