
Detailed audit of Voatz' voting app confirms security flaws - rbanffy
https://www.govtech.com/biz/Detailed-Audit-of-Voatz-Voting-App-Confirms-Security-Flaws.html
======
mspecter
Oh, hi.

I'm Mike Specter, lead author on the MIT report [1], and have been involved in
other voting-related research projects [2,3].

LMK if you all have any questions!

1\. [https://internetpolicy.mit.edu/wp-content/uploads/2020/02/Se...](https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf)

2\. [http://people.csail.mit.edu/rivest/pubs/PSNR20.pdf](http://people.csail.mit.edu/rivest/pubs/PSNR20.pdf)

3\. [https://www.belfercenter.org/sites/default/files/files/publi...](https://www.belfercenter.org/sites/default/files/files/publication/StateLocalPlaybook%201.1.pdf)

~~~
micimize
I understand that current solutions to electronic voting are unsatisfactory,
but I am fairly baffled by:

> It remains unclear if any electronic-only mobile or Internet voting system
> can practically overcome the stringent security requirements on election
> systems

Like, we can adequately secure banking software. With proper considerations
and processes for the problem domain (i.e. user follow up / validation, alerts
on suspicious vote changes) I don't see why securely implementing electronic
voting is considered near-impossible, and has so few advocates.

~~~
mspecter
To put this in short-hand: "We bank online, we buy all sorts of stuff online,
why not vote?"

The biggest reason is that banking and other financial transactions have a
very different threat model from voting.

In particular, voting requires a _secret ballot_. In addition to preventing an
adversary from learning how you voted, a secret ballot requires you to be
unable to prove how you voted, to prevent vote selling and coercion.

So, unlike financial transactions, how you do validation / remediation of
failures is very unclear. Ben Adida has a blog post with further thoughts here
([https://benlog.com/2007/03/02/on-voting-banking-and-bad-anal...](https://benlog.com/2007/03/02/on-voting-banking-and-bad-analogies/)).

~~~
micimize
Hmm, I hadn't fully grokked the facet of the problem domain. I guess you could
give users a spoofing mode, that allowed them to fake any ballot / action. Or
possibly, if there was a window of time in which they could change their
ballot freely.

Maybe making such features both secure and accessible would be nearly
impossible though.

------
aazaa
The biggest problem with Voatz is that it's selling silicon snake oil to
people who can't evaluate claims.

It starts with the premise that somehow Blockchain does something magical,
that it enables special security.

Claims like this are a load of crap.

What Bitcoin did, and what hucksters like Voatz are trying to cash in on, was
to make it provably difficult to write a public record. In doing so, Bitcoin
created provable digital scarcity (subject to certain well-known assumptions)
for the first time in human history.

Voatz picks out the cryptographic part as if it were somehow separable from
the proof of work part. The two are not separable. Voatz, and the fools who
are using it, have much bigger problems than "improper use of cryptographic
algorithms."

~~~
fastball
I mean, the crypto part that isn't PoW is mostly just PKC, which actually does
make sense for voting.

------
aneutron
So I'm halfway through the report, it's a very beautiful document, great work
from the team that wrote it, and if I understood correctly, a VOTING application:

\- Uses ad-hoc cryptography as the main cryptography

\- Does not use the recommended security facilities on the target platforms
(iOS and Android)

\- Is deployed manually, with hardcoded secrets (AWS account with name "admin"
had its credentials hardcoded in a scala file named "AmazonOtpUtility.scala")

\- Has provable de-anonymizability as a property (all that is needed is
apparently access to the databases, and might I remind you of the recent
Twitter / UAE / Saudi Arabia story)

\- (And this is the biggest, most annoying thing) Is not end-to-end
verifiable.

\- The actual threat model is almost childish, as shown by the testing team.

I do apologize for the wording in the following paragraphs, but this is a
fucking dumpster fire of a project for a voting platform.

Who the fuck authorized this to go forward as a voting platform for any state
in the United States? Who the fuck is selling this as a "secure" platform?
Can they sleep well at night? When will the government intervene and stop
people from compromising democracy with stunts like these?

~~~
baobabKoodaa
The people who authorized this are probably clueless. The people who created
this dumpster fire are clueless _and_ evil.

------
tprynn
Copying comment from previous thread:

Systemic issues:

* Creds scattered throughout source code, including DB / AWS creds, "fixed" by removing but still present in git history

* Numerous crypto vulns: nonces / AES-ECB

* What's even the point of blockchain, it just makes everything worse

Selected quotes:

"Trail of Bits was only provided a backend for live testing on the
second-to-last scheduled day of the assessment"

"The system is unusually complex, with an order-of-magnitude more custom code
than similar mobile voting systems we have assessed."

"Voatz's voting processes are error prone and manual, relying on manual
verification of voter identity and long-term storage of this identity on
Voatz's premises"

"E2E-V systems allow voters to cast encrypted ballots such that ballot counts
are verifiable to anyone, but individual voters’ preferences are not revealed.
... Voatz is not E2E-V."

"Storing voting data on a blockchain maintains an auditable record to prevent
fraud, but this comes at the expense of both privacy and increased attack
surface. Clients do not connect directly to the blockchain themselves, and are
therefore unable to independently verify that their votes were properly
recorded. Anyone with administrative access to the Voatz backend servers will
have enough information to fully reconstruct the entire election, deanonymize
votes, deny votes, alter votes, and invalidate audit trails."

------
baobabKoodaa
I briefly commented on Voatz in my thesis[1] last year:

_Voatz is another blockchain-related voting project. They claim to have been
involved in a real world mobile voting experiment in West Virginia with real
votes cast through their mobile application. However, their source code and
voting protocol are not available for review.

Voatz is a great example of how commercial vendors can fill the letter of the
law without filling the spirit: what they refer to as a "paper audit trail" is
literally a physical print of their digital records. If the digital records
are corrupted before printing, the paper records will be likewise corrupted.

Based on the descriptions on the FAQ page, Voatz servers are all running the
same software, and the voter needs their vote to be recorded on all of them in
order to receive confirmation that their vote has been recorded. This seems
like the worst of both worlds: a single misbehaving authority can prevent the
election from proceeding, and at the same time, the "verifiable blockchain"
benefits are undermined by running the same closed-source unverifiable
software on all of the servers and the same closed-source unverifiable
software on all of the clients. The replication of servers provides security
benefits only against physical tampering of the machines – since the same
software is running on all of them, an accidental or intentional flaw in the
software can be exploited to manipulate votes on all servers simultaneously._

1\. [https://www.attejuvonen.fi/thesis/](https://www.attejuvonen.fi/thesis/)

------
save_ferris
> The summary goes on to list several technical flaws, such as a lack of test
> coverage and documentation, infrastructure provisioned manually without the
> aid of infrastructure-as-code tools, vestigial features that have yet to be
> deleted, and nonstandard cryptographic protocols.

I’m not a security engineer, so what’s the benefit of using a nonstandard
cryptographic protocol? That decision makes no sense to me.

~~~
spatley
The only reason to use nonstandard crypto is that you think you are smarter
than the entire crypto industry. ProTip: you are never smarter than the entire
crypto industry.

~~~
kache_
You forgot the other reason: backdoors

------
darawk
Should we change the link to point directly to ToB's blog post?

[https://blog.trailofbits.com/2020/03/13/our-full-report-on-t...](https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/)

It seems a lot more information rich.

------
orthecreedence
> The clients do not interact with the blockchain directly, so there is no
> blockchain verification code in the client.

Fun. So, why even use a blockchain? Why not at least have light-clients with
merkle verification? Does Fabric not have support for light clients (I haven't
looked at it in a while)?
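
The "light client with Merkle verification" asked about here, and the finding quoted earlier in the thread that clients "are therefore unable to independently verify that their votes were properly recorded", both come down to the same primitive: the server publishes one root hash, and each voter checks that their own leaf hashes up to it without trusting the server's database. The code below is an added illustration written for this thread, not Voatz's client, not Hyperledger Fabric's API, and not anything from the Trail of Bits or MIT reports. The leaf format (a hash of ballot plus a voter-held random nonce), the leaf/node prefixes, and the odd-node handling are assumptions made for the example.

```python
import hashlib
import secrets
from typing import List, Tuple

Proof = List[Tuple[bytes, str]]  # (sibling hash, side the sibling sits on: "L" or "R")


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def ballot_commitment(ballot: bytes, nonce: bytes) -> bytes:
    """Hiding commitment to a ballot: the published value reveals nothing about
    the choice unless the voter's random nonce is disclosed."""
    return _sha256(b"ballot" + nonce + ballot)


def leaf_hash(commitment: bytes) -> bytes:
    # Leaves and interior nodes get distinct prefixes so an interior node
    # cannot be passed off as a leaf (or vice versa) in a proof.
    return _sha256(b"\x00" + commitment)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_levels(commitments: List[bytes]) -> List[List[bytes]]:
    """All tree levels, from leaf hashes (level 0) up to the single root."""
    if not commitments:
        raise ValueError("empty tree")
    level = [leaf_hash(c) for c in commitments]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is carried up unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(commitments: List[bytes]) -> bytes:
    """The one value the server must publish for everyone to check against."""
    return build_levels(commitments)[-1][0]


def inclusion_proof(commitments: List[bytes], index: int) -> Proof:
    """Sibling hashes a client needs to recompute the root from leaf `index`."""
    proof: Proof = []
    for level in build_levels(commitments)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof


def verify_inclusion(root: bytes, commitment: bytes, proof: Proof) -> bool:
    """Client-side check: does this commitment hash up to the published root?"""
    h = leaf_hash(commitment)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


def demo() -> Tuple[bool, bool]:
    """Constructed run: five voters, each with a ballot and a fresh nonce."""
    ballots = [b"candidate-A", b"candidate-B", b"candidate-A", b"candidate-C", b"candidate-B"]
    nonces = [secrets.token_bytes(16) for _ in ballots]
    commitments = [ballot_commitment(b, n) for b, n in zip(ballots, nonces)]
    root = merkle_root(commitments)              # what the server publishes
    voter = 3
    proof = inclusion_proof(commitments, voter)  # what the server hands that voter
    ok = verify_inclusion(root, commitments[voter], proof)
    # A server that silently swapped the voter's ballot cannot make the same
    # proof verify against the commitment the voter actually made.
    swapped = ballot_commitment(b"candidate-A", nonces[voter])
    tampered_ok = verify_inclusion(root, swapped, proof)
    return ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats worth keeping in view. First, this only gives the voter "my commitment is in the published set"; it says nothing about whether the set was tallied correctly, which is the rest of what an E2E-V system has to provide. Second, because the voter holds the nonce that opens the commitment, they can prove to a third party how they voted, which is exactly the coercion and vote-selling tension mspecter raised earlier in the thread; verifiability and receipt-freeness pull in opposite directions, and a Merkle proof alone does not resolve that.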

~~~
JshWright
"Why even use a blockchain" is the first question that should be asked of any
company that advertises they use one. Most of the time it's also the last
question you'll need to ask...

------
egypturnash
Every time this company comes up, some part of me just shudders in horror at
the thought of outsourcing the crucial act of voting to a company called
_Voatz_.

Y'all want the entire nation to put their trust in you, and yet you have named
yourselves with a "cute" misspelling of one of the things you are involved in?
Really?

------
zyxzevn
I wish it could be safe, but real electronic voting fraud may be far more
common in practice:

[https://www.youtube.com/watch?v=zsNXnAv131g](https://www.youtube.com/watch?v=zsNXnAv131g)
Computer programmer testifies that Tom Feeney (Speaker of the House of Florida
at the time, currently US Representative representing MY district) tried to
pay him to rig election vote counts.

Usually they can be detected when exit polls differ from the voting results.
But that seems common nowadays. So that is why I think that voting fraud may
be common.

But back to the whistleblower... How many have accepted the money? And how many
of them are able to do some underhand programming? Sometimes just to leave
small security holes.

I don't think that MIT can detect them that easily. For a long time we did not
even know the NSA encryption was compromised by NSA themselves.

------
imgabe
As a first impression, simply the name "Voatz" does not inspire a lot of
confidence.

------
cies
Have my vote printed to a roll of paper, like a cashier's counter roll. Make
sure that it shows through an opening in the case, so I can verify, and then
rolls further (beyond the opening) so I cannot see it anymore. This is a way
to store the votes "write only". The rolls are both human readable and machine
readable (OCR is nothing new).

The only problem with this compared to voting forms is that forms fall into the
bin unordered, so it is harder to link a vote to a person.

Just an idea.

I would not trust ANY system that stores my vote on a re-writable storage
medium. I know there are some crypto/blockchain tricks that may help, but
that's so hard to audit for lay people that I prefer the paper roll any day.

~~~
henrikschroder
> The only problem with this compared to voting forms is that forms fall into
> the bin unordered, so it is harder to link a vote to a person.

Uh, that's a _good_ thing, you don't want to be able to link a vote to a
person at all!

~~~
lippel82
That's why he said it was a problem.

~~~
henrikschroder
Ah, I misunderstood what he was saying! I read it the other way around.
Thanks!

------
r00fus
Can someone confirm to me why we need voting "apps" or why voting needs to be
electronic at all?

Vote in person by pen & paper or vote via mail remotely. Tabulation also
should be done locally and in-person with representatives of all parties
present.

Anything else seems ... like a way to more easily steal elections.

~~~
NikolaeVarius
> The promises of mobile voting are attractive—better accessibility for
> differently abled people, streamlined absentee voting, and speed and
> convenience for all voters. If a mobile platform could guarantee secure
> voting, it would revolutionize the process. It’s a fantastic goal—but there’s
> still work to do.

~~~
henrikschroder
> If a mobile platform could guarantee secure voting

First, that's a mighty big if, and second, it's not enough!

Voting is a process where unlike online banking or online shopping there is no
way for a human to go in and fix errors, there's no way to audit a vote and go
"Oh, Bob meant to vote for A and Cindy meant to vote for B, so the machine did
it wrong". It's not enough that an electronic voting system is correct, every
single voter has to be able to trust the system, and for that it needs to be
simple to understand.

You can't look at the electrons inside a silicon chip to determine they're
doing the right thing. But with pen and paper and envelopes and urns and
observers and counters, you _can_ determine that the system is doing the right
thing. Involving lots and lots of citizens in the voting system is not a bad
thing, quite the opposite! You _want_ as many eyes as possible on the entire
process to ensure there's nothing shady going on, that there's no mistakes.

But if all the votes go into a black box that spits out the results, all of
that goes away, all of that trust, all of that ability to verify that the
results are correct.

~~~
baobabKoodaa
Well, they use a lot of pen & paper in Russia, but somehow Putin can get 107%
of votes in some areas. So perhaps your confidence in paper voting is a bit
too high.

~~~
henrikschroder
Yes, if election workers are corrupt, your election results will be corrupted
as well. No voting system can defend against it. That's what revolutions are
for.

~~~
baobabKoodaa
So you no longer stand by your original statement where you said "But with pen
and paper and envelopes and urns and observers and counters, you can determine
that the system is doing the right thing"?

Somehow you have gone from one extreme (implying that a traditional paper
voting system is always trustworthy) to another extreme (saying that all
voting systems can be corrupted), which, by the way, is not true either. For
example, the results of a voting system where all votes are public, can not be
manipulated. This tiny example shows that clearly some voting systems can
defend against corruption.

------
roywiggins
My personal audit went like this: "It's called Voatz, with a _Z_."

~~~
mandelbrotwurst
It's got what plants crave!

------
gok
Electronic voting is difficult because it's politically undesirable to many
people who benefit from dead tree voting, not for any technical reason. So
yeah, of course people claiming to solve a political problem with technical
buzzwords are almost certainly selling snake oil.

~~~
charonn0
> it's politically undesirable to many people who benefit from dead tree
> voting

Who supposedly benefits?

