Blockchain: Voatz Internet Voting App Is Insecure

This paper describes the flaws in the Voatz Internet voting app: “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections.”

Abstract: In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called “Voatz.” Although there is no public formal description of Voatz’s security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user’s device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a clean-room reimplementation of Voatz’s server and present an analysis of the election process as visible from the app itself.

We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.

News articles.

The company’s response is a perfect illustration of why non-computer non-security companies have no idea what they’re doing, and should not be trusted with any form of security.

Posted on February 17, 2020 at 6:35 AM
