Hackers attack blockchain-based voting systems. Are the new voting systems safe?

For better or worse reasons, technological advances will always be reflected in most aspects of our lives, and democratic processes are no exception. Web application security specialists reported that in the 2018 midterm elections an unidentified threat actor tried to hack into the blockchain-based voting system used in West Virginia, known as Voatz. 

Blockchain technology

Although the attack was unsuccessful, the FBI has continued to follow up on this incident. “Last year we detected an attempted hacking against the mobile voting system in Virginia. The security protocols of the electoral system worked as expected. The FBI is investigating the IP addresses linked to this malicious activity,” said Andrew Warner, West Virginia’s secretary of state.

During past elections, at least 140 Virginia voters, including active members of the US Military residing abroad, used the Voatz mobile app, powered by blockchain, to cast their votes to elect members of the US Congress and local representatives. Although it seems like a very small number of voters it could still be decisive, especially in local elections. For example, four seats in the West Virginia Delegate house decided on less than 100 votes.

Through this app, users had to verify their identity using multi-factor authentication in conjunction with facial recognition software. Once this process was completed, users accessed their ballot and sent their votes. While it sounds pretty secure, web application security experts believe Voatz could still have some security weakness.

“Apparently the hacking attempt was not successful, but this is a sign that electronic voting systems could become one of the main targets of malicious hacker groups. Moreover, although this system seems to be more secure than its predecessors, it is difficult to evaluate it, as there are various confidentiality agreements,” the experts mention.

Uncertainty regarding Voatz is shared by other members of the cybersecurity community, such as Matt Blaze, a web application security specialist at Georgetown University. “Another aspect to consider is the use of this system on conventional smartphones. Blockchain security does not extend to the device where the application was installed, so a threat actor could try to attack the user from that point,” he says.

During a recent funding campaign, Voatz managed to raise $7 million USD to continue its investigation, so it is highly likely that its use will continue to be enforced, at least the West Virginia authorities.

The US presidential election is less than two years away, so web application security specialists from the International Institute of Cyber Security (IICS) highlight the importance of Voatz, and any other similar system, adopting a more open stance to public scrutiny. Continuing to use Voatz despite not having as much information as possible seems a little responsible measure by the US authorities.