Researchers say online voting tech used in 5 states is fatally flawed

Elections in five states have used or plan to use OmniBallot's online voting tech.

Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. "The report did not find any technical vulnerabilities in OmniBallot," wrote Democracy Live CEO Bryan Finney.

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT's Michael Specter and the University of Michigan's Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.

This is true in a sense—the researchers didn't find any major bugs in the OmniBallot code. But it also misses the point of their analysis. The security of software depends not only on the software itself but also on the security of the environment in which the system runs. For example, it's impossible to keep voting software secure if it runs on a computer infected with malware. And millions of PCs in the United States are infected with malware.

The issue has particular urgency right now because the ongoing COVID-19 pandemic is forcing election officials to make significant changes to election procedures. Right now, most jurisdictions using the OmniBallot software don't use its "electronic ballot delivery" feature. But enabling the feature would require little more than a configuration change. There's a risk that election officials, under pressure to make remote voting easier, will decide to enable the software's online voting feature for this November's general election.

How OmniBallot works

Experimenting with a live election system would be unethical and likely illegal. Instead, Specter and Halderman obtained a copy of the OmniBallot software, reverse-engineered it, and then created new server software that mimicked the behavior of the real server. This allowed them to experiment with the software without risking interference with a real election.

The problems with online voting

While there are some security concerns with ballot-marking software, the researchers say that these problems pale in comparison to security vulnerabilities of OmniBallot's "electronic ballot delivery" system. The fundamental problem is that the complexity and opacity of online voting systems create numerous opportunities for a hacker to tamper with a ballot during the submission process. Malware on the client device could modify the ballot before it's transmitted to Democracy Live's servers. OmniBallot is built on Amazon Web Services using JavaScript libraries delivered by Google and Cloudflare. So hackers or malicious insiders at any of these companies could potentially alter ballots if they had access to one of these companies' systems. And the nature of online voting means there's no reliable way for a voter to verify that a ballot was transmitted correctly.

Software engineers have developed theoretical designs for voting systems with end-to-end security. These systems use sophisticated cryptography to enable voters to cryptographically verify that their vote has been counted correctly. But Democracy Live doesn't do anything like that.

In their paper, Specter and Halderman describe how an attacker could exploit the lack of end-to-end verification. "The web app would show a ballot containing the selections the voter intended, but the ballot that got cast would have selections chosen by the attacker," they write. "The attack would execute on the client, with no unusual interactions with Democracy Live, so there would be no way for the company (or election officials) to discover it."
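The reliance on JavaScript served by outside companies is something a reviewer can check for in a page's markup. The following added example (not code from the article, the researchers, or Democracy Live) lists scripts loaded from other hosts without a Subresource Integrity pin, a browser mechanism the article does not discuss; the sample HTML and host names are constructed. It covers only tampering at a third-party script host, not client malware or the first-party servers.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: hosts and paths are placeholders, not real markup.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/framework.min.js"></script>
<script src="https://ajax.example.org/libs/util.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
</head></html>
"""

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> together with its integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def unpinned_third_party(html, first_party_host):
    """Return src URLs served from another host with no integrity attribute."""
    parser = ScriptAudit()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host and host != first_party_host and not integrity:
            findings.append(src)
    return findings

def sri_value(script_bytes):
    """Compute a sha384 integrity attribute value for known-good script bytes."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

if __name__ == "__main__":
    for src in unpinned_third_party(SAMPLE_HTML, "vote.example.gov"):
        print("third-party script without integrity pin:", src)
    print("pin for a known-good build:", sri_value(b"console.log('build');"))
```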

Auditing doesn’t fix the problem

Democracy Live conducts post-election audits using Amazon's AWS CloudTrail software to verify that no Democracy Live employees abused their access to company servers. These checks could detect some forms of election tampering, but Specter and Halderman point out that they are far from foolproof.

States face pressure over online voting

Most states have heeded the experts' warnings and shied away from online voting. But a few have pushed forward, drawing the ire of computer security researchers in the process.