The push for online voting has been happening for years, but now that a major pandemic has hit the US, there is more incentive than ever for states and counties to try out online and mobile voting services. This summer, Delaware and West Virginia will allow online voting in their primaries, and New Jersey is also testing it in a municipal election. The Utah GOP recently used mobile voting in a virtual state convention. Other states and counties are likely to follow.
These solutions are far from perfect; to call them "experimental" is putting it nicely. Most of the current providers are new companies with relatively small development teams. Multiple researchers like MIT and Trail of Bits have found vulnerabilities in the voting app created by Voatz. It's also concerning that the app developer appears to be antagonistic to the security community about such vulnerability research. And let's not forget what happened to Shadow Inc.'s IowaReporterApp during the Iowa Democratic presidential caucus this past February.
The inherent vulnerability of app-based voting is a serious cause for concern, but governments and political parties are likely to pursue them anyway. So, let's take a closer look at where the problems are.
What Attacks Are Most Likely?
Mobile voting apps could face a variety of attacks, but some of the most likely scenarios are credential brute-forcing, injection, man-in-the-middle, and distributed denial-of-service attacks. Weak user credentials are a common problem, and we can expect attackers to target this in a mobile voting app. Password spraying, credential stuffing, and dictionary attacks are all likely. In a 2018 security report, Voatz was cited for allowing voters to use PINs to secure their accounts.
Injection attacks such as SQLi are particularly worrisome because the integrity of data may be at risk. Under the right circumstances, it could be difficult to track this type of data manipulation to increase, change, or delete votes. Russia used this attack in the 2016 election, and we can expect more attacks in future elections.
Man-in-the-middle (MitM) attacks could attempt to steal credentials and data or alter information. These can exploit client-side vulnerabilities, insufficient server-side security, or weaknesses in an API itself. A study last year found that 8% of the top mobile apps are vulnerable to MitM attacks, and another 45% use weak encryption.
A Security Checklist
In order for a voting app to be considered secure, it will have to check off a number of critical security boxes:
Remote voting faces a number of fundamental challenges. The most obvious of these is usability. No matter how simple the app interface is, voters will still get confused and make mistakes. How do you troubleshoot this on Election Day? What if people aren't able to vote because of it? The app's ease of use is further complicated by the need for robust cybersecurity. Even basic security measures such as user authentication, password requirements, password recovery, MFA, and so on, will be difficult to properly implement because of how they will affect the user experience.
Data integrity is another problem. Digital voting creates many points of failure along the way, from technical errors in processing and storage to malicious insiders and outsider attacks, all of which must be accounted for. The stakes are high, as there is no paper record to audit the votes.
Lastly, nonrepudiation is a risk. What if a voter claims the voting app made a mistake? Or someone else (spouse, friend) voted for them? Or that they accidentally submitted the wrong candidate? Voting apps will have to be able to prove the person voted the way the vote was received, beyond any shadow of a doubt. The apps will also require rigorous security testing and analysis, and a defense-in-depth approach. However, even with strong security measures in place, these apps could still be vulnerable to abuse, particularly from state-sponsored actors and malicious insiders.