Online Voting Platform in Three U.S. States Vulnerable to Multiple Types of Attacks

Security researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan found numerous security issues and vulnerabilities within Democracy Live”s OmniBallot platform.

The COVID-19 pandemic is pushing more states to look into the possibility of letting constituents vote online. Some states in the U.S. already have this option, while others are adapting existing systems to suit their needs. The same is true for the OmniBallot platform, which is used for blank ballot delivery, ballot marking, and (optionally) online voting.

Of course, any online exposed platform is subject to potential cyberattacks and, in the case of this system, to vote tampering. OmniBallot is already deployed in Delaware, West Virginia and New Jersey, and these states previously announced they would support at least a limited form of online voting.

The security researchers investigated the OmniBallot system in Delaware, which is a web-based platform written using the AngularJS framework and implemented as a combination of static HTML, JavaScript, CSS, and JSON-based configuration files.

Following guidance by the U.S. Cybersecurity and Infrastructure Security Agency, researchers identified vulnerabilities in three areas.

–       When OmniBallot is used to deliver blank ballots for printing, attackers could modify certain voters” ballots or return instructions to omit candidates, causing votes to be scanned incorrectly, or delay or misdirect mailing returns.

–       Attackers can learn the voter”s selections and target ballots for a disfavored candidate by misdirecting them or causing them to be scanned as a vote for somebody else. Attackers could also mark the ballot for different candidates than the voter intended, which, although visible, many voters would likely fail to detect.

–       When ballots are returned over the Internet using OmniBallot, there is no way for voters to confirm that their votes have been transmitted without modification, and attackers could change votes in ways that would be difficult for voters, officials, or Democracy Live to detect.

In fact, this last part represents the most exposure, as attacks can come from client-side malware, compromised third-party services (Amazon or Google) and even infiltration of Democracy Live. Even the most rigorous audits would have trouble securing these avenues.

The researchers do say that, with the proper mitigations, many of these problems could be fixed in time for the incoming elections. One of the most important steps would be more transparency and authorities allowing independent review of the systems.