
MIT student researchers say one of the best-known voting apps is ripe for hacks


Mobile voting apps may someday be a great way to increase participation in democracy, but right now there are serious questions about any technologies that must connect to the internet to transmit votes. Airtight security is crucial.

And now a new MIT study says Voatz—perhaps the best-known voting app—could be hacked. Two MIT graduate students, Michael Specter and James Koppel, say they uncovered security vulnerabilities in an earlier version of the Voatz app. The two report that the app presents the opportunity for hackers to alter, stop, or expose how an individual user has voted. Additionally, the researchers found that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.

“Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election,” write Specter and Koppel in their report. “Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.”

The findings were reported today in a story by The New York Times’s Matthew Rosenberg.

Voatz says the MIT researchers used an old version of its app and did not connect the app to Voatz’s servers. “In the absence of trying to access the Voatz servers, the researchers fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false,” the company said in a statement today.

Voatz is currently being used in a number of remote voting pilots, by small numbers of voters. The company has said that its app has been reviewed by numerous independent security researchers, but it has not provided specific information on the methodologies used in that research or the identities of the researchers.
