Hackers Could Change Your Vote on the Voatz Voting App

As the 2020 elections approach, many vulnerabilities have been discovered that hackers can abuse to control voting. This is not the first time that election votes have been found to be vulnerable to hacking: Russian hackers had accessed voter databases in two Florida counties before the 2016 election. Now, flaws in a mobile voting app that some states plan to use for the 2020 election could allow someone's vote to be cancelled or altered. Worse, the flaws may also expose voters' private information.

Voatz is a blockchain app that was used in the 2018 mid-term elections for absentee-ballot voting. West Virginia was the first state to use Voatz, which is developed by a Boston-based company, marking the inaugural use of internet voting in a high-stakes federal election. The app was used to collect votes from military service personnel stationed overseas. Last year, some counties in Utah and Colorado also used the app for municipal elections. Mason County in Washington state has already pulled its plans to use Voatz in November. According to the company, a number of security features protect the app from malicious use. These include:

  • Immutability via its use of a permissioned blockchain
  • End-to-end voting encryption
  • Voter anonymity
  • Device compromise detection
  • Voter-verified audit trail

Nevertheless, researchers from MIT found flaws in the app that hackers can abuse to control users' devices. According to the paper by the MIT researchers, "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections": “We find that an attacker with root privileges on the device can disable all of Voatz’s host-based protections, and therefore stealthily control the user’s vote, expose her private ballot, and exfiltrate the user’s PIN and other data used to authenticate the server.”

