MIT test of "Secure" Voting App finds multiple vulnerabilities.

The touch screen "unauditable" voting machines are very bad as far as security goes. We all know that, I hope! What about Internet voting? Any closed source "voting app" has a strong possibility of being even worse. MIT found multiple security vulnerabilities in "Voatz" which was recently used in Virginia.

Article by way of Bruce Schneier and his excellent blog.

[2020.02.17] This paper describes the flaws in the Voatz Internet voting app: "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections."

> Abstract: In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called "Voatz." Although there is no public formal description of Voatz's security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user's device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a clean-room reimplementation of Voatz's server and present an analysis of the election process as visible from the app itself.
> We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user's secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.

News articles.

The company's response is a perfect illustration of why non-computer non-security companies have no idea what they're doing, and should not be trusted with any form of security.

EDITED TO ADD (3/11): The researchers respond to Voatz's response.