Security risks in the blockchain-based US election app from Voatz, a Massachusetts-based company, have recently been unearthed, and the company is drawing heat from all sides.
Voatz has been promoting a blockchain mobile voting app that an investigation found to have many security loopholes, drawing a lot of public criticism; the loopholes concerning data security are particularly serious.
Controlling these security issues is all the more important as election week is near in the US. The audit report on the US election app's security consists of a 122-page security review plus an additional 78 pages highlighting threat-modeling considerations.
US election app security risks: Voatz doesn’t need blockchain?
The blockchain Voatz uses doesn't extend to the mobile client, which in turn creates US election app security risks.
The attraction of a blockchain app is that it doesn't require voters to trust anybody, as it is a decentralized system; however, Voatz doesn't extend this to the public. Voatz uses a Hyperledger blockchain as an audit log. This isn't a cutting-edge use of blockchain technology, as the same thing can easily be done by a database with an audit log.
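The point above, that a database with an audit log can provide the same tamper evidence, shown as an added example (not Voatz's or Trail of Bits' code): a hash-chained log kept in SQLite. The table layout, function names and sample records are assumptions constructed for illustration.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # constructed starting value for the chain

def open_log():
    """Create an in-memory SQLite table acting as the audit log."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit (seq INTEGER PRIMARY KEY, payload TEXT NOT NULL,"
               " prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL)")
    return db

def entry_hash(seq, payload, prev_hash):
    """Hash the entry together with its predecessor's hash."""
    material = json.dumps([seq, payload, prev_hash]).encode()
    return hashlib.sha256(material).hexdigest()

def append(db, record):
    """Append a record, chaining it to the current head of the log."""
    row = db.execute("SELECT seq, entry_hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    payload = json.dumps(record, sort_keys=True)
    digest = entry_hash(seq, payload, prev)
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)", (seq, payload, prev, digest))
    return digest  # the head hash; publishing it lets outsiders detect rewrites

def verify(db, expected_head=None):
    """Return the seq of the first bad entry, or None if the chain is intact."""
    prev, expected_seq = GENESIS, 1
    for seq, payload, prev_hash, digest in db.execute("SELECT * FROM audit ORDER BY seq"):
        if seq != expected_seq or prev_hash != prev or entry_hash(seq, payload, prev) != digest:
            return seq
        prev, expected_seq = digest, seq + 1
    if expected_head is not None and prev != expected_head:
        return expected_seq  # the tail was truncated or rewritten
    return None

if __name__ == "__main__":
    db = open_log()
    for i in range(1, 4):  # constructed sample records
        head = append(db, {"event": "ballot_received", "n": i})
    print(verify(db, head))
    db.execute("UPDATE audit SET payload = ? WHERE seq = 2", ('{"event": "altered"}',))
    print(verify(db, head))
```

Without a head hash published outside the operator's control, truncating the tail of the log goes undetected, so readers of the log still have to trust whoever runs it.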
The audit report found that the Voatz system has no mitigation against deanonymizing voters based on when their vote was cast in the app. Voatz claims that there is a "mixnet" that anonymizes the information before it lands on the blockchain.
US election app security risks: MIT’s findings confirmed
Massachusetts Institute of Technology (MIT) researchers published a report on February 13th claiming that Voatz's blockchain had major security issues; Voatz replied later the same day and refuted MIT's claims.
As it turns out, the response from Voatz was written three days after Trail of Bits verified the security vulnerabilities MIT had identified, after it received a summary of the issues from the United States Department of Homeland Security.
Previous US election app security risks projects were not complete?
This was the first report to carry out a white-box investigation, which led to these findings; many reviews were conducted before it, but they weren't comprehensive enough. Trail of Bits summarized the previous reports as follows.
A security review was conducted back in 2019 by NCC, but because it was private, no technical security experts were employed.
In October of 2018, ShiftState conducted a broad hygiene review of the blockchain architecture, the data flow, and threat-mitigation decisions; however, this review didn't include searching for bugs in the application itself.
The last security review was conducted in October of 2019 and merely assessed cloud resources and whether the app was hackable or not. The prior reports did not include assessments of server and back-end security issues, which left them short of comprehensive.
On the one hand, different US states are considering blockchain-based voting. On the other hand, the Trail of Bits report states that these reports were merely technical documents, and the overlooking of these assessment loopholes raises the question of whether elected officials are qualified enough to read these documents.