Voatz smartphone voting app has significant security flaws, MIT researchers say

Researchers did not say they found evidence that the app had been hacked, but they said the vulnerabilities could have been exploited.
Image: A voter at the Ward Five Community Center in Concord, New Hampshire, during the New Hampshire primary on Feb. 11, 2020. (Joseph Prezioso / AFP - Getty Images)

By Kevin Collier

A recent version of a smartphone voting app that has been used in limited capacity in federal elections scattered across four states has significant security flaws, a Massachusetts Institute of Technology study has found.

The app, Voatz, made by a startup of the same name based in Boston, uses a combination of blockchain software and remote identity verification to create a secure system that can be accessed through a smartphone. Researchers did not say they found evidence that the app had been hacked, but they said the vulnerabilities could have been exploited.

"We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote," the researchers wrote in a press release published Thursday. The study, the first major public security audit of the app, found that "exploitation would be well within the capacity of a nation-state actor."

Voatz, which in theory makes it much easier for nontraditional voters to cast their votes, has slowly made inroads in U.S. elections. Since 2018, it has been made available for overseas and military voters in 24 West Virginia counties and two Oregon counties, as well as in Pierce County, Washington, and for voters with disabilities in Utah County, Utah.

While supporters have touted its ability to enfranchise Americans with disabilities and those serving overseas — both groups with dismal voting turnout — the company has largely been quiet about addressing security concerns. While the app has undergone several private independent security audits, the results have never been made public, and academic consensus has said the technology to securely conduct online elections doesn't yet exist.

In a blog post rebutting the study, Voatz said the researchers were working on an older design of the app and touted that they've had no security complaints from government clients.

Maurice Turner, an election cybersecurity expert at the Center for Democracy and Technology, a nonprofit focused on technology policy, said he found the response unconvincing.

"I don't think that's worthwhile," he said. "If an app is available on an app store for a legit install, it needs to be something that Voatz feels is up to their standard on a live election."

Voatz's summary of a Department of Homeland Security analysis of its networks found multiple areas where the app's security could be improved but no evidence of past malicious activity. Voatz has not made the government report public.

Before announcing their findings, the researchers disclosed them to Homeland Security's cybersecurity arm, the Cybersecurity and Infrastructure Security Agency, or CISA. In a statement, a CISA spokesperson said that "we quickly shared this information with both the vendor and the state and local election officials who plan to pilot or use this technology during the 2020 election cycle."

The news may put West Virginia, the state that's pioneered mobile voting in the U.S., in a bind.

Secretary of State Mac Warner, the state's chief election official, already made Voatz available to overseas and military voters for the 2018 primaries. Gov. Jim Justice made history on Feb. 5 when he signed a bill requiring counties to provide an electronic option for voters with disabilities starting with the 2020 election. Voatz was the presumed option, although Warner previously said he was waiting on the results of a security audit before making a decision.

"We have been following the MIT research. In an effort to provide additional security to any platform we may use, we continue to welcome critiques of the Voatz technology as does Voatz," Mike Queen, a spokesman for Warner's office, said in an email.

CORRECTION (Feb. 17, 2020, 4:39 p.m. ET) A previous version of this article misstated the origin of a report about Voatz. The report was a Voatz summary of an analysis performed by the Department of Homeland Security, not a report from Homeland Security.