Incident: Attempted Hack on Voatz Mobile Voting App During 2018 Midterm Elections

Published Date: 2019-10-05

Postmortem Analysis
Timeline 1. The software failure incident involving an attempted hack into the Voatz app used during the 2018 midterm elections happened in 2018 [90757].
System 1. Voatz mobile voting app [90757]
Responsible Organization 1. The person or people associated with the University of Michigan who attempted to hack the Voatz app as part of an election security course [90757] 2. The student(s) from the Michigan course who tried to break into the existing election infrastructure, leading to the FBI inquiry [90757]
Impacted Organization 1. Military and overseas voters in West Virginia [90757]
Software Causes 1. The software cause of the failure incident was an attempted hack into the Voatz mobile voting app used during the 2018 midterm elections [90757].
Non-software Causes 1. The attempted hack into the Voatz app was a student's attempt to research security vulnerabilities rather than an attempt to alter any votes [90757]. 2. The incident stemmed from a particular incident in a Michigan course where students were instructed not to meddle in existing election infrastructure, but one student's actions led to the FBI obtaining a search warrant for their phone [90757].
Impacts 1. The attempted hack into the Voatz app used during the 2018 midterm elections led to an FBI investigation, causing concerns about the security of the voting system [90757]. 2. The incident raised questions about the security and integrity of the mobile voting system, particularly in the context of election infrastructure [90757]. 3. The software failure incident highlighted the challenges in cybersecurity research, where researchers trying to identify vulnerabilities may face legal consequences under the Computer Fraud and Abuse Act [90757]. 4. The lack of transparency and reluctance of Voatz to disclose audits and allow inspections of their system eroded trust in the product and operations, impacting confidence in the security of the voting app [90757].
Preventions 1. Implementing stricter guidelines and controls within educational courses involving cybersecurity research to ensure that students do not inadvertently cross legal boundaries when testing software vulnerabilities [90757]. 2. Conducting thorough security audits and assessments of the software, such as the Voatz app, to identify and address any potential vulnerabilities before they can be exploited [90757]. 3. Enhancing transparency and accountability in the development and deployment of critical software systems, especially those used in elections, to build trust with the technical community and users [90757].
Fixes 1. Conducting thorough security audits and making the results transparent to build confidence in the software system [90757]. 2. Implementing strict guidelines and controls for researchers participating in security testing to prevent unauthorized access to live election systems [90757]. 3. Enhancing collaboration with cybersecurity researchers through bug bounty programs to identify and address vulnerabilities in the software system [90757].
References 1. FBI investigation and US attorney for the Southern District of West Virginia [90757] 2. Sources familiar with the matter 3. Office of West Virginia Secretary of State Mac Warner 4. Voatz co-founder and CEO Nimit Sawhney 5. Rick Fitzgerald, spokesman for the University of Michigan 6. University of Michigan 7. Joseph Lorenzo Hall, chief technologist of the Center for Democracy & Technology 8. San Francisco company HackerOne

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to an attempted hack into the Voatz app during the 2018 midterm elections in West Virginia is a unique incident that has not been reported to have happened again within the same organization or with its products and services. The incident involving the University of Michigan students attempting to hack the app as part of a security course appears to be an isolated event [90757]. (b) The software failure incident involving the attempted hack into the Voatz app during the 2018 midterm elections in West Virginia does not have any reported instances of similar incidents happening at other organizations or with their products and services. The focus of the incident was on the specific attempt by University of Michigan students to test the security of the app, rather than a widespread issue affecting multiple organizations [90757].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the attempted hack into the Voatz app used during the 2018 midterm elections. The incident was a result of a person or people trying to hack the app as part of a University of Michigan election security course, which highlighted the contentious issue in cybersecurity research of finding vulnerabilities in software by thinking like a hacker. This incident was severe enough to be reported to the FBI, indicating a failure in the design aspect of the app's security measures [90757]. (b) The software failure incident related to the operation phase can be observed in the misuse of the Voatz app during the 2018 election cycle. The attempted intrusion into the West Virginia military mobile voting system was perceived as an outside party trying to gain unauthorized access. This misuse led to the involvement of the FBI and raised concerns about the security and transparency of the app's operations, indicating a failure in the operational aspect of the system [90757].
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident related to the attempted hack into the Voatz app during the 2018 midterm elections was primarily due to factors originating from within the system. The incident involved a student or students from the University of Michigan trying to hack the app as part of an election security course, which led to the FBI investigation [90757]. Additionally, Voatz co-founder and CEO Nimit Sawhney mentioned that the attempted hack was severe enough to be reported to the authorities, indicating an internal breach within the system [90757]. (b) outside_system: The software failure incident also had contributing factors originating from outside the system. The suspicious activity against the Voatz app was traced back to IP addresses associated with the University of Michigan, suggesting an external source for the attempted intrusion [90757]. Furthermore, the incident highlighted the challenges in cybersecurity research where researchers need to think like hackers to find vulnerabilities, which can sometimes lead to legal implications due to the strict laws like the Computer Fraud and Abuse Act [90757].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident related to non-human actions: - The attempted hack into the Voatz app during the 2018 midterm elections was potentially a student's attempt to research security vulnerabilities rather than an attempt to alter any votes [90757]. - The FBI investigation into the hack was linked to a University of Michigan election security course where students were examining mobile voting technology [90757]. (b) The software failure incident related to human actions: - The FBI inquiry into the attempted hack stemmed from a particular incident in the Michigan course where students were instructed not to meddle in existing election infrastructure but potentially did so [90757]. - Voatz co-founder and CEO Nimit Sawhney mentioned that the attempted hack was severe enough to be reported to the FBI, indicating human involvement in the intrusion [90757].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware: - The attempted hack into the Voatz app during the 2018 midterm elections was traced back to IP addresses associated with the University of Michigan, indicating a hardware-related issue as the suspicious activity originated from specific hardware devices [90757]. (b) The software failure incident related to software: - The attempted intrusion into the Voatz app was a result of a student or students trying to hack the app as part of a University of Michigan election security course, indicating a software-related issue where vulnerabilities in the software were being explored [90757].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident reported in the articles was non-malicious. It was an attempted hack into a mobile voting app used during the 2018 midterm elections, which may have been a student's attempt to research security vulnerabilities rather than an attempt to alter any votes [90757]. The FBI investigation revealed that the intrusion into the Voatz app was part of a University of Michigan election security course, where students were examining current and proposed mobile voting technology but were instructed not to meddle in existing election infrastructure. The incident was reported to the authorities, and no criminal charges were filed.
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident related to poor decisions can be seen in the incident where a student or students from the University of Michigan attempted to hack into the Voatz app as part of an election security course. The students were instructed not to meddle in existing election infrastructure but still attempted to hack the app, leading to an FBI investigation [90757]. This incident highlights the potential consequences of poor decisions made by individuals involved in the security research. (b) The intent of the software failure incident related to accidental decisions can be seen in the statement by Voatz co-founder and CEO Nimit Sawhney, who mentioned that the attempted hack was the only incident from the 2018 election that felt severe enough to turn over to the FBI. This suggests that the intrusion was not intentional but rather accidental, possibly due to the students' actions during the course [90757].
Capability (Incompetence/Accidental) accidental (a) The software failure incident related to development incompetence is not evident in the provided article. (b) The software failure incident was accidental, as it was reported that the attempted hack into the Voatz app during the 2018 midterm elections was actually a student's attempt to research security vulnerabilities rather than an attempt to alter any votes. The FBI investigation revealed that the suspicious activity against the Voatz app came from IP addresses associated with the University of Michigan, where students were examining current and proposed mobile voting technology but were instructed not to meddle in existing election infrastructure. This accidental intrusion led to the FBI inquiry and raised concerns about the strict hacking laws in the US [90757].
Duration temporary (a) The software failure incident in the Voatz app related to the attempted hack during the 2018 midterm elections can be considered as a temporary failure. The incident was a result of a student or students trying to hack the app as part of a University of Michigan election security course, which was not a permanent failure but rather a specific event caused by certain circumstances [90757]. (b) The incident was not a permanent failure as it was a specific event related to the attempted hack and intrusion into the Voatz app, rather than a continuous or ongoing issue with the software [90757].
Behaviour crash, other (a) crash: The incident involving the attempted hack into the Voatz app during the 2018 midterm elections did not result in any alteration of votes, but it was severe enough to be reported to the FBI, indicating a potential system crash [90757]. (b) omission: The system failure incident did not involve the system omitting to perform its intended functions at an instance [90757]. (c) timing: The incident did not involve the system performing its intended functions too late or too early [90757]. (d) value: The incident did not involve the system performing its intended functions incorrectly [90757]. (e) byzantine: The behavior of the software failure incident did not exhibit inconsistent responses or interactions [90757]. (f) other: The behavior of the software failure incident involved an attempted intrusion into the Voatz app, which was caught and reported to the authorities, highlighting the potential vulnerability of the system to external attacks [90757].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence theoretical_consequence, other (a) death: People lost their lives due to the software failure - No information in the provided article suggests that people lost their lives due to the software failure incident. [90757] (b) harm: People were physically harmed due to the software failure - No information in the provided article suggests that people were physically harmed due to the software failure incident. [90757] (c) basic: People's access to food or shelter was impacted because of the software failure - No information in the provided article suggests that people's access to food or shelter was impacted due to the software failure incident. [90757] (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident involved an attempted hack into a mobile voting app used during the 2018 midterm elections, which could potentially impact the security and integrity of the voting process. However, there is no specific mention of people's material goods, money, or data being directly impacted. [90757] (e) delay: People had to postpone an activity due to the software failure - The software failure incident did not result in any activity being postponed as per the information provided in the article. [90757] (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident primarily involved an attempted hack into a mobile voting app and the subsequent investigation by the FBI. There is no mention of non-human entities being impacted in the article. [90757] (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident involving the attempted hack into the mobile voting app did have consequences, such as triggering an FBI investigation and raising concerns about the security of the voting system. Therefore, it does not fall under the category of no real observed consequences. [90757] (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The article discusses potential consequences of the software failure incident, such as the security vulnerabilities being researched by a student and the implications of the Computer Fraud and Abuse Act. However, these potential consequences did not materialize into actual harm or damage. [90757] (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The article mentions concerns raised by cybersecurity experts about the lack of transparency and confidence in the Voatz app's security measures. This lack of transparency could lead to a loss of trust in the election system, impacting the democratic process and public confidence in the voting technology. [90757]
Domain government (a) The failed system was related to the government industry as it involved a mobile voting app used during the 2018 midterm elections in West Virginia [90757]. (l) The failed system was specifically used for government elections in West Virginia, making it part of the government industry [90757].

Sources

Back to List