February 14, 2020

WASHINGTON (CNN) – Security researchers report bugs in a smartphone-based voting app used by military voters overseas and piloted for domestic use.

The vulnerabilities could allow nation-state hackers to view, block, or even change ballots cast from a smartphone before they are counted, according to a new paper by three researchers at the Massachusetts Institute of Technology.

The app was developed by Voatz, whose technology has been tested in West Virginia, Colorado and Utah.

The company called the report “flawed” in a statement released on its website on Thursday.

“We want to make it clear that all nine pilot elections to date have been conducted safely with fewer than 600 voters and with no reported problems,” said Voatz in the statement. “The real goal of the researchers is to intentionally disrupt the electoral process, sowing doubts about the security of our voting infrastructure, and spreading fear and confusion.”

The report adds to growing concern over the use of apps and online voting tools in the 2020 elections after the reporting tools used in the Iowa caucuses failed.

Last year, Utah County, Utah began using Voatz for overseas disabled and military voters. In an interview, county clerk Amelia Powers Gardner said Voatz made more sense than the previous system, in which remote voters had to email their ballots.

A review of Voatz’s implementation in Utah County – conducted before the MIT report was released – showed no problems, Gardner told CNN. Gardner said that when she spoke with the MIT researchers by phone, it became clear that they preferred traditional voting with pencil and paper. But that is not feasible for overseas voters, Gardner said.

“I have a legal obligation to provide our overseas military members with an electronic form of ballot,” she said, “and if it isn’t, it’s an email – which they agreed to not for sure.”

The researchers’ conclusions about security risks in the app were based on a reverse-engineered version of the Voatz Android app, run in a simulated environment. According to the study, an attacker who takes control of a smartphone with the app installed could interfere with the voting process by altering ballots or learning which candidate a voter supports.

“That means they could stop your vote if they knew you would vote for someone they didn’t like,” Mike Specter, one of the authors of the report, told CNN.

Other election security experts who have reviewed the MIT paper say it appears solid.

“This MIT study appears to have been carefully structured as the analysis was conducted,” said Andrea Matwyshyn, an election security expert at Penn State University.

On a conference call with reporters on Thursday, Voatz criticized the report’s methodology. Company executives said the researchers had used an outdated version of the software and that some of the problems found had already been fixed. Voatz also accused the researchers of making “hypothetical” claims based on their simulation rather than letting the app interact with an actual Voatz server.

“We already have this server available,” said Nimit Sawhney, CEO of Voatz. “It’s about our public bug bounty program. Anyone who wants to register and test the apps against the real server with full functionality can do so.”

The company declined to comment.

While participating in the bug bounty program would allow researchers to verify how the Voatz app interacts with the company’s servers, the law largely prohibits researchers from testing the servers themselves, said Eric Mill, a cybersecurity expert who has run technology programs for the federal government.

“The fact that the app accidentally communicates with the server is not the same as permission to research the real server,” said Mill.

Critics say Voatz should be more transparent about its technology and about who it has used to conduct independent audits. They also note that Voatz previously reported to the FBI a University of Michigan researcher who had run similar tests on the technology, and the report’s authors cited that episode as the reason they did not contact the company directly.

Instead, they reported their results to the Department of Homeland Security, which routinely functions as a clearinghouse for information on election integrity.

Voatz said on Thursday that the MIT researchers should have reached out to the company despite their concerns about how Voatz had handled previous research attempts. The company also said it has signed nondisclosure agreements that prevent it from discussing many of its previous reviews, although it acknowledged that DHS has conducted its own review.

Technology news site Coindesk said it received a copy of the DHS review and reported it on Friday. While U.S. officials identified few major issues with Voatz, the review focused primarily on the company’s internal network and servers, not the app that was the subject of the MIT report.

The tension between Voatz and independent security experts is not surprising, Mill said. But he added that the industry trend in recent years has been toward more disclosure and openness, not less – which makes Voatz’s response to the report stand out. It also reflects a common misconception that greater secrecy leads to greater security, he said.

“This basic feeling of security through obscurity, that you want to publish as little detail as possible to give your attacker as little information as possible, is a very common gut feeling for many lay people and in some cases for technologists,” he said. “It comes from fear and perhaps from understanding or appreciating the role of the public in ensuring defense.”
