The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting


    Title: The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections

    Description:
    In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called “Voatz.” Although there was no public formal description of Voatz's security model, the company claimed that election security and integrity were maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user's device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation. We performed a cleanroom reimplementation of Voatz's server and present an analysis of the election process as visible from the app itself.

    We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote, including a side-channel attack in which a completely passive network adversary can recover a user's secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections.

    Speaker(s): Michael A. Specter

    Location: Voting Vlg

    Discord: https://discord.com/channels/7082082...33881148506164

    Event starts: 2020-08-08 13:30 (01:30 PM) PDT (UTC -07:00)

    Event ends: 2020-08-08 14:00 (02:00 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T20:08 (UTC).