Voatz allows voters to cast their ballots from any geographic location on supported mobile devices. Its mobile voting platform is under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election. The issues are serious enough to attract inquiries from the Department of Homeland Security and Congress.
However, there has been no comprehensive security report to provide details of the Voatz vulnerabilities and recommendations for fixing them—until now.
Trail of Bits has performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Our assessment confirmed the issues flagged in previous reports by MIT and others, discovered more, and made recommendations to fix issues and prevent bugs from compromising voting security. Trail of Bits was uniquely qualified for this assessment, employing industry-leading blockchain security, cryptographic, DARPA research, and reverse engineering teams, and having previously assessed other mobile blockchain voting platforms.
Our security review resulted in seventy-nine (79) findings. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.
Why Voatz counts
The promises of mobile voting are attractive—better accessibility for differently abled people, streamlined absentee voting, and speed and convenience for all voters. If a mobile platform could guarantee secure voting, it would revolutionize the process. It’s a fantastic goal—but there’s still work to do.
Voatz has already piloted its mobile voting app with elections in West Virginia; Denver, Colorado; Utah County, Utah; and both Jackson and Umatilla Counties in Oregon. According to Voatz’ own FAQ, more than 80,000 votes have been cast on the Voatz platform across more than 50 elections since June 2016.
And yet, four security assessments that took place before ours could not quell a great deal of uncertainty and public speculation about Voatz’ implementation and security assurances.
In May 2019, researchers from Lawrence Livermore National Laboratory, the University of South Carolina, Citizens for Better Elections, Free & Fair, and the US Vote Foundation enumerated a series of questions about the security of Voatz in What We Don’t Know About the Voatz “Blockchain” Internet Voting System. They asked questions like, “Does Voatz collect voters’ location data? If so, why?” and, “How do we know that voter data cannot be retroactively de-anonymized?”
In November 2019, Senator Ron Wyden began sending letters to the National Security Agency and U.S. Department of Defense; Oregon Secretary of State Bev Clarno; and ShiftState Security. Another letter, addressed to Voatz and signed by five members of Congress (including Klobuchar, Peters, Wyden, Lofgren, and Thompson) expressed “serious concern regarding reports that there may be substantial cybersecurity vulnerabilities associated with your company’s mobile voting application.”
On February 5th, 2020—during our review period—Trail of Bits was given an anonymized, summary report of security issues in the Voatz Android mobile application externally reported to the DHS CISA. Six vulnerabilities were described, primarily related to the Android mobile application (version 1.1.60, circa September 24, 2019). One week later, the full report was made public, Voatz released a rebuttal, and a story in the New York Times was published about the security “debate” surrounding Voatz.
Trail of Bits enters the fray…
In December 2019, Trail of Bits was hired by both Voatz and Tusk Philanthropies, an organization that funded municipalities election costs for Voatz’s pilots, to conduct the most complete security assessment of the platform to date.
To the best of our knowledge, no assessment prior to ours had been scoped to include the discovery of Voatz Core Server and backend software vulnerabilities.
Trail of Bits was provided over 168,000 lines of pure source code across approximately 2,100 files. This did not even constitute the entire Voatz system, as the code for certain components such as the audit portal were never furnished. The system is unusually complex, with an order-of-magnitude more custom code than similar mobile voting systems we have assessed.
Highlights of our Findings
Our Voatz security report is divided into two volumes:
- The security assessment’s technical findings (Volume I)
- A threat model containing architectural and operational findings (Volume II)
Our security review resulted in seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity. The high-severity findings are related to:
- Cryptography, e.g., improper use of cryptographic algorithms, as well as ad hoc cryptographic protocols.
- Data exposure, e.g., sensitive credentials available to Voatz developers and personally identifiable information that can be leaked to attackers.
- Data validation, e.g., reliance on unvalidated data provided by the clients.
- Audit logging and accountability controls, e.g., the inability to track commands issued by administrators.
- Security assessment and authorization controls, e.g., insufficient continuous monitoring, documented procedures, and documented connections.
- Configuration management controls, e.g., a lack of baseline configurations and security impact analyses.
- Contingency planning, e.g., insufficient plans for disaster recovery and business continuity.
- Insufficient incident response, component interconnection, maintenance, and risk assessment plans and protocols.
Our technical report includes Appendix B, containing an independent analysis of not only the MIT report, but five prior assessments of Voatz. The Security Properties and Questions section of the report also answers as many questions as possible from the What We Don’t Know About Voatz paper. For example, we describe how “anonymous IDs” are assigned to ballots, whether SIM swapping is sufficient to steal a voter’s account, and how voters are uniquely identified when requesting a receipt.
What’s been fixed
On February 26, 2020, Trail of Bits reviewed fixes proposed by Voatz for the issues presented in the technical report (Volume I). Each finding was re-examined and verified by Trail of Bits. We found that Voatz had addressed eight (8) issues and partially addressed six (6) issues; thirty-four (34) technical issues remain unfixed, at the time of writing.
See a detailed review of the current status of each issue in Appendix E: Fix Log of the technical report. The Fix Log was further updated on March 11th with responses from Voatz indicating their plans to address additional findings.
So, what does it all mean?
Voatz’s code, both in the backend and mobile clients, is written intelligibly and with a clear understanding of software engineering principles. The code is free of almost all the common security foibles like cryptographically insecure random number generation, HTTP GET information leakage, and improper web request sanitization. However, it is clear that the Voatz codebase is the product of years of fast-paced development. It lacks test coverage and documentation. Logical checks for specific elections are hard-coded into both the backend and clients. Infrastructure is provisioned manually, without the aid of infrastructure-as-code tools. The code contains vestigial features that are slated to be deleted but have not yet been (TOB-VOATZ-009). Validation and cryptographic code are duplicated and reimplemented across the codebase, often erroneously (TOB-VOATZ-014). Mobile clients neglect to use recent security features of Android and iOS (TOB-VOATZ-034 and TOB-VOATZ-042). Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001). Many of its cryptographic protocols are nonstandard (TOB-VOATZ-012).
The quantity of findings discovered during this assessment, the complexity of the system, and the lack of access to both a running test environment as well as certain codebases leads us to believe that other vulnerabilities are latent.
Broadly, we believe election officials themselves should fund qualified, public reviews of these systems, and specify that those reviews describe the issues and solutions in a way that non-technical audiences can understand. It’s easy to get confused by non-commissioned reports; for example, an August 2019 report by The National Cybersecurity Center (NCC) seemed to address the platform’s security issues, but the NCC doesn’t employ any security experts. Their report validated that Voatz’ features and operation meet the needs of the user, not that the Voatz system is secure.
We hope that our assessment will improve the overall security posture of the Voatz system, but there is still a great deal of work to be done to achieve that goal. The door is open to continue to help Voatz remediate the issues we discovered.
Meanwhile, as we continue working in election security, we are taking the initiative to help companies incorporate more security knowledge earlier into the development process.
Elect security with us.
See something you need? We have staff who specialize in election security issues, including cryptographic, blockchain, and technical security experts. Contact us to see how we can help.
*** This is a Security Bloggers Network syndicated blog from Trail of Bits Blog authored by Dan Guido. Read the original post at: https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/