The Voatz voting application has significant vulnerabilities, according to a document published Thursday by MIT computer researchers. The researchers found that defects in the design of the application could allow sophisticated hackers to learn voter identities or IP addresses, access votes and, in some cases, change them.
The application, used primarily by military and foreign voters, is the only voting application on the market, according to The New York Times, which reported the investigation Thursday morning. The weaknesses addressed in the MIT document were in the application installed on the voters' phones.
"The exploitation would be within the capacity of a nation-state actor," the researchers, Michael A. Specter, James Koppel and Daniel Weitzner, wrote in their article. Voatz denies the findings.
The investigation takes place amid calls from electoral security experts to use paper ballots in all elections. The Voatz application has been used to help foreign and military voters vote in the state of West Virginia, as well as in locations such as Denver, Colorado and Utah County, Utah. In previous elections, foreign voters had toto a secret ballot, and then print a paper version of their ballot, scan it and email it to election officials.
In a long response, Voatz said the researchers' information was incomplete. They used an earlier version of the application software, Voatz said, and could not see the backend protections that would prevent the successful exploitation of the voting process. The company also criticized the investigators' methods, saying they did not inform Voatz of the investigation until it was made public.
"In summary, making claims about a backend server without any evidence or connection to the server denies any credibility on behalf of the investigators," said Voatz. The company accused the investigators of trying to provoke doubts and uncertainty in the security of the elections.
As ZDNet notes, Voatz previously reported to the FBI activity on its back-end systems that originated from a student researcher at the University of Michigan. But the company says it works with security experts who have access to more of its code and provide valuable comments.
"Voatz has worked for almost five years to develop a resilient ballot system, a system created to respond to unforeseen threats and distribute updates around the world on short notice," the company said.
The defects found in the investigation were in the network protocol, which transmits information to and from the application, as well as the blockchain technology that protects the votes. It was also possible that an attacker with root access to a voter's phone could see and potentially change the votes, even after they were sent, the investigators found.