Karlston Posted September 4, 2020

Why experts are overwhelmingly skeptical of online voting

An online voting CEO tried—and failed—to convince me it was a good idea

Image: Aurich Lawson / Getty Images

If anyone was going to be enthusiastic about online voting, it would be Ben Adida. After starting multiple dot-com startups in the late 1990s and early 2000s, Adida earned a computer science PhD from MIT in 2006. Studying under legendary cryptographer Ron Rivest (the "R" in RSA) at MIT, Adida explored how to use advanced cryptography to hold provably secure elections. Adida created open-source online voting software called Helios based on that research. And more recently, he founded VotingWorks, a non-profit organization that creates open-source software for ballot-marking machines and post-election auditing.

"If I felt like Internet voting was viable, I would be really well-positioned to do it," Adida told Ars in a recent phone interview. "I did my PhD on it. I run Helios as a side project."

But Adida told us that online systems like Helios are "great for student elections, not for public elections."

"Every couple of months I get someone who says can we use Helios for a public election," Adida said. "I say, 'You really shouldn't.'"

That theme was echoed by other election security experts I talked to in recent weeks. Take David Becker, the executive director of the Center for Election Innovation and Research. He's generally an advocate for the use of digital technology in elections. For example, he's a staunch supporter of the controversial touchscreen ballot-marking devices used in Georgia elections. But like Adida, he argues we're nowhere close to having technology to securely cast votes on the Internet.

"I've not seen any evidence that we can do so verifiably, securely, and auditably," Becker told Ars last month.

In 2018, West Virginia experimented with allowing 144 overseas service members to vote online using an app called Voatz.
And this February, West Virginia passed legislation to expand online voting to disabled voters. The state was widely expected to again use Voatz for this, but West Virginia switched to software called OmniBallot for the June 2020 primary. It's not clear what voting technologies West Virginia will use in November's election.

Voatz CEO Nimit Sawhney has an ambitious vision for the future of American democracy. In two hour-long interviews with Ars—one in June, the other this week—he argued that everyone should have the option to cast votes online. He's frustrated by widespread skepticism about online voting among election security experts like Adida and Becker.

Image: A look at the Voatz app interface (Android version). Credit: Voatz

"How can you claim it's settled science that Internet voting can never be safe?" he asked in a June interview. "Three hundred years ago we knew the Earth was flat and the Sun was revolving."

Few of the experts I talked to said online voting could never be safe. But almost all of the independent experts I interviewed said it would be many years—if not decades—before it was feasible to build a secure voting system online.

Voatz is far from the only company working on online voting—other online voting systems have gotten equally harsh reviews from security experts. In June, we covered research by MIT computer scientist Michael Specter and the University of Michigan's Alex Halderman that analyzed OmniBallot. "We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," the researchers wrote. "Using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection."

MIT researchers found serious flaws

Voatz offers what seems like a simplified voting solution.
Registered voters start with a smartphone app available for both iOS and Android. Votes are transmitted to servers hosted on Amazon Web Services and a copy is stored to a blockchain. The blockchain supposedly offers extra security by making it harder to tamper with votes later.

Last year, after it had already been used in a state election system, researchers from MIT undertook one of the first in-depth, independent reviews of Voatz software. "We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote," the researchers wrote in February.

The researchers didn't have access to Voatz servers, so they focused their analysis on Voatz's mobile app. One of their big findings was that Voatz's protections against on-device malware were ineffective. The Voatz app comes with software called Zimperium that scans a smartphone for known malware and prevents the app from running if it is detected. But the MIT researchers demonstrated that it was possible to modify the Voatz app to prevent Zimperium from running in the first place. Once these security checks are disabled, the Voatz app can be modified to undetectably change voters' choices. "It is straightforward to modify the app so that it submits any attacker-desired vote, yet presents the same UI as if the app recorded the user's submitted vote," the researchers wrote.

The MIT study got a scathing response from Voatz. The company complained that the researchers had studied an outdated version of the Android app. And without access to the real Voatz servers, Voatz wrote, the researchers "fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components that are simply false."

A Voatz-sponsored report backed up the MIT team

The month after the MIT study was published, a security consulting firm called Trail of Bits published its own analysis of the Voatz system.
This work was partially funded by Voatz, which gave the firm access to its source code. Trail of Bits CEO Dan Guido told Ars that the review was undertaken at the behest of Tusk Philanthropies, a foundation that promotes online voting efforts. Tusk "was a big supporter of Voatz, facilitating introductions to state and local governments," Guido told Ars in an interview this week. "They had an interest in making sure the technology they were promoting was safe enough to use for elections."

The Trail of Bits report, however, largely vindicated the MIT researchers. Trail of Bits did a line-by-line review of changes made to the app since the version used for the MIT analysis. Contrary to Voatz's claim, they didn't find any changes that would have affected the MIT results. Trail of Bits also swatted down the idea that it was improper for the MIT team to use a mock server for security analysis. "Developing a mock server in instances where connecting to a production server might result in legal action is a standard practice in vulnerability research," the researchers wrote.

Sawhney, the Voatz CEO, argued that the MIT researchers had failed to consider server-side precautions—"tripwires"—that could detect and prevent the operation of a modified client. But here too the Trail of Bits researchers—who did have access to Voatz's server code—backed up the MIT analysts. They found the Voatz server doesn't check whether Zimperium actually ran on a smartphone before accepting votes from it.

Sawhney fired back on these findings as well when talking with Ars, claiming that the Voatz client talks to a Zimperium cloud server that itself has a back-channel to Voatz's own servers. Any attempt to disable the Zimperium client would be detected by the Zimperium server, which would notify Voatz, Sawhney claimed.

But Guido argued that a hacker with control over a user's device can forge any message that an unmodified Voatz app would generate.
There's no reliable way for a server to tell the difference. "The problem isn't that they haven't implemented an extra handshake," Guido said. "They don't understand the limits of anti-tamper protections on a mobile device."

Image: How Voatz works, according to Voatz. Credit: Voatz

Poor key management

Guido told Ars that one of Voatz's fundamental problems was its unsophisticated techniques for managing secrets and configuring servers. One sign of this was the presence of hard-coded credentials in source code. "We discovered a substantial number of keys and secrets stored inside Git, accessible to anyone inside the company," Guido said.

That's a problem because an attacker could hack or bribe a Voatz employee, then use the employee's access to Voatz source code to steal credentials required to mount an attack on live election systems. That's exactly the kind of attack responsible for a pair of embarrassing data breaches suffered by Uber in 2014 and 2016. Sophisticated companies prevent this by using key-management systems that limit employee access to secrets. They also automate the configuration and deployment of new servers, which limits the ability of individual employees to tamper with live servers.

Voatz claimed that all of the hard-coded credentials spotted in Voatz source code were used for testing or were no longer in use. But Guido disputed that. He said that when the researchers notified Voatz engineers that there was a hard-coded secret in the source code, they initially moved it out of the Git repository and into a MongoDB database—another resource that was widely accessible to Voatz engineers. "They did not address the underlying issue," Guido said.

Another problem: the SSL certificate that secures connections between the Voatz app and Voatz server—which operate at subdomains of nimsim.com—uses a subdomain wildcard and a shared private key. This makes the whole system only as secure as the least secure server.
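The shared-key problem just described, as an added example that is not from the article and not Voatz code: a short Python model of how many servers a single leaked TLS private key lets its holder impersonate, comparing a fleet where every server installs the same wildcard certificate and key against a fleet where each server has its own key and a certificate naming only itself. The `election.example.com` domain, the hostnames and the key identifiers are constructed for the example; the hostname-matching rules are the ones browsers apply to certificate names.

```python
# Added example (not from the article, not Voatz code): how far one leaked TLS
# private key reaches when a fleet shares a wildcard certificate versus when each
# server has its own key. All hostnames and key ids are constructed for this demo.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Cert:
    key_id: str             # identifies the private key behind the certificate
    names: Tuple[str, ...]  # subjectAltName dNSName entries; may contain a wildcard


def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate dNSName against a hostname.

    Follows the rules browsers apply (RFC 6125 section 6.4.3): a wildcard is
    accepted only as the whole leftmost label, stands for exactly one label, and
    needs at least two fixed labels after it (so '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def impersonable_hosts(fleet: Dict[str, Cert], leaked_key_id: str) -> Set[str]:
    """Hosts for which the holder of the leaked key can present a valid cert.

    The attacker holds every certificate issued for that key, so any hostname
    covered by any of those certificates' names can be impersonated.
    """
    leaked_names = {
        name for cert in fleet.values() if cert.key_id == leaked_key_id
        for name in cert.names
    }
    return {
        host for host in fleet
        if any(name_matches(name, host) for name in leaked_names)
    }


def shared_wildcard_fleet(hosts: Iterable[str], domain: str) -> Dict[str, Cert]:
    """Every server installs the same wildcard certificate and private key."""
    cert = Cert(key_id="key-shared-wildcard", names=("*." + domain,))
    return {host: cert for host in hosts}


def per_host_fleet(hosts: Iterable[str]) -> Dict[str, Cert]:
    """Every server gets its own key and a certificate naming only itself."""
    return {host: Cert(key_id="key-" + host, names=(host,)) for host in hosts}


# Constructed fleet: an old pilot server left unpatched sits beside current ones.
HOSTS = (
    "api1.election.example.com",
    "api2.election.example.com",
    "admin.election.example.com",
    "pilot-2018.election.example.com",
)
DOMAIN = "election.example.com"
OLD_SERVER = "pilot-2018.election.example.com"


def compare_blast_radius() -> Tuple[int, int]:
    """Number of impersonable hosts after the old server's key leaks, under
    the shared-wildcard design and under the per-host-key design."""
    shared = shared_wildcard_fleet(HOSTS, DOMAIN)
    separate = per_host_fleet(HOSTS)
    shared_hit = impersonable_hosts(shared, shared[OLD_SERVER].key_id)
    separate_hit = impersonable_hosts(separate, separate[OLD_SERVER].key_id)
    return len(shared_hit), len(separate_hit)


if __name__ == "__main__":
    shared_count, separate_count = compare_blast_radius()
    print(f"shared wildcard key leaked: {shared_count} of {len(HOSTS)} hosts impersonable")
    print(f"per-host key leaked:        {separate_count} of {len(HOSTS)} hosts impersonable")
```

With the shared wildcard key, losing the single old pilot server exposes every hostname under the domain (4 of 4 here); with per-host keys, the same compromise covers only that one host. The matching function also shows why a wildcard is broader than it looks: `*.election.example.com` covers any one-label name an operator adds later, including servers that no longer receive patches.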
If hackers manage to hack into one of Voatz's servers—perhaps an older server that was used for a prior election that doesn't have up-to-date patches—they'll gain access to the private key they need to impersonate any other Voatz server.

Talking to Ars this week, Voatz's Sawhney insisted that there was no problem here. "We don't see that as a viable threat vector," he said. He also argued that fixing the problem would be too difficult. Voatz has dozens of servers and changes their domains and IP addresses every few weeks to make them more difficult for hackers to find and attack. This means Voatz would need to generate more than 100 fresh certificates every month if it wanted to give each server its own private key, he said.

But Guido argued that Sawhney was "over-estimating the difficulty" of generating fresh certificates. Today, there are automated systems to do it. However, those systems work best with automated infrastructure for managing private keys and deploying servers—infrastructure that Trail of Bits found lacking at Voatz.

It's hard to prove online voting is secure

I've only mentioned a fraction of the security issues flagged in the MIT and Trail of Bits reports. In total, Trail of Bits found 48 vulnerabilities, including 16 of high severity. Voatz disputes those findings, arguing that a majority of the supposed vulnerabilities were based on misunderstandings.

I could go on for several more sections detailing the researchers' criticisms and Voatz's responses, but it's probably more helpful to step back and think about the big picture.

Despite being a professional technology reporter with a master's degree in computer science, I sometimes found the back-and-forth between Voatz and the security researchers difficult to follow. For an ordinary voter without a technology background, this kind of debate may be impenetrable. And that points to a fundamental downside to the concept of voting online.
A voting system doesn't just need to be secure—it needs to be provably secure. And the proof of its security needs to be understandable by ordinary voters.

A conventional voting system with paper ballots is remarkably good on this score. Ordinary voters have an intuitive understanding of the security properties of paper ballots and ballot boxes. Voters can see their ballots go into the ballot box. Anyone can observe an election and verify that nobody is opening the ballot box and tampering with its contents. Recounts can be monitored by representatives of rival candidates to make sure no funny business occurs.

Verifying the security of an online voting system is vastly more difficult. Partly that's because the system has many more moving parts. Voatz's system makes use of smartphones and mobile operating systems, servers and server software, cellular towers, encryption algorithms, a blockchain, and so forth. Most voters have only a vague idea of how some of these technologies work. Most citizens are not remotely qualified to judge whether that system is secure or not.

Image: A voting machine is submitted to abuse in DEFCON's Voting Village at the 2016 conference. Credit: Sean Gallagher

Online vote-hacking scales

Online voting advocates emphasize that no system is perfect. They acknowledge that online voting has risks, but they argue that traditional voting methods have risks of their own. Paper ballots sometimes get lost or damaged. Corrupt officials occasionally tamper with people's votes.

But there are reasons to think that online voting is inherently more vulnerable. One reason is the complexity of online voting systems. Hackers can attack an election by finding vulnerabilities in voters' smartphones, in server software, or in networking infrastructure. They can hack or bribe employees at the voting software vendor. They can use social engineering to steal a voter's credentials or impersonate a voter to election officials.
Online election hacking also scales in a way that tampering with an offline election doesn't. Someone can hack an online election from anywhere in the world. A hacker who finds a vulnerability in a voting software package can exploit that same weakness in every jurisdiction that uses the software.

In contrast, tampering with the results of a conventional paper-based election is massively labor-intensive. An attacker needs to physically visit the locations where ballots are collected, stored, or counted. If someone wants to modify the result of 100 precincts, they may need to recruit 99 confederates to pull off an attack.

This is a particularly significant difference if you're worried about attacks by foreign governments. It's trivial for the Russian government to hire 100 hackers to attack American election infrastructure from a comfortable office building in Moscow. If software like Voatz were widely used in an American election, Russian hackers might be able to modify thousands or even millions of votes without setting foot on American soil.

But to compromise a paper-based election on a similar scale, a foreign government would need to sneak dozens of agents into the country—or recruit dozens of Americans to betray their country. There would be a high risk that a conspirator would tip off the feds and the spies would get arrested.

So it's true that paper ballots aren't foolproof—no election system is. But a hacker can't modify thousands of paper ballots with a few keystrokes, and they can't modify a paper ballot from Moscow or Beijing. Online voting opens our election system up to new classes of threats that simply don't exist in the offline world.

Why testing doesn't help

While reporting this story, I found that academic computer security researchers were overwhelmingly skeptical of online voting in general and Voatz in particular.
So in the interest of fairness, I asked Voatz if they could put me in touch with experts who had more positive things to say about Voatz's technology.

One person they introduced me to was Eric Haseltine, a technologist who served in senior roles in the US intelligence community, including Associate Director for Science and Technology at the Office of the Director of National Intelligence. He also worked as a cybersecurity analyst focused on Russia. An official Voatz advisor, Haseltine says he hasn't been paid in cash for his work but does hold equity in the company.

"I haven't been that intimately familiar with what they're doing," Haseltine told Ars. "I'm looking at this conceptually."

Haseltine argued the key thing Voatz is doing is constantly testing its own system and inviting outsiders to test it. That's what Voatz did when it gave Trail of Bits access to its system and invited the firm to conduct an in-depth security audit.

The Trail of Bits researchers raised questions about whether Voatz is ready to be used in real elections. But the hope is that over time, as the company performs more pilot projects and undergoes more security audits, it will stamp out more and more bugs and eventually achieve a high level of security.

But it's important to consider the resources available to a potential hacker. A few weeks of analysis by a firm like Trail of Bits will reveal certain types of vulnerabilities. But there are almost certainly others that only a deep-pocketed attacker—like a foreign government—will be capable of exploiting. In digital security, the constant difficulty lies in trying to defend against threats researchers may not even be aware of yet.

For example, MIT's Michael Specter notes that there is an underground market for exploits to smartphones. For around $500,000, he says, you can buy a "zero-day" exploit that enables a smartphone app to gain root access. That's too expensive for academic researchers or security consultants.
But it would be chump change for a foreign government hoping to subvert an American election.

For this reason, Ben Adida says, pilot programs like the use of Voatz in West Virginia in 2018 simply aren't helpful to determining whether software is secure. It's possible that no one hacked the software because it's impervious to hacking. But it's also possible that the 144 votes at stake just weren't significant enough for anyone to bother.

Source: Why experts are overwhelmingly skeptical of online voting
This topic is now archived and is closed to further replies.