Security Analysis of the Democracy Live Online Voting System

2020-06-09 11:26

Abstract: Democracy Live's OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and online voting.

Three states - Delaware, West Virginia, and New Jersey - recently announced that they will allow certain voters to cast votes online using OmniBallot despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.

We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system's operation and analyze its security.

We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon,Google, or Cloudflare.

Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter's identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot.

News URL

https://www.schneier.com/blog/archives/2020/06/security_analys_7.html

#online #security