CHARLESTON, WV (WOWK) – Researchers at MIT said they have uncovered security vulnerabilities in Voatz, the mobile voting application used during West Virginia’s 2018 midterm elections.
Their security analysis of the application pinpoints several weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted, MIT said. Researchers also found that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.
The research results are published in a new technical paper written by MIT graduate students Michael Specter and James Koppel under the guidance of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and founding director of the Internet Policy Research Initiative. West Virginia was the first state in the U.S. to allow select voters to use Voatz to cast their ballots, according to the paper.
Researchers shared their findings with the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, MIT said. The researchers, along with the Boston University/MIT Technology Law Clinic, worked closely with CISA election security officials to make sure both impacted elections officials and the vendor were aware of the findings before the research was made public.
Voatz, a private Boston-based company, made history in 2018 by fielding the first internet voting app used in “high-stakes federal elections,” according to the technical paper. The paper is the first public security review of the company.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” says Weitzner. “We cannot experiment on our democracy.”
By reverse-engineering the application and creating a model of Voatz’s server, researchers found that someone with remote access to the device can alter or discover a user’s vote and that the server could easily change those votes if hacked, MIT said.
Specter and Koppel say that their findings show the need for openness to ensure the integrity of the election process, according to a press release from MIT. They also said paper ballot systems still used by some states are designed to be transparent, giving both citizens and political party representatives the opportunity to observe the voting process. Koppel said Voatz’s app and infrastructure, however, were “completely closed-source; we were only able to get access to the app itself.”
Voatz has also been used in elections in Denver, Oregon, and Utah, as well as both the Democratic and Republican conventions in 2016. Voatz was not used during the 2020 Iowa caucuses, researchers said.