MIT Says Hackers Could Alter Ballots in Voting App

The Voatz app has been used in pilot projects in Colorado, Oregon, Utah and West Virginia.

A poll worker speaks with a voter at the Minneapolis Early Voting Center, Jan. 17, 2020.
A poll worker speaks with a voter at the Minneapolis Early Voting Center, Jan. 17, 2020.
Glen Stubbe/Star Tribune via AP, File

CHARLESTON, W.Va. (AP) — An internet voting app that has been used in pilots in West Virginia, Denver, Oregon and Utah has vulnerabilities that could allow hackers to change a person's vote without detection, according to researchers at the Massachusetts Institute of Technology.

The analysis of the Voatz app, which has mostly been used for absentee voters and overseas military personnel, found that attackers could “alter, stop or expose how an individual has voted.”

Voting security experts have long argued that online voting is dangerously insecure.

“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” Daniel Weitzner, an MIT scientist who oversaw the report, said Thursday.

The researchers said they were forced to reverse engineer an Android version of the app because Voatz hasn't allowed transparent third-party testing of the system.

Boston-based Voatz disputed the research methods, issuing a statement that said the analysts used an old version of the app and accused them of acting in “bad faith.” The company noted it hasn't had any reported issues in its counting of less than 600 votes over nine pilot elections.

Although few voters are expected to cast ballots on such apps in the coming election, the report casts a harsh light on the looming proposition of online voting. In 2018, Alaska explored using an online voting system but shuttered the program because of security concerns.

To some experts, a study finding holes in a smartphone voting app wasn't a shock.

“Not to in any way diminish this (excellent) work, but the fact that an online mobile voting scheme has serious security flaws is ultimately unsurprising,” tweeted Matt Blaze, a professor of computer science and law at Georgetown University. “Every serious expert has warned against Internet voting.”

Voatz was used in West Virginia's 2018 elections, but state officials were quick to point out that it counted fewer than 200 ballots and had no reported problems. The app also was used in the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention.

The study comes as West Virginia prepares to choose an online voting system for a newly passed law requiring that it allow people with physical disabilities to vote electronically. Donald Kersey, a general counsel in the secretary of state's office, said officials haven't decided on which platform they will use to conform to the new law but maintained that public confidence is paramount.

“Obviously, integrity and security are prime, but voter confidence is equally important,” Kersey said.

J. Alex Halderman, a University of Michigan professor and one of the country's leading experts on election security, responded to the MIT study in a lengthy Twitter thread, calling the findings “devastating.”

“In my view, based on MIT's findings, no responsible jurisdiction should use Voatz in real elections any time soon," he wrote. “It will take major advances in security technology before Internet voting is safe enough.”

More in IoT