Profile picture
, 11 tweets, 12 min read
My Authors
Read all threads
Today, @mspecter, @jimmykoppel, and @djweitzner released a detailed security analysis of Voatz, a blockchain-based Internet voting app that's used in West Virginia and other states. Their findings are devastating, bit.ly/VoatzPaper. But Voatz has even more problems! 1/
@mspecter @jimmykoppel @djweitzner The paper finds that the Voatz API server, if hacked, can change votes entirely. The authors say the app doesn't actually use a blockchain or an E2E-V protocol to secure app-server vote transmission, but essentially just a regular HTTPS connection to voatzapi.nimsim.com. 2/
@mspecter @jimmykoppel @djweitzner To protect the connection, Voatz uses certificate pinning. That means the app will only trust a specific HTTPS certificate to authenticate the server. For maximal security, the app should pin to a cert that is used only on a specific well hardened server. 3/
@mspecter @jimmykoppel @djweitzner However, the server at voatzapi.nimsim.com uses a wildcard certificate for *.nimsim.com. 4/
@mspecter @jimmykoppel @djweitzner We can look up that certificate using Censys (@censysio). censys.io/ipv4?d996355c5…
It turns out Voatz uses the same cert on 7 servers on 3 cloud providers. An attacker who hacked into any of these systems could likely get the private needed to intercept and change votes. 5/
@mspecter @jimmykoppel @djweitzner @censysio How hard would that be? One of the servers, censys.io/ipv4/52.5.126.…, returns an HTTP header indicating it runs outdated software: "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/5.4.16". That PHP version has dozens of CVEs. cvedetails.com/vulnerability-… 6/
@mspecter @jimmykoppel @djweitzner @censysio SSLLabs gives the same server a C. 7/
@mspecter @jimmykoppel @djweitzner @censysio The bottom line: It looks like there’s a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatz’s private key, impersonate the Voatz API server, and then intercept and change votes. 8/
@mspecter @jimmykoppel @djweitzner @censysio It’s not surprising that the Voatz app has the major security problems MIT found. Election security experts, including me, have been warning for years that Internet voting systems are not safe to use in real elections. 9/
@mspecter @jimmykoppel @djweitzner @censysio What is shocking from the MIT findings is just how primitive the Voatz app is, under the surface, compared to state-of-the-art E2E-V approaches. I myself certainly assumed from Voatz's messaging that it was doing something more sophisticated than what the researchers report. 10/
@mspecter @jimmykoppel @djweitzner @censysio In my view, based on MIT's findings, no responsible jurisdiction should use Voatz in real elections any time soon. It will take major advances in security technology before Internet voting is safe enough. 11/11
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with J. Alex Halderman

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Eric Mill
@konklone
Today, the NYT covered research by @mspecter, @jimmykoppel, and @djweitzner into the security of Voatz, a mobile app that's been used for online voting in US elections:

nytimes.com/2020/02/13/us/…

This found serious issues, but they're just some of the many problems with @Voatz. 1/
The researchers here reported these issues to @CISAgov, rather than @Voatz directly, out of concern for potential retaliation.

Their fear is well justified. In October, Voatz reported a student at U of Michigan to authorities for analyzing their app: 2/

magazine.cointelegraph.com/2020/02/07/saf…
@CISAgov @Voatz And in response to the researchers' work today, rather than acknowledging any of the issues in the paper, @Voatz accuses them of acting in bad faith, with the goal of sowing discord in elections:

blog.voatz.com/?p=1209
Read 13 tweets
Profile picture
Specter
@mspecter
Today, myself and co-authors @jimmykoppel and @djweitzner released a paper discussing a slew of vulnerabilities we found in @voatz, a blockchain voting app that's been used in US federal elections. You can read about it in the @nytimes! nytimes.com/2020/02/13/us/…
Or the paper itself here! internetpolicy.mit.edu/securityanalys…
Also, MIT News: news.mit.edu/2020/voting-vo…
Read 3 tweets
Profile picture
Rev. Scott Anthony ❌
@ScottAnthonyUSA
🚨 THE STORM PREDICTION CENTER HAS PLACED SIGNIFICANT SECTIONS OF CENTRAL U.S. AT ELEVATED RISK FOR TORNADOES, SEVERE WIND AND HAIL AGAIN TODAY, SATURDAY 5/25/19.... ADDITIONAL DETAILS TO FOLLOW...
Severe thunderstorms are likely this afternoon into tonight from the Texas & Oklahoma Panhandles into western/northern Oklahoma & Kansas.

Other severe storms are expected across the upper Ohio River Valley and Allegheny Plateau, and possibly other portions of the Midwest.
🔥 CRITICAL FIRE RISK FOR NEW MEXICO... as well as elevated fire risks in southern Georgia, northern Florida, SW South Carolina and far east Alabama
Read 35 tweets
Profile picture
Matthew Willemsen
@mwill_crypto
0/ The last day in February is here. Already over 15% through the year!

As always, there was a ton going on in the #blockchain/#crypto space today. Let's look back at some events from the past 24 hours!
1/ 🔲 Square, the payments giant led by Twitter's Jack Dorsey, reported its 4Q18 earnings. In total, users of Square's Cash App sold >$166M worth of #bitcoin in 2018 and $52.5M in 4Q. Considering the timeframe, that's some very solid QoQ growth! Graphic from @TheBlock__.
2/ 🤓 @BinanceResearch published an in-depth research report on @IOStoken [ $IOST ], a #blockchain-as-a-service platform focussed on mass adoption. Love this initiative from @Binance. info.binance.com/en/research/IO…
Read 16 tweets
Profile picture
Matthew Willemsen
@mwill_crypto
0/ Surprise surprise, it's been another hot start to the week for the #crypto/#blockchain ecosystem. Encouraging to see!

Below is a 18-part thread I created to help you keep informed re industry news that broke over the past ~24 hours. Hope you enjoy it!
1/ 🌐 An ann. from Elliott Suthers (Comms. Director, @Coinbase) revealed that "high-volume @CoinbasePro and Prime customers in Asia and Europe [can now] use cross-border wire transfers to fund their Coinbase accounts."

Now *that* is progress! blog.coinbase.com/announcing-new…
2/ 🙋🏻‍♂️ Staying with @Coinbase, news emerged that the top-tier #crypto exchange hired Quito Zuba as its Head of Market Operations last November.

Formerly, Quito spent over 6 years as the Global Head of Operations for @ThomsonReuters. Big get for Coinbase!
Read 20 tweets
Profile picture
Matthew Willemsen
@mwill_crypto
0/ Another doozy of a thread for you!

The past ~24hrs saw a great many #blockchain projects share development updates and partnership news. Amid this, the #crypto space was ripe with discussion on several topics.

On what, exactly? Well that's for you to find out 😉
1/ 🇺🇸 @AugurProject [ $REP ] - yeah, that #Ethereum-powered decentralized prediction market everyone wrote off post-#mainnet as quickly as @Novogratz revises a #bitcoin price forecast (😘) - well the #USmidterms have seemingly awoken punters from far and wide. Those numbers!
2/ 🔎 @adam3us's leading #bitcoin and #blockchain technology firm @Blockstream announced its new block explorer, blockstream.info.

Now, users can search and view specific data published in real-time to the Bitcoin #blockchain, Bitcoin #testnet and Liquid #sidechain. Neat!
Read 30 tweets

Trending hashtags

#airdrops #TRON #Melbourne #TCDisrupt #Bezant #Alibaba #crypto #DeFi #UT #TX #DemCastMS #Senate #decentralize #OriginTrail #Paradex #GFW #Ethash #SoundMoney #IL #blockchain #WestVirginia #Chainlink #MO #KY #stablecoin
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!