
Why experts are overwhelmingly skeptical of online voting

[Image credit: Aurich Lawson / Getty Images]

If anyone was going to be enthusiastic about online voting, it would be Ben Adida. After starting multiple dot-com startups in the late 1990s and early 2000s, Adida earned a computer science PhD from MIT in 2006. Studying under legendary cryptographer Ron Rivest (the "R" in RSA) at MIT, Adida explored how to use advanced cryptography to hold provably secure elections.

Adida created open-source online voting software called Helios based on that research. And more recently, he founded VotingWorks, a non-profit organization that creates open-source software for ballot-marking machines and post-election auditing.

"If I felt like Internet voting was viable, I would be really well-positioned to do it," Adida told Ars in a recent phone interview. "I did my PhD on it. I run Helios as a side project."

But Adida told us that online systems like Helios are "great for student elections, not for public elections."

"Every couple of months I get someone who says can we use Helios for a public election," Adida said. "I say, 'You really shouldn't.'"

That theme was echoed by other election security experts I talked to in recent weeks. Take David Becker, the executive director of the Center for Election Innovation and Research. He's generally an advocate for the use of digital technology in elections. For example, he's a staunch supporter of the controversial touchscreen ballot-marking devices used in Georgia elections. But like Adida, he argues we're nowhere close to having technology to securely cast votes on the Internet. "I've not seen any evidence that we can do so verifiably, securely, and auditably," Becker told Ars last month.

In 2018, West Virginia experimented with allowing 144 overseas service members to vote online using an app called Voatz. And this February, West Virginia passed legislation to expand online voting to disabled voters. The state was widely expected to again use Voatz for this, but West Virginia switched to software called OmniBallot for the June 2020 primary. It's not clear what voting technologies West Virginia will use in November's election.

Voatz CEO Nimit Sawhney has an ambitious vision for the future of American democracy. In two hour-long interviews with Ars—one in June, the other this week—he argued that everyone should have the option to cast votes online. He's frustrated by widespread skepticism about online voting among election security experts like Adida and Becker.

[Image: A look at the Voatz app interface (Android version). Credit: Voatz]

"How can you claim it's settled science that Internet voting can never be safe?" he asked in a June interview. "Three hundred years ago we knew the Earth was flat and the Sun was revolving."

Few of the experts I talked to said online voting could never be safe. But almost all of the independent experts I interviewed said it would be many years—if not decades—before it was feasible to build a secure voting system online.

Voatz is far from the only company working on online voting—other online voting systems have gotten equally harsh reviews from security experts. In June, we covered research by MIT computer scientist Michael Specter and the University of Michigan's Alex Halderman that analyzed OmniBallot.

"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," the researchers wrote. "Using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection."

MIT researchers found serious flaws

Voatz offers what seems like a simplified voting solution. Registered voters start with a smartphone app available for both iOS and Android. Votes are transmitted to servers hosted on Amazon Web Services, and a copy is stored on a blockchain. The blockchain supposedly offers extra security by making it harder to tamper with votes later.

Last year, after it had already been used in a state election, researchers from MIT undertook one of the first in-depth, independent reviews of Voatz software. "We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote," the researchers wrote in February.

The researchers didn't have access to Voatz servers, so they focused their analysis on Voatz's mobile app. One of their big findings was that Voatz's protections against on-device malware were ineffective. The Voatz app comes with software called Zimperium that scans a smartphone for known malware and prevents the app from running if it is detected. But the MIT researchers demonstrated that it was possible to modify the Voatz app to prevent Zimperium from running in the first place.

Once these security checks are disabled, the Voatz app can be modified to undetectably change voters' choices. "It is straightforward to modify the app so that it submits any attacker-desired vote, yet presents the same UI as if the app recorded the user's submitted vote," the researchers wrote.

The MIT study got a scathing response from Voatz. The company complained that the researchers had studied an outdated version of the Android app. And without access to the real Voatz servers, Voatz wrote, the researchers "fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false."

A Voatz-sponsored report backed up the MIT team

The month after the MIT study was published, a security consulting firm called Trail of Bits published its own analysis of the Voatz system. This work was partially funded by Voatz, which gave the firm access to its source code. Trail of Bits CEO Dan Guido told Ars that the review was undertaken at the behest of Tusk Philanthropies, a foundation that promotes online voting efforts.

Tusk "was a big supporter of Voatz, facilitating introductions to state and local governments," Guido told Ars in an interview this week. "They had an interest in making sure the technology they were promoting was safe enough to use for elections."

The Trail of Bits report, however, largely vindicated the MIT researchers. Trail of Bits did a line-by-line review of changes made to the app since the version used for the MIT analysis. Contrary to Voatz's claim, they didn't find any changes that would have affected the MIT results.

Trail of Bits also swatted down the idea that it was improper for the MIT team to use a mock server for security analysis. "Developing a mock server in instances where connecting to a production server might result in legal action is a standard practice in vulnerability research," the researchers wrote.

Sawhney, the Voatz CEO, argued that the MIT researchers had failed to consider server-side precautions—"tripwires"—that could detect and prevent the operation of a modified client. But here too the Trail of Bits researchers—who did have access to Voatz's server code—backed up the MIT analysts. They found the Voatz server doesn't check whether Zimperium actually ran on a smartphone before accepting votes from it.

Sawhney fired back on these findings as well when talking with Ars, claiming that the Voatz client talks to a Zimperium cloud server that itself has a back-channel to Voatz's own servers. Any attempt to disable the Zimperium client would be detected by the Zimperium server, which would notify Voatz, Sawhney claimed.

But Guido argued that a hacker with control over a user's device can forge any message that an unmodified Voatz app would generate. There's no reliable way for a server to tell the difference.

"The problem isn't that they haven't implemented an extra handshake," Guido said. "They don't understand the limits of anti-tamper protections on a mobile device."

[Image: How Voatz works, according to Voatz. Credit: Voatz]

Poor key management

Guido told Ars that one of Voatz's fundamental problems was its unsophisticated techniques for managing secrets and configuring servers. One sign of this was the presence of hard-coded credentials in source code. "We discovered a substantial number of keys and secrets stored inside Git, accessible to anyone inside the company," Guido said.

That's a problem because an attacker could hack or bribe a Voatz employee, then use the employee's access to Voatz source code to steal credentials required to mount an attack on live election systems. That's exactly the kind of attack responsible for a pair of embarrassing data breaches suffered by Uber in 2014 and 2016. Sophisticated companies prevent this by using key-management systems that limit employee access to secrets. They also automate the configuration and deployment of new servers, which limits the ability of individual employees to tamper with live servers.

Voatz claimed that all of the hard-coded credentials spotted in Voatz source code were used for testing or were no longer in use. But Guido disputed that. He said that when the researchers notified Voatz engineers that there was a hard-coded secret in the source code, they initially moved it out of the Git repository and into a MongoDB database—another resource that was widely accessible to Voatz engineers. "They did not address the underlying issue," Guido said.
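To make the risk Guido describes concrete, here is an added Python example (not Voatz's or Trail of Bits' code) that scans an in-memory checkout for the kinds of hard-coded credentials the report describes: AWS-style access key IDs, private key blocks, password/secret/token assignments, and high-entropy string literals. The file names, lines and values are constructed for the example; the AWS key ID is the placeholder from AWS's own documentation, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample checkout standing in for a Git repository. None of these
# values are real credentials: the AWS key ID is the placeholder used in AWS's
# own documentation, the rest are made up for this example.
SAMPLE_TREE = {
    "config/settings.py": [
        "DEBUG = False",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'DB_PASSWORD = "hunter2"',
        "TIMEOUT_SECONDS = 30",
    ],
    "deploy/server.pem": [
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEA...constructed, not a real key...",
        "-----END RSA PRIVATE KEY-----",
    ],
    "app/vote.py": [
        "import os",
        'MONGO_URI = os.environ["MONGO_URI"]  # resolved at runtime, never committed',
        'BLOCKCHAIN_NODE_SEED = "q7Wm2Xp9Ln4Ky8Rt3Vb6Zc1Jd5Hf0GsE"',
    ],
}

# Pattern rules: each fires when a well-known credential shape appears on a line.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    "credential-assignment": re.compile(
        r"(?i)\w*(?:password|passwd|secret|token|api_key|apikey)\w*\s*[=:]\s*[\"'][^\"']+[\"']"
    ),
}

# Entropy rule: long quoted literals with high per-character entropy look like keys.
QUOTED_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{32,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; tune for your code base


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list[str]:
    """Return the names of every rule that fires on one source line."""
    hits = [name for name, pattern in RULES.items() if pattern.search(line)]
    for literal in QUOTED_LITERAL.findall(line):
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            hits.append("high-entropy-literal")
            break  # one entropy finding per line is enough
    return hits


def scan_tree(tree: dict[str, list[str]]) -> list[Finding]:
    """Walk an in-memory checkout {path: lines} and collect hard-coded secret candidates."""
    findings = []
    for path, lines in tree.items():
        for lineno, line in enumerate(lines, start=1):
            for rule in scan_line(line):
                findings.append(Finding(path, lineno, rule, line.strip()[:60]))
    return findings


def flagged_paths(findings: list[Finding]) -> list[str]:
    """Distinct files that need attention, sorted for stable reporting."""
    return sorted({f.path for f in findings})


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.lineno} [{f.rule}] {f.snippet}")
```

A check like this belongs in a pre-commit hook or a CI gate, where it blocks the commit rather than reporting after the fact. Note that relocating a flagged value into a shared database, as the report says Voatz initially did, would not clear it: the fix is to read the secret from a key-management system at runtime, as the `MONGO_URI` line in the sample does with an environment variable, so the value never enters the repository at all.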

Another problem: the SSL certificate that secures connections between the Voatz app and Voatz server—which operate at subdomains of nimsim.com—uses a subdomain wildcard and a shared private key. This makes the whole system only as secure as the least secure server. If hackers manage to hack into one of Voatz's servers—perhaps an older server that was used for a prior election that doesn't have up-to-date patches—they'll gain access to the private key they need to impersonate any other Voatz server.

Talking to Ars this week, Voatz's Sawhney insisted that there was no problem here. "We don't see that as a viable threat vector," he said.

He also argued that fixing the problem would be too difficult. Voatz has dozens of servers and changes their domains and IP addresses every few weeks to make them more difficult for hackers to find and attack. This means Voatz would need to generate more than 100 fresh certificates every month if it wanted to give each server its own private key, he said.

But Guido argued that Sawhney was "over-estimating the difficulty" of generating fresh certificates. Today, there are automated systems to do it. However, those systems work best with automated infrastructure for managing private keys and deploying servers—infrastructure that Trail of Bits found lacking at Voatz.

It's hard to prove online voting is secure

I've only mentioned a fraction of the security issues flagged in the MIT and Trail of Bits reports. In total, Trail of Bits found 48 vulnerabilities, including 16 of high severity. Voatz disputes those findings, arguing that a majority of the supposed vulnerabilities were based on misunderstandings. I could go on for several more sections detailing the researchers' criticisms and Voatz's responses, but it's probably more helpful to step back and think about the big picture.

Despite being a professional technology reporter with a master's degree in computer science, I sometimes found the back-and-forth between Voatz and the security researchers difficult to follow. For an ordinary voter without a technology background, this kind of debate may be impenetrable. And that points to a fundamental downside to the concept of voting online. A voting system doesn't just need to be secure—it needs to be provably secure. And the proof of its security needs to be understandable by ordinary voters.

A conventional voting system with paper ballots is remarkably good on this score. Ordinary voters have an intuitive understanding of the security properties of paper ballots and ballot boxes. Voters can see their ballots go into the ballot box. Anyone can observe an election and verify that nobody is opening the ballot box and tampering with its contents. Recounts can be monitored by representatives of rival candidates to make sure no funny business occurs.

Verifying the security of an online voting system is vastly more difficult. Partly that's because the system has many more moving parts