
Blockchain: Researchers say Voatz voting app has big security flaws, 4 states using it for 2020 elections anyway


Researchers at MIT say the voting app Voatz, which is being used by at least 4 states in the 2020 elections, has major security flaws. These could allow an attacker to intercept and alter votes while making voters think their votes have been cast correctly, or to trick the voting server into accepting connections from an attacker.


Here’s the MIT research paper on Voatz.


Excerpt from Kim Zetter’s reporting for VICE:

An attacker would also be able to alter the user’s vote and trick the user into believing their vote was transmitted accurately, researchers from the Massachusetts Technology Institute write in a paper released Thursday.

The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system.

Read the full report at VICE NEWS:

‘Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws
[Kim Zetter Feb 13 2020]

Worth noting that in addition to today’s MIT research warning of significant vulns in Voatz, we also have a DHS report that found no evidence of malicious activity but plenty of recs for improved security. Voatz hadn’t previously made any reports public. https://t.co/4WEqslXXxp

— Kevin Collier (@kevincollier) February 13, 2020

Another reminder that in 2018 Voatz boasted on their website that Qualys provided a security audit. For Qualys they linked a free SSL certificate checker as proof they were secure (screenshot) which completely misunderstands third party security auditing. pic.twitter.com/zGKhAIT1gP

— Kevin Beaumont (@GossiTheDog) February 13, 2020

Election security is hard enough without snakeoil salesmen like Voatz trying to distract election officials into buying inherently defective products like Internet voting schemes.

— matt blaze (@mattblaze) February 13, 2020

You can tell more about the security of a product from the reaction by the vendor to a vulnerability than from the vulnerability itself. By this measure, Voatz has failed miserably. They have squandered any reason anyone might have had to trust them.

— matt blaze (@mattblaze) February 13, 2020

So Voatz did a press call this afternoon where they:

* Said paper was “riddled with holes”

* Didn’t offer evidence of researchers’ supposed malicious agenda

* Declined to name their outside auditors, citing terms of the NDA they wrote https://t.co/7xReuDtvFN

— Eric Geller (@ericgeller) February 13, 2020

When an MIT study showed Voatz e-voting software to be a security dumpster fire, the company apparently had the ingenious idea to attack the researchers and accuse them of being publicity hounds. https://t.co/6JtCeaKmfX

— Karl Bode (@KarlBode) February 13, 2020

[via techmeme.com]


