Blockchain-Based Voatz Loses West Virginia After Security Researchers Raise Concerns
Voatz, the company that delivered one of the first pilots for mobile internet voting using blockchain on the back end, completed another pilot in Utah with 78 submitted ballots. Another recent pilot – that time with Pierce County Elections – in November 2019 saw 163 voters submitting their ballots on the platform from 28 countries. By most accounts, Voatz is one of the more promising solutions to enable otherwise disenfranchised voters to participate in America’s democratic process. These include people with disabilities as well as overseas voters such as expats and those in uniform stationed abroad.
According to its website, Voatz is a “mobile elections platform” and has registered more than 80,000 votes across 50 elections since June 2016. The company has raised $7 million in Series A funding led by Medici Ventures and Techstars.
The Voatz mobile internet voting platform architecture stands on four key components:
- Device and network security. The Voatz app leverages third-party technologies such as Zimperium for virus and malware detection on the smartphone the app is installed on. If the Voatz app detects any critical threats or configuration weaknesses, e.g. a jailbroken phone, the user is denied access to the app. The app also uses Advanced Encryption Standard (AES), TLS, HTTPS, and SHA-256 to secure network traffic and communications.
- Identity proofing, binding, and authentication. Voatz’s identity proofing is a three-step process involving credential validation, liveness detection, and photo matching. It uses third-party Jumio as part of the ID verification steps. Binding and authentication occur twice (to open the ballot and to submit the ballot) and rely on the smartphone’s PIN and fingerprint or face ID authentication mechanisms.
- Blockchain to secure the aggregate vote. To allow for vote auditing and prevent vote tampering, all ballots submitted on the Voatz app are stored on a permissioned Hyperledger Fabric blockchain network distributed across 32 nodes, split 16 apiece between Amazon Web Services (AWS) and Microsoft Azure cloud servers. The underlying blockchain network ensures immutable and redundant copies of ballot submissions.
- Post-election audits. The audit process includes three key parties:
  - The user is sent a ballot receipt where they can verify their own selection. If unsatisfied, the voter can “spoil” their own ballot and recast their vote following the necessary identification and authentication mechanisms.
  - Upon ballot submission by the voter, a receipt is also sent to the jurisdiction, and the jurisdiction can perform its internal audit.
  - An independent third party is able to conduct a post-election audit to augment the jurisdiction’s internal audit.
At first glance, all these mechanisms appear to ensure highly secure mobile internet voting. However, a team of researchers at MIT replicated – as far as possible using publicly disclosed information – the Voatz platform architecture by reverse-engineering the Android app (the iOS version of the app was not tested) and found multiple vulnerabilities. The researchers notified the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) branch of their findings. Some alarming discoveries from this exercise include:
- Client-side attacks. By overriding Zimperium’s entry points one can disable the Zimperium SDK’s call to Voatz’s API server, thus essentially shutting down the third-party’s malware detection mechanisms and opening up the opportunity to control, view, and monitor user voting activities on the smartphone.
- Server attacks. This is the most difficult vulnerability to exploit of the three on this list. However, the researchers found that a nation-state adversary could in theory employ enough resources and manpower to conduct a man-in-the-middle (MITM) attack on Voatz’s API server, which sits in between the app user’s device and the blockchain servers. A successful MITM on the API server would allow the adversary to view and modify the ballot before it gets logged on the blockchain.
- Network snooping. By using a proxy and the tool tcpdump, a network adversary who can observe the user’s traffic could potentially infer the candidate the user voted for from differences in the size of the encrypted TLS packets.
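The network-snooping finding above rests on a general property of TLS: the record length an on-path observer sees tracks the plaintext length. The following added example (written for this article, not code from Voatz or the MIT researchers) models that leak for a constructed single-contest ballot and shows the defensive fix of padding every ballot to a fixed size before it is sent. The candidate names, the JSON layout and the 2-byte length-prefix padding scheme are all assumptions for illustration; the record overhead figure is for TLS 1.2 AES-GCM records.

```python
import json

# Constructed sample contest; names are invented placeholders, not a real ballot.
CANDIDATES = ["Ana Li", "Bartholomew Fitzgerald-Smythe", "Cy Ng"]

# TLS 1.2 AES-GCM records preserve plaintext length, so an observer sees
# header(5) + explicit nonce(8) + plaintext + auth tag(16) bytes per record.
TLS12_GCM_OVERHEAD = 5 + 8 + 16

def ballot_bytes(candidate: str) -> bytes:
    """Serialize a single-contest ballot the way a naive client might."""
    return json.dumps({"contest": "governor", "choice": candidate}).encode()

def record_size(plaintext: bytes) -> int:
    """Length an on-path observer sees for one TLS 1.2 AES-GCM record."""
    return len(plaintext) + TLS12_GCM_OVERHEAD

def pad_fixed(plaintext: bytes, size: int) -> bytes:
    """Pad to a fixed size: 2-byte big-endian length prefix, then zero bytes.
    Refuses oversized ballots so that no ballot is ever sent unpadded."""
    if len(plaintext) + 2 > size:
        raise ValueError("ballot exceeds fixed record size")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    return body + b"\x00" * (size - len(body))

def unpad_fixed(padded: bytes) -> bytes:
    """Recover the original ballot on the server side."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]

def distinguishable_sizes(payloads) -> int:
    """Number of distinct on-wire record sizes across the candidate set.
    A value of 1 means record length alone does not reveal the choice."""
    return len({record_size(p) for p in payloads})

def leaky_sizes() -> int:
    # Unpadded: each candidate produces a different record length.
    return distinguishable_sizes(ballot_bytes(c) for c in CANDIDATES)

def padded_sizes(size: int = 512) -> int:
    # Padded: every candidate produces the same record length.
    return distinguishable_sizes(pad_fixed(ballot_bytes(c), size) for c in CANDIDATES)
```

Fixed-size application-layer padding is one mitigation; TLS 1.3 also allows record-level padding, but it must be applied deliberately, since the default is to send records sized to the plaintext.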
Voatz has issued a rebuttal since the publication of MIT’s research. In the rebuttal, Voatz claims that the researchers used an Android app that was at least 27 versions old. Even so, the most important response came from West Virginia – the first state in the US to pilot internet voting with blockchain in federal general elections. The state pivoted away from Voatz for its May 2020 primary election and instead used the Democracy Live platform.
Source: Blockchain Platforms Data Quadrant, Software Reviews. Accessed June 6, 2020.
Our Take
These developments regarding the use of blockchain technology in public organizations should serve as a learning opportunity for IT leaders when exploring the use of emerging tech in their own organizations. Some thoughts this author would like to leave the reader with:
- Try before you buy. Conducting proofs of concept and experimenting with a new technology will allow you and your organization to assess how fit-for-purpose the tech really is for your business objectives.
- With any emerging and new technology, there’s a risk-benefit spectrum when it comes to early adoption. Some organizations are in a better position to mitigate and control the risk if a new technology does not pan out. Review and understand what kind of risk appetite your organization has for emerging tech before you dive in.
- The deficiencies, flaws, and vulnerabilities discovered should push the community to not only patch but perhaps even rethink the design of the technology and architectures moving forward, and in theory this will make the technology more robust and usable by the general public.
- This is all good. If a technology wants to lose the label of “emerging tech” and enter the mainstream it will have to mature and go through continuous scrutiny from the tech and research communities just as technologies before it have done.