Voatz Internet Voting App Is Insecure

This paper describes the flaws in the Voatz Internet voting app: "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections."

Abstract: In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called "Voatz." Although there is no public formal description of Voatz's security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user's device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a clean-room reimplementation of Voatz's server and present an analysis of the election process as visible from the app itself.

We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user's secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.

News articles.

The company's response is a perfect illustration of why non-computer non-security companies have no idea what they're doing, and should not be trusted with any form of security.

EDITED TO ADD (3/11): The researchers respond to Voatz's response.

Posted on February 17, 2020 at 6:35 AM • 32 Comments

Comments

Larry • February 17, 2020 7:16 AM

@Bruce
I'm just a wannabe tech guy, but I agree with your comments after reading the Motherboard article.
Is the answer to hire people who REALLY know what they are doing? Or just skip it altogether?

Clive Robinson • February 17, 2020 7:28 AM

The fact that a piece of software from a commercial commodity software development environment has faults should not surprise any of us.

Because even the least complex of usable commodity software as an application has faults. As the commodity software development processes are not appropriate or even conducive to producing even low fault count software let alone zero fault software, that is unlikely to change any time soon in a "race to the bottom" market place. Also that is before you start looking into the commodity libraries the application links to. Which are also a "movable feast", so the fault count in the commodity application is also dependent on the faults and changes in those libraries and the underlying OS... Both of which change almost continuously and most definitely from smart device to smart device.

The fact that some of those faults in the application can be turned into vulnerabilities again should not surprise any of us.

The fact that in this day and age any commercial commodity software development organisation blusters in the way this one has should surprise us.

Because it's kind of been assumed for a decade or so now that the commodity platform software development organisations had got over this... But apparently not in this case.

But there is one thing I can tell you without a doubt: the security of the app matters not one jot if the input and output channels are neither secure nor authenticated.

With the Android OS in particular, it is known that IO shims can be put in all Application IO channels. Therefore any voting system on Android OS is going to be insecure on the "weakest link in the chain" principle.

And after you think about this for even a little while you realize that no matter how much they bluster the application vendors can never produce a secure voting system with just an application.

And if they are not honest enough to admit that, then people should question their reasons or motives about not admitting it...

@ Bruce,

Do you still have a "Dog House" for those that squeeze snakes for their oil?

AlexT • February 17, 2020 9:26 AM

I have just gone through Voatz's response and I'm a little surprised that you consider that [they have] "no idea what they're doing".

Would you mind expanding on this?

tim • February 17, 2020 9:51 AM

I have just gone through Voatz's response and I'm a little surprised that you consider that [they have] "no idea what they're doing".

The core issue is that they aren't transparent. They've released no audit reports (just "summaries"). They refuse to divulge any details of their infrastructure. And they refused to address the key points that the researchers made. And that is even before we get to the blockchain silliness. Blockchain is offering no value here and tried and true alternatives exist.

Paper, pencil, optical scanner is all one needs to run an election. And it's delivered time and time again.

Clive Robinson • February 17, 2020 10:38 AM

@ Vesselin Bontchev,

here is the researchers' response to that [Voatz] response

Thanks for that.

Given Voatz's previous behaviour of sticking the FBI on researchers, their reply to Voatz's calumny is a lot politer and more measured than Voatz would have a right to expect.

I did note that Voatz is a "startup" that has very recently gone through Series A funding of a few million USD. I guess they are touchy about having their dirty laundry exposed, especially as it appears they have lied about the blockchain usage, which has some legislative implications.

There is quite a difference between over-egging the pudding and deliberate deception, and from what has been presented I know where I would cast my vote on Voatz on that score. Let's put it this way: their deliberate attempts to hide code in the way they have would not help their cause in most people's eyes.

As it is, let's just be nice and say that Voatz needs to come clean on what it's been up to before anyone else puts money into it.

Rj Brown • February 17, 2020 11:25 AM

Let's be honest here. It takes more than this: "Paper, pencil, optical scanner is all one needs to run an election."

It takes voters, and precinct workers. The precinct workers need to verify that the voters actually have the right to vote at that polling place, and that they have not voted at some other place, nor more than once this election at the current polling place. Our goofy laws make it hard for these polling place workers to do their job. A personal appearance used to be good enough back in the good old days, or if you live in a small rural town like I do. These polling place workers know most of the voters on a first name basis and recognize them on sight. Pity the large city polling place worker. He never saw most of the people he must verify, and the laws make it very hard for him to require these potential voters to prove their right to vote. Likewise, some of these voters have a hard time proving their right to vote because of this lack of acquaintance problem as well.

Marking a ballot and scanning it is the easy part. These ballots also need to be counted, tallied, and reported. This requires honest polling place workers. How do we vet them?

Forget the software problem! Even with software, the identification problem still exists. Someone needed to vet the person who wanted to use the software before the software was ever even installed.

wumpus • February 17, 2020 11:29 AM

@Larry "Is the answer to hire people who REALLY know what they are doing?"

This is the whole problem of hiring people to do "magic" (things you don't understand). The number of people you *know* who REALLY know what they are doing is small (and you probably can't hire Bruce right now anyway). But the number of people who can convince you in an interview that they REALLY know what they are doing does not intersect well with the people who know what they are doing. And in something like security, you don't know until you've suffered a catastrophe (and even then it probably will be due to failure to do what the people who REALLY know their thing say).

But the answer for electronic voting is *DON'T DO IT*. Back after the 2000 election, a bunch of engineers (from both parties) sat around and discussed the problem and concluded that all an electronic voting booth should do is spit out a readily readable* ballot.

https://xkcd.com/2030/
Note that Randall Munroe even covers using a blockchain...

* that ballot should be both human and computer readable. And make sure you use high quality OCR (possibly with a special "digital font") that reads the same characters people read, as the humans aren't going to be able to tell which QRC is at the bottom of their ballot.

orcmid • February 17, 2020 12:13 PM

I wonder if Voatz has a reviewable threat model, or even knows what that minimal technology is.

Dennis Fazio • February 17, 2020 2:00 PM

Usually, new developments and inventions are created to solve a problem or provide a new capability not possible before. One has to ask what problem is online voting attempting to solve or what new capability is provided that warrants the complete redesign of an extensive critical civic and social practice?

An election system needs four key attributes: Access, Authentication, Anonymity, and Auditability. With network outages, server failures, denial of service attacks, with the authentication and voting action happening on the same communications channel, and the difficulty of providing *independent* count verification, Internet-based voting systems have a huge barrier to overcome.

Dancing On Thin Ice • February 17, 2020 3:51 PM

@Rj Brown

"It takes voters, and precinct workers"

Investigations even by those believing it is rampant consistently fail to find double voting incidents.
Voting twice by individuals with dual residencies also turns up as virtually non-existent.
Other factors have a greater effect on elections, such as voter roll purges, misinformation campaigns, closing DMV offices serving certain demographics after requiring an ID to vote, and gerrymandering.

Would the low numbers of voting booth fraud indicate precinct workers are a form of security theatre?
TЯump's election integrity "panel didn't uncover any evidence of fraudulent voting during its 11 months in operation"

Rj Brown • February 17, 2020 4:12 PM

@Dancing On Thin Ice:

"Would the low numbers of voting booth fraud indicate precinct workers are a form of security theatre?"

Either that, or they are doing such a good job that there is no need to replace them with computerized voting methods! :-)

Besides, these are volunteers. They are free labor. Why spend money to replace something that works and is free?

SpaceLifeForm • February 17, 2020 4:58 PM

@ wumpus

'that ballot should be both human and computer readable.'

Yep. Give me Hollerith Cards.

I can not come up with any other medium than paper that can be both human *and* computer readable.

Papers please. As in paper ballots.

David Leppik • February 17, 2020 5:19 PM

@RJ Brown:

Volunteers are not free. They need to be recruited, trained, and retained. Since they aren't getting paid, they are less likely to show up than paid workers. They are less likely to be experienced and ready to deal with irregularities. For certain jobs, such as construction, it's often cheaper to hire professionals than to rely on volunteers.

Volunteers are paid in satisfaction. If volunteers have a great experience, they will recruit their friends. If they feel unsupported and then get blamed for problems, nobody will want to volunteer.

Therefore paper forms with good instructions are usually superior to computerized forms. They are more reliable and less intimidating, especially when things go wrong. Nobody has to provide tech support, and errors don't compound, e.g. bad network connections causing people to hit "submit" multiple times.

Grima • February 17, 2020 6:12 PM

@Dennis Fazio re: "...what problem is online voting attempting to solve..."
The "wrong people" keep getting elected ;?>

RealFakeNews • February 18, 2020 3:27 AM

>> blockchain

...and why do people think this is the best solution? It almost pin-points the day the voting app was invented.

Where can I get multi-million dollar investment to produce garbage?

There is only one reason a certain demographic is pushing for electronic voting!

How many times has electronic voting been attempted, and how many times was it found to be flawed to the point the machine was changing the vote as it was cast due to a "glitch"?

It's almost, if not, one-to-one.

Forget electronic voting being untrustworthy - those developing them are even less so!

Clive Robinson • February 18, 2020 5:50 AM

@ RealFakeNews,

blockchain

I've almost always viewed it as,

1, A solution looking for a problem.
2, Words for a foolish Angel's ear.

Opinions I and others have voiced on this blog before.

Which you may remember were followed by various "don't break my rice bowl" types descending from some dream state place "where numbers float by just counting their toes" pretending to be the new coin of the world, and unfortunately gave the Moderator a mess to clean up...

Well they don't appear to be coming around as much any more; one can only hope reality has been a sufficiently "constructive lesson" for them. Also "What price an Angel's tears?" ;-)

I think the only reason this company has not gone the way of the dodo is that someone has managed to squeeze some oil out of a snake... That is, some idiot politician put in a requirement for "blockchain" in the legislation.

Proving, if it ever really did need proving, that our "representatives" are perhaps less wise than the average street corner hustler on the make...

P.S. For those that don't know the words to Don McLean's song of whimsy, the kicker is the last sentence,

    Wonderful baby livin' on love the sandman says maybe he'll take you above, up where the girls fly on ribbons and bows, where babies float by, just counting their toes. Wonderful baby nothin' but new, the world has gone crazy, I'm glad I'm not you.

UntilDoesNotEqualTillEOWWW • February 18, 2020 6:12 AM

https://i.postimg.cc/Xqq8cgx4/Minimise-Certificate-Use.png

Recursive tip: eh, ah, yeah, and do you _really_ need several dozens of CA's? and Certs? Not really. You might need one or two extras if your browser misses them, yet it already _lies_ and claims that missing Cert files/entries is "proof" of MITM problems. Alternatively, it might be true that every _extra_ of those several dozen CA's and Certs _actually_ _is_ the MITM attack!

Please wake up and dump the coffee, too. It's probably laced with ________________________, _____________, and/or _________________________.

Yep.
UntilDoesNotEqualTillEOWWW.

kiwano • February 18, 2020 9:28 AM

Every time I see a post like this, I become a little more convinced that the only thing that'll get the USA to adopt nation-wide security standards for voting systems, is a civil war fought over whether or not an election outcome was the result of tampering. In light of that, I don't know whether or not it's a good thing that the upcoming election is so polarizing, and involves a candidate who's already faced accusations of electoral fraud that his opponents find credible.

Jim Baldwin • February 18, 2020 12:19 PM

IN RE: 'Let's be honest here. It takes more than this: "Paper, pencil, optical scanner is all one needs to run an election."
It takes voters, and precinct workers. The precinct workers need to verify that the voters actually have the right too vote at that polling place, and that they have not voted at some other place, nor more than once this election at the current polling place.'
*********************************************

All of this is rendered irrelevant with a vote by mail system. Voter ID is built in. Ballot handling is done by trained professionals, i.e., US Postal workers. Large numbers of ballots are never in one place at one time, except at the secure facility.

https://www.indentureland.com/2020/02/10/advantages-of-vote-by-mail/

https://multco.us/multnomah-county/news/questions-about-election-security-we-have-answers

myliit • February 18, 2020 4:00 PM

More about LA’s voting machines and processes

https://www.forbes.com/sites/mikemontgomery/2020/02/05/when-it-comes-to-electronic-voting-california-is-no-iowa/

“It’s worth noting that when LA surveyed the technology landscape to choose its new machines, it decided it had to build its own (with the help of global design firm IDEO). But the new apparatus is just one element of a larger formula that combines new technology with redesigned mail-in ballots; the shift to fewer voting centers, which are open prior to election day; and a whole lot of outreach. Los Angeles officials spent years on consulting, organizing focus groups and hearing out concerned voters.

Contrast that person-centered approach with the situation in Iowa. As best we can tell, its Democratic officials hired a tech startup without a clear track record; those developers rushed to build a smartphone app on an unreasonable timeline; and the ticking clock resulted in insufficient testing and training. Even if the app had worked as expected, the majority of intended users never downloaded it.

The tech business has a reputation for dreaming up brilliant solutions only to later realize that users’ behavior and preferences — not technology limitations — were the real problem. In the case of voting and managing elections, understanding where we are now — and why — is half the battle. Case in point: California Secretary of State Alex Padilla announced last month that LA’s new voting system is conditional on a number of changes. One is to allow all voters the option of hand-marking a paper ballot. That accommodation may seem counterintuitive, but if you can’t win user confidence in your technology, it doesn’t matter how great your product is. It will never make it to them in the first place.“

SpaceLifeForm • February 18, 2020 5:43 PM

@ Jim Baldwin

You have no clue about USPS.

Sorry to say.

"All of this is rendered irrelevant with a vote by mail system. Voter ID is built in. Ballot handling is done by trained professionals, i.e., US Postal workers. Large numbers of ballots are never in one place at one time, except at the secure facility."

There are no trained professionals at USPS.

USPS facilities are *NOT* secure.


RealFakeNews • February 18, 2020 7:47 PM

You only need to look at the voter fraud that has occurred for years here in the UK in various seats at various times.

A year or two ago a guy claimed to have destroyed over 1000 ballot papers voting for the opposition, and knew of others that did the same.

Postal voting is not secure by any means.

MrC • February 20, 2020 3:05 AM

@ Larry

Is the answer to hire people who REALLY know what they are doing? Or just skip it altogether?

Skip it altogether. Although I think the following is a more useful way to think about the problem: It isn't possible to "hire people who really know what they are doing" for this sort of project, because everyone who knows what they're doing knows that secure internet voting is impossible. If you solicit bids for an internet voting project, every single one of the bidders is going to be a charlatan. So the root of the problem is that our policymakers don't have the sense to ask "Is this even possible?" before putting money on the table, at which point miscreants appear who will promise that anything is possible provided they get that money up front. Meanwhile, the legitimate computer security community has not devised an effective way to convey to policymakers "Hey, what you want to do here is impossible, and attempting to do it is going to end really badly." (See, e.g., law enforcement's ongoing love affair with the idea of "encryption that's secure against all attackers except law enforcement" and decades of not listening to cryptographers telling them that's not possible.)

Why is secure internet voting impossible? You can basically generalize from the problems with Voatz: (1) You can't secure the consumer electronics endpoint, so votes can be hacked before they even leave the endpoint. (2) You don't have a secure way to transmit your binary or to transmit votes. TLS's trust model is not sufficient when stakes are this high. But how else do you expect users to download your app? And every "fix" for transmitting votes more securely (e.g., cert pinning, second handshake inside TLS, etc.) boils down to distributing a public key inside the binary that the user downloaded over TLS in the first place. The only truly secure method for transmitting public keys that we know of is face-to-face physical handoff, but that totally defeats the point of internet voting. (3) You can't build a system that authenticates voters and then credibly forgets who cast which vote. The idea of a mix network where every node is operated by the same corporation is deeply silly. (Ditto the idea of a blockchain where every node is operated by the same corporation.) Beyond that, mix networks have unrealistic constraints about how many nodes must be honest, whether dishonest nodes can collude, and so forth, and also lack a mechanism for dealing with the situation once a dishonest node is uncovered. (4) As a practical matter, we (all of humanity) simply don't know how to write complex software without bugs. And, as Clive points out, the lowest-bidder, commercial commodity software development way of writing software is a particularly bad one if your aim is bug-free software.
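MrC's point (2) turns on where the pinned key comes from. The Go program below is an added illustration of that argument; it is not code from Voatz, from the paper, or from anyone in this thread. It implements SPKI certificate pinning the way a client would (hash the server certificate's SubjectPublicKeyInfo, compare against a set shipped in the binary) and then shows the limit MrC describes: the pin set is only as trustworthy as the channel that delivered the binary. The certificate names and the "genuine"/"rogue" split are constructed for the example; no real operator's key is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64-encoded SHA-256 of a certificate's
// SubjectPublicKeyInfo, the value an app embeds when it pins a server key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NewSelfSignedCert creates a throwaway server certificate for the demo
// (constructed here; no real operator's key is involved).
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PinSet is what ships inside the client binary.
type PinSet map[string]bool

// CheckPin is the client-side check run after the TLS handshake: accept the
// connection only if some certificate in the presented chain carries a key
// whose SPKI hash is in the pin set.
func CheckPin(chain []*x509.Certificate, pins PinSet) error {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return nil
		}
	}
	return errors.New("pin check failed: no pinned key in presented chain")
}

// BuildBinary models the app download: whoever controls the download channel
// decides which server certificate's pin ends up in the shipped binary.
func BuildBinary(serverCert *x509.Certificate) PinSet {
	return PinSet{SPKIPin(serverCert): true}
}

func main() {
	genuine, err := NewSelfSignedCert("vote.example") // the real election server (constructed)
	if err != nil {
		panic(err)
	}
	rogue, err := NewSelfSignedCert("vote.example") // an interposed server with its own key (constructed)
	if err != nil {
		panic(err)
	}

	// Case 1: the binary was delivered intact, so the pin protects the vote channel.
	honestBinary := BuildBinary(genuine)
	fmt.Println("honest binary, genuine server:", CheckPin([]*x509.Certificate{genuine}, honestBinary))
	fmt.Println("honest binary, rogue server:  ", CheckPin([]*x509.Certificate{rogue}, honestBinary))

	// Case 2: the party that interposes on the vote channel also interposed on
	// the app download, so the shipped pin set is theirs and the check passes.
	tamperedBinary := BuildBinary(rogue)
	fmt.Println("tampered binary, rogue server:", CheckPin([]*x509.Certificate{rogue}, tamperedBinary))
}
```

The defender's takeaway is the one MrC draws: pinning moves the trust decision from the CA set to the pin set, but the pin set arrived over the same kind of channel, so it does not remove the need for an out-of-band way to verify the binary (a published hash checked in person, a signed build with a key distributed separately). Pinning still raises the bar against an adversary who can only interpose on the vote channel and not on the download.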

nehcukreebmiH • February 20, 2020 6:43 AM

Oh wow... any discussion on voting is emotional, and local, as the comments show.

Looking at the specifics of the case (i.e. oh-so-great new technology proven insecure): this is why there is such a thing as independent third-party testing of security IT systems. In the US you have FIPS 140-2 testing (mostly blackbox, but hey, at least something), and the rest of the world often relies on Common Criteria certification (full pants-down approach, costly, painful, takes a lot of time). It's a pain in the neck if you have to do it, but it helps.

Looking at voting, especially in the US, and the related problems in the overall system: I guess one aspect fundamental to all countries struggling with many of the risks/issues mentioned is not only about how you cast your vote or how you count your ballot.
As some posters have pointed out, it's also about voter registration. Voter registration without having a countrywide, reliable ID management system is nearly impossible in my view. If there is no official, nation-state issued identity document, any really effective voter registration system will basically end up costing as much as it would have taken to install a nationwide ID system.

And back to technology: paper ballots can in fact be combined with electronic security systems in interesting ways. Check out this solution used in some federal states in Argentina: https://www.votar.com.ar/index_eng.html. The front page does not show it, but the ballot cards contain RFID tags that allow metadata management to handle registration, counting, re-counting processes. What is missing there is probably a third-party security certification of the machine and its software.

- • February 20, 2020 7:32 AM

@ Moderator,

The above from "nehcukreebmiH" reads like a 'product promotion intro'.

The funny thing is they have broken the link...

nehcukreebmiH • February 21, 2020 12:49 AM

Hi "- •"
well, actually it is not, or was not intended as such. I am not affiliated with these guys in any way. You will have noticed that I did point out that the Vot.ar system also has the problem of a) unknown things happening in the box and b) unknown software in both box and system. Still, that system does not fully rely on a concept of putting everything on smartphone and server in a quick hack, and then mostly relying on obfuscation and a strong legal department for your "security", which to me appears like what Voatz have done.
Instead, the Argentinians actually seem to have given some thought to what happens during an election and what is a useful interface between the physical and logical world.
By the way, the normal Spanish-language homepage still seems to work; you just leave out the last bit after the /.

Iago • February 21, 2020 7:53 AM

Oh, there's a big surprise! That's an incredib... I think I'm gonna have a heart attack and die from not surprise!

Clive Robinson • February 21, 2020 11:56 AM

@ PattiM,

Any scientists here care to comment?

I guess an applied mathematician might be better ;-)

But then I'm just an engineer so what do I know 0:)

Some people find it a bit odd that the actual proof of why computers cannot be secure precedes the work of Alonzo Church and Alan Turing by a few years...

I generally try to explain it in terms of the narrow scope of what a Turing engine can see and that any other engine can modify the tape, thus the instructions outside of that scope. Thus the Turing engine can only tell you what its instructions tell it to tell you.

If they still don't get it I explain about the computing stack and the levels at which security is applied, and how they are entirely dependent on the layers below. Thus any low layer attack bubbles up like the bubbles in a champagne glass, starting almost impossibly small and ending up large enough to have a very significant effect, hence a "bubbling up attack".

People were a little skeptical except in the aerospace and space industries, where issues to do with changes in memory, especially for "space qualified parts" due to radiation, were known about before 8-bit CPUs, which is why the 1802 CPU, as odd as it is, is still around.

However not many appreciated that device area had consequences and that DRAM in particular, due to the way it works, is quite susceptible to certain types of usage issues.

Then Rowhammer came along and all of a sudden people started to realise that not only were bubbling up attacks a significant risk, but also insecure applications well above the security layers in the computing stack could "reach around/down" and attack the memory on which all computer security is dependent. Thus bringing back to life all those insecure Direct Memory Access (DMA) security faults such as those still around in the likes of Firewire etc.

Now of course we have "The Xmas gift that keeps giving", the all too predictable hardware faults in the "go faster stripe" hardware people bolt on around RISC cores such as out of order execution and caching. If you look on the current Friday Squid page you will see @Thoth's posting about the latest security busting hardware fault,

https://www.schneier.com/blog/archives/2020/02/friday_squid_bl_716.html#c6806179

In the past I've also discussed here in some depth ways to mitigate "outsider attacks" using multiple computers and voting circuits (something NASA pushed half a century ago) as well as halting a CPU and using an "all states known" state engine to walk the instruction memory looking for modifications, as well as actively monitoring the CPU behaviour "signatures" looking for out of spec behaviours.

Whilst none are 100% (they are in fact probabilistic), when used correctly they do mitigate injected code from malware etc.

But yes you can get to 99.9% or so, but adding the extra nines the way we currently do security is "buying you nothing at an exorbitant price". Hence my starting to look at the mitigation methods well over a decade ago. It's not 100%, but nothing ever will be, and it's a lot cheaper than any other methods around.
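Clive's last paragraphs name two mitigations: running the same computation on several machines and letting a voting circuit pick the majority, and halting to walk instruction memory against a known-good reference looking for modifications. The Go program below is an added software illustration of both, written for this page; it is not Clive's code, NASA's, or anything from the Voatz paper. The replica outputs and the "instruction region" are constructed byte strings, and the page size is an arbitrary choice for the demo.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vote is a software stand-in for a majority voting circuit. It returns the
// value a strict majority of replicas agree on, the indices of replicas that
// dissented, and an error when no strict majority exists. In that last case
// the safe action is to halt rather than trust any single replica.
func Vote(outputs []uint64) (uint64, []int, error) {
	counts := make(map[uint64]int)
	for _, v := range outputs {
		counts[v]++
	}
	for v, n := range counts {
		if 2*n > len(outputs) { // strict majority; at most one value can satisfy this
			dissent := []int{}
			for i, o := range outputs {
				if o != v {
					dissent = append(dissent, i)
				}
			}
			return v, dissent, nil
		}
	}
	return 0, nil, errors.New("no majority among replicas; halting")
}

// PageDigests records a SHA-256 per fixed-size page of the instruction region
// at install time. This is the "all states known" reference the monitor walks.
func PageDigests(region []byte, pageSize int) [][32]byte {
	var golden [][32]byte
	for start := 0; start < len(region); start += pageSize {
		end := start + pageSize
		if end > len(region) {
			end = len(region)
		}
		golden = append(golden, sha256.Sum256(region[start:end]))
	}
	return golden
}

// WalkImage re-hashes the region page by page against the recorded digests and
// returns the indices of pages that differ, so a modification is localised
// rather than merely flagged. A region that grew past the recorded pages is
// reported as modified too.
func WalkImage(region []byte, pageSize int, golden [][32]byte) []int {
	var modified []int
	current := PageDigests(region, pageSize)
	for i, digest := range current {
		if i >= len(golden) || digest != golden[i] {
			modified = append(modified, i)
		}
	}
	return modified
}

func main() {
	// Three replicas computed the same checksum; one returned something else.
	value, dissent, err := Vote([]uint64{7, 7, 9})
	fmt.Println("majority:", value, "dissenting replicas:", dissent, "err:", err)

	// All three disagree: no majority, so the voter refuses to pick.
	_, _, err = Vote([]uint64{1, 2, 3})
	fmt.Println("three-way split err:", err)

	// Constructed "instruction memory": 64 bytes of NOP-like filler, 16-byte pages.
	region := bytes.Repeat([]byte{0x90}, 64)
	golden := PageDigests(region, 16)
	fmt.Println("clean image modified pages:", WalkImage(region, 16, golden))

	region[33] ^= 0xff // flip one byte inside page 2
	fmt.Println("after tamper modified pages:", WalkImage(region, 16, golden))
}
```

As Clive notes, both checks are probabilistic rather than absolute: a majority vote is defeated if the fault affects a majority of replicas identically, and a hash walk only catches changes made between walks and only if the walker itself runs from memory the adversary cannot reach, which is why he describes halting the CPU and running the walker as a separate state engine.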
