A smartphone voting system made by a Boston company has security vulnerabilities and should not be used in the upcoming presidential election, computer scientists at the Massachusetts Institute of Technology said Thursday.
The system, called Voatz, lets citizens cast their votes remotely by smartphone from anywhere in the world, rather than at a polling station or by mail.
Voatz has already been used in federal and local elections in West Virginia, Utah, Oregon, and Colorado. For instance, West Virginia used it in 2018 to enable absentee voting by people outside the United States, including military personnel.
But the MIT report, written by MIT doctoral candidates Michael Specter and James Koppel, and research scientist Daniel Weitzner, claims "Voatz is vulnerable to a number of attacks that could violate election integrity.” For example, researchers said they were able to change their votes on Voatz even after they had been submitted. The researchers also said they found that a hacking attack on the app could intercept votes, and possibly alter them, before they had been encrypted for secure transmission.
The MIT report comes just a week after the fiasco of the Democratic presidential caucuses in Iowa, caused by the malfunction of a different smartphone app intended to record and report the votes. It took three days to count all the votes, and the Associated Press, which usually declares the winner of the caucuses, has refused to do so, for fear the count may still not be accurate. The Voatz system was not used in Iowa.
Voatz harshly rebuffed the scientists’ claims, saying in a statement that the researchers tested an obsolete version of the smartphone app that wasn’t even connected to the company’s own servers, rendering the hacking simulation invalid.
Chief executive Nimit Sawhney said that when he learned about the MIT research, “one of the first things we said was, ‘why don’t you prove all these claims on a real system?’ They did not respond to that at all.”
Voatz charged “the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
The company’s senior vice president Larry Moore said Voatz would have worked closely with the MIT researchers if asked. “They could have contacted us," he said during a Thursday afternoon conference call with journalists.
Specter acknowledged his team kept Voatz at arm’s length because of concern that the company might overreact. Last year, when researchers at the University of Michigan tried to hack Voatz software as part of a research project, the company notified officials in West Virginia, who called in the FBI. “It made us kind of nervous,” he said.
Specter said he and his colleagues would welcome the chance to examine the Voatz software. Indeed, Specter argued that any software used to manage elections ought to be made publicly available so any computer scientist could thoroughly test it.
The Voatz app has already been used in federal and local elections in West Virginia, Utah, Oregon, and Colorado. The company declined to provide a full list of communities that use the system. Moore said that at least one community, Mason County, Wash., has decided against using Voatz because of concerns raised by the MIT report.