Security researchers from the Massachusetts Institute of
Technology (MIT) and the University of Michigan found numerous security issues
and vulnerabilities within Democracy Live’s OmniBallot platform.
The COVID-19 pandemic is pushing more states to look into
the possibility of letting constituents vote online. Some states in the U.S.
already have this option, while others are adapting existing systems to suit
their needs. The same is true for the OmniBallot platform, which is used for
blank ballot delivery, ballot marking, and (optionally) online voting.
Of course, any online exposed platform is subject to
potential cyberattacks and, in the case of this system, to vote tampering.
OmniBallot is already deployed in Delaware, West Virginia and New Jersey, and
these states previously announced they would support at least a limited form of
online voting.
The security researchers investigated
the OmniBallot system in Delaware, which is a web-based platform written using
the AngularJS framework and implemented as a combination of static HTML,
JavaScript, CSS, and JSON-based configuration files.
Following guidance by the U.S. Cybersecurity and
Infrastructure Security Agency, researchers identified vulnerabilities in three
areas.
– When
OmniBallot is used to deliver blank ballots for printing, attackers could
modify certain voters’ ballots or return instructions to omit candidates, causing
votes to be scanned incorrectly, or delay or misdirect mailing returns.
– Attackers
can learn the voter’s selections and target ballots for a disfavored candidate
by misdirecting them or causing them to be scanned as a vote for somebody else.
Attackers could also mark the ballot for different candidates than the voter
intended, which, although visible, many voters would likely fail to detect.
– When
ballots are returned over the Internet using OmniBallot, there is no way for
voters to confirm that their votes have been transmitted without modification,
and attackers could change votes in ways that would be difficult for voters,
officials, or Democracy Live to detect.
In fact, this last part represents the most exposure, as
attacks can come from client-side malware, compromised third-party services
(Amazon or Google) and even infiltration of Democracy Live. Even the most
rigorous audits would have trouble securing these avenues.
The researchers do say that, with the proper mitigations,
many of these problems could be fixed in time for the incoming elections. One
of the most important steps would be more transparency and authorities allowing
independent review of the systems.