Voatz Internet Voting App Is Insecure

2020-02-17 12:35

Abstract: In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called "Voatz." Although there is no public formal description of Voatz's security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user's device.

We performed a clean-room reimplementation of Voatz's server and present an analysis of the election process as visible from the app itself.

We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote,including a sidechannel attack in which a completely passive network adversary can potentially recover a user's secret ballot.

We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality.

EDITED TO ADD: The researchers respond to Voatz's response.

News URL

https://www.schneier.com/blog/archives/2020/02/voatz_internet_.html

#internet #internetvoting