Academic Study Finds Security Flaws in Online Voting Tool
OmniBallot Voting Platform Is Vulnerable to Hacking, Researchers Say
Researchers at the Massachusetts Institute of Technology and the University of Michigan have uncovered multiple security flaws in an online voting platform called OmniBallot. These flaws could enable hackers to access and manipulate voter data, according to a paper published this week.
Currently, OmniBallot is used in Delaware, New Jersey and West Virginia, and is designed to allow military personnel to cast their ballots while overseas. In addition, the online voting platform lets those with disabilities vote during the ongoing COVID-19 pandemic, according to Democracy Live, which developed the platform.
The OmniBallot platform allows voters to download a blank ballot, mark it and then send it through either mail, fax or email for verification, according to Democracy Live. After the results of the joint study were published this week, Bryan Finney, founder and president of Democracy Live, disputed the results and said the platform had undergone security testing by a third party.
What the Researchers Found
The combined MIT and University of Michigan study found that the APIs used with the OmniBallot software and its transmission of voter data to Democracy Live's servers leave several security loopholes that hackers can exploit to access this sensitive data.
This includes potentially exposing information on a voter's identity, ballot selections and browser history. In addition, since OmniBallot does not have a tool for verifying the submitted votes, the study finds that a hacker could intercept the data to manipulate votes and further use it for political ad targeting or disinformation campaigns.
"We conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection," Michael A. Specter and J. Alex Halderman, the two researchers who conducted the study, write.
23/ What we recommend for OmniBallot voters:
If you can, print a blank ballot, mark it, and mail it/drop it off.
If you need to mark online, double check that your printed ballot is marked correctly.
Avoid email/online return if possible.
More here: https://t.co/Ze6Z0VNraF
— J. Alex Halderman (@jhalderm) June 8, 2020
To analyze the software, the researchers say they reverse-engineered the publicly available elements of OmniBallot. To avoid the legal complications of connecting to a server containing actual voting data, the researchers used their own server to create a simulated voter system, according to the paper.
"Next, we iteratively reverse-engineered the code to understand each server API call and the format of the expected response, repeating this process until we could complete the voting process using a local stand-in server we created," according to the paper.
From there, the researchers looked at three possible attack scenarios:
Server-Side Attacks: The researchers say the software's architecture makes server-side attacks "very powerful," as threat actors can use this method to steal private information and modify election data - including voted ballots - the study notes. This vulnerability could be exploited by software engineers and system administrators at Democracy Live, insiders at Amazon, which owns and operates OmniBallot's physical servers, and external attackers who manage to breach the servers or Democracy Live's development systems, the report adds.
Manipulating Online Ballots
Since voters use OmniBallot to mark ballots online and then print them and return a physical ballot for tallying, the researchers note that these security vulnerabilities pose a great threat to blank ballot delivery, including misdirection and manipulation.
"OmniBallot's online ballot marking configuration could allow attackers to see the voter's selections before the ballot is generated, allowing them to surgically suppress votes for a particular candidate by misdirecting or modifying only those ballots," the study finds.
Another possible challenge is that hackers can compromise ballot secrecy by injecting code into the software, where they can then access and exfiltrate the voters' identity and ballot choices. Since OmniBallot does not use end-to-end verifiability, the researchers add that hackers could intercept the ballot return feature and change the vote to the threat actor's choice.
Democracy Live Pushes Back
After the study's results were published, Finney disputed the results in a statement: "The report did not find any technical vulnerabilities in OmniBallot. The authors take issue with online technologies in general relating to the transmission of ballots."
Finney told Information Security Media Group that a company called Shift State Security conducted a penetration test of the OmniBallot platform and concluded the tool was secure.
"Shift State Security, led by a team of former FBI cybersecurity agents, reviewed all third-party penetration," Finney says. "Shift State has stated that no testing of OmniBallot resulted in compromise of the OmniBallot system."
In addition to the questions raised about OmniBallot, researchers found flaws in other voting apps as well. In February, another team of MIT researchers published a technical paper that describes several security flaws in Voatz, a smartphone app used for limited online voting during the 2018 U.S. midterm elections (see: MIT Researchers: Online Voting App Has Security Flaws).
The makers of the Voatz app contend that the research was flawed when it was published.
Another app used in the Iowa Democratic caucuses in February also malfunctioned, causing widespread confusion and the delay of results of that contest (see: The Iowa Caucus: No Hacking, But a Bungled Risk Matrix).