“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” the company said in its statement.
The researchers dispute many of these assertions, though. They say that they assessed the version of the Voatz app that was available in Google Play in early December and that since then the company has done five, not 27, updates to the app according to Google Play’s logs. They add that none of those five sets of update notes include any indication of security or architecture changes that would potentially negate their findings. And the researchers say that whenever they were forced to make assumptions about Voatz’s systems in their analysis, they did so as generously as possible.
“We explicitly assume in the paper a very optimistic model of what Voatz’s backend could be doing,” Specter, the lead researcher, told WIRED. “Every time we could possibly assume that Voatz could be preventing something we just assumed that they did it and that it’s completely secure. And even in that very strenuous situation we were able to show a number of attacks.”
The researchers asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to coordinate an anonymous disclosure process ahead of publication to safeguard against retaliation. Voatz memorably reported a University of Michigan researcher to the Federal Bureau of Investigation for what turned out to be security analysis of the app.
“When researchers recently contacted CISA to report vulnerabilities in mobile voting technology, we quickly shared this information with both the vendor and the state and local election officials who plan to pilot or use this technology during the 2020 election cycle,” a CISA spokesperson said in a statement. “Potentially affected election officials were able to speak with the researchers and CISA to understand and manage risks to their systems.”
The researchers say that during this process Voatz seemed to confirm the existence of at least two of the vulnerabilities and corresponding attack scenarios laid out in the paper. Voatz’s statement does not make any specific technical claims, and the researchers emphasize that the response doesn’t actually dispute any of their findings.
Security researcher Kevin Beaumont, who has found and pointed out bugs in Voatz’s systems in the past, says that the findings from MIT don’t surprise him. “Voatz has been trying to bury researchers in NDAs to stop findings going public, and reported one person who went public to the FBI,” Beaumont says. “Elections are serious stuff. There is no place for nondisclosure agreements and false audit claims in something this targeted. It’s difficult to know how Voatz is getting signed off to be involved in elections when their credentials appear questionable at best.”
Though more research into the Voatz app is needed to fully understand the reality of the platform’s defenses, the MIT research speaks to the pressing need for transparent, auditable voting systems—a point researchers have also strenuously made about existing, in-person voting machines.
“I think the research raises enough red flags to ask what Voatz is actually doing to protect your vote,” says Matthew Green, a Johns Hopkins cryptographer who viewed the findings ahead of publication. “People shouldn’t have to reverse-engineer an app to answer these questions. Democracy requires a lot more transparency.”
Updated Thursday February 13, 2020, 3:20pm ET to include comment from the MIT researchers.
More Great WIRED Stories