A week after several vulnerabilities were revealed in the Voatz mobile voting app, the vendor has continued to attack the researchers from the Massachusetts Institute of Technology who discovered the flaws.
Last week, MIT researchers published a paper detailing significant vulnerabilities and weaknesses in Voatz's e-voting platform that could allow threat actors to obtain private voter data as well as prevent or change users' votes through the app. The research also contested claims from that vendor that its mobile app used blockchain technology to provide secure voting and criticized Voatz's lack of transparency.
While Voatz acknowledged the vulnerabilities -- but disputed the severity -- Voatz executives slammed the MIT researchers over other aspects of their research, including the researchers' decision to remain anonymous prior to the disclosure and their decision to use a reverse-engineered version of the mobile app instead of using a legitimate, up-to-date version offered through the vendor's bug bounty program on HackerOne.
But one of the biggest points of contention between the two parties is over Voatz's security claims, particularly its use of blockchain technology to protect the integrity of votes. The dispute largely boils down to a simple question: Does the Voatz mobile app actually use blockchain as the company appears to claim?
This article is part of
In a conference call with media members last Thursday, several Voatz executives responded to questions from reporters about the MIT research. The executives, including CEO and co-founder Nimit Sawhney, defended the company and blasted the researchers for their conduct during the research and disclosure process.
Sawhney also slammed the "completely inaccurate" claim that the Voatz mobile app did not feature any blockchain technology. Sawhney said the company uses the Hyperledger blockchain framework "to facilitate the forced post-election audit."
However, in its technical paper, the research team wrote "we found no reference to the blockchain within the app itself" and that votes generated from the app are not directly submitted to a blockchain system on the backend. In an FAQ posted last Friday, the MIT researchers reiterated their findings.
SearchSecurity contacted Sawhney for further clarification on two questions: does the Voatz mobile app contain the Hyperledger blockchain framework? And if not, then where is the Hyperledger framework applied?
Voatz responded with an email statement attributed to Sawhney, which linked to one of the company's recent post-election audits. "The mobile app can't function in isolation and does communicate with the Hyperledger-based blockchain network via the core relay servers," the statement read. "Each oval marked by the voter is recorded anonymously on the blockchain in a tamper resistant manner. The blockchain data is used for post-election audits."
To the latter question, Sawhney offered a link to this blog, and an infographic for how the entire platform "currently works."
SearchSecurity requested further clarification since the comments and documentation provided showed the blockchain framework wasn't applied until after the votes reached the validation servers.
In a follow-up statement, Sawhney wrote "We are refuting that claim because the mobile app does communicate with the blockchain network via the core relay servers that provide it with (1) the relay service and (2) the intelligence in terms of nearest node information, etc. This is a single channel communication and happens to a pass through [an] API mechanism and so claiming that the mobile application is not interacting with the blockchain network is incorrect."
In addition to disputing the MIT researchers' blockchain critiques, Sawhney took issue with the researchers' refusal to use the HackerOne bug bounty program and test the Voatz's actual apps and servers rather than using a "flawed" approach.
"Anybody who wishes to sign up, test that app over there, against the real server with full functionality, is able to do that," he said during the call. "They willfully chose not to do it. So absolutely, one of the first things we offered in our responses [was], 'Why don't you prove all these claims on a real system, and then we can investigate further.' But they did not respond to that at all."
Voatz senior vice president Larry Moore also criticized the researchers for hiding their identities and affiliation with MIT until after disclosure, which created "not a very collaborative environment," especially since the researchers were located just two miles away from Voatz's headquarters in Brookline, Mass. He also accused the researchers of using "media attention to, in a pretty aggressive way, to really try to stop this process in these [Voatz] pilots."
Shortly after the publication of SearchSecurity's initial story, a member of the research team, computer science PhD student Michael Specter, replied to SearchSecurity's questions: why the research team chose to remain anonymous and bypass the bug bounty program; and how the tested field version of the app was different from the one in the HackerOne bug bounty.
"Yes, we remained anonymous during the responsible disclosure process to protect ourselves and our research. Prior reported-on experiences with Voatz and security researchers made us worry about approaching them directly. So, instead, we coordinated our disclosure through DHS," Specter said.
Specter was referencing when the FBI launched an investigation against University of Michigan students who analyzed the Voatz app as part of their research during the 2018 midterm elections in West Virginia. Voatz accused the students of hacking the app, while the university said that the students were conducting dynamic analysis. Ultimately, the Department of Justice announced that no intrusion took place and charges were never filed against the students.
"We reported to DHS's Cybersecurity and Infrastructure Security Agency, which handled the disclosure process expeditiously and with a high degree of professionalism by alerting both the vendor and the affected states, while also protecting us and our research," Specter said.
Why didn't they use the official bug bounty program as Voatz recommended?
"There are many reasons why we chose not to use the bug bounty. Most crucially, vulnerabilities we discovered were considered either "low severity" or out of scope by the bug bounty. To quote the HackerOne page, 'Attacks requiring MITM [Man In The Middle] or physical access to a user's device' are completely out of scope. One of the most impactful vulnerabilities we found demonstrated that a MITM attack -- that is, assuming an attacker that can see the user's network traffic -- would allow a passive observer to determine the candidate for which a user voted. We do not agree that any of the attack vectors we discussed deserve to be out of scope, and a real-life attacker wouldn't either."
Specter also said the researchers did try to use the version of the app covered by the bug bounty program, but those efforts failed. "It is also the case that, when we started our research, the bug bounty version of the app did not function correctly. We attempted to use the bug bounty app on a supported, un-jailbroken, clean install of Android device, and it would fail to connect," he said. "We believe that this wasn't due to any security property of the system; we think it is far more likely that their backend was down. Further, Voatz provided no further resources, such as a binary or source of the server, or a way to control or modify the server, via the program to enable us to set up our own target to better understand their system."
Specter continued: "All of the apps were significantly obfuscated, and we had no way of knowing what differences existed between the non-live version and the deployed app. Analyzing a version of the app that was modified in ways we couldn't have known prior introduced threats to the validity of our work that we couldn't control."