Student may have tried to hack West Virginia's blockchain election for class

decrypt.co, 08 October 2019 18:55 UTC

The West Virginia Secretary of State office revealed last week that there was "an unsuccessful attempt to gain uninvited access" to its election system in May 2018.

The target was a blockchain-based mobile voting pilot that allowed military members overseas who are residents of Harrison and Monongalia counties to use the Voatz app to complete their ballots.

Was it Russian interference? Perhaps the North Koreans? As it turns out, it was probably a student from the University of Michigan. According to reports from CNN, the FBI is investigating the possibility that a Michigan student (or students) tried to hack Voatz for a course on election security.

The Voatz app's primary function is to authenticate voters, with the app linking users' identity to their smartphone via fingerprint or facial recognition. Voatz does not use a public blockchain like Ethereum or Bitcoin. Instead, the West Virginia pilot used somewhere between four and 16 nodes on a permissioned blockchain to verify ballots, though Voatz says it used different cloud providers. One perceived benefit of the Voatz app is its ability to produce an anonymized paper trail.

In this instance, CNN reported, Voatz discovered the apparent hack attempt and shared it with the FBI. A statement from the U.S. Attorney's Office for the Southern District of West Virginia noted that the attempt had been referred to it by the West Virginia Secretary of State during the 2018 elections.

While both the U.S. Attorney's and the West Virginia Secretary of State's press releases are quick to note that the hack was unsuccessful and no votes appear to have been changed, the incident highlights unease among cybersecurity experts.

According to Duncan Buell, a professor of computer science and engineering at the University of South Carolina, instead of mitigating the risk of election tampering, "blockchains actually introduce new vulnerabilities to the voting process."

Buell described to Decrypt several things that could go wrong. "First off," he said, is the fact that data is stored in a cloud instead of "computing resources owned by the election authority." That raises the risk of private interference, which would also be possible in a decentralized proof-of-work system. "What if a majority of the blockchain miners choose not to accept some of the votes?" he asked.

Yet blockchain voting is moving forward, FBI investigation or not, thanks in part to ease and auditability. So far in 2019, the City and County of Denver and Utah County, Utah, have piloted Voatz for municipal elections. Jocelyn Bucaro, Director of Elections for the City and County of Denver, told Decrypt the pilot was a success: "Voters surveyed reported they preferred to vote by mobile app than by any other method currently available. We were also excited to offer a public audit of the ballots cast and counted through the application."

The upshot of that audit, she said, was "additional transparency and auditability over other methods of voting." And although the Colorado Secretary of State isn't currently considering rolling out Voatz statewide, she expressed support for further pilots.

As for West Virginia, Jennifer Gardner, Deputy Press Secretary for the Secretary of State’s Office, told Decrypt the office still plans to use Voatz again for overseas military voting in 2020, though it’s up to individual counties to decide whether to use it.