The Iowa caucuses app had another problem: It could have been hacked

While there is no evidence hackers intercepted or tampered with the results, a security firm consulted by ProPublica found that the app lacks key safeguards.

A glitch in the smartphone app used to count and report votes from individual precincts continues to delay results from Monday’s Iowa caucuses. But a closer look shows that the app had a potentially graver problem that apparently did not come into play: its vulnerability to hacking.

MORE INFO

Iowa caucuses did one thing right: Require paper ballots

In November, some voters in at least nine states will cast their ballots electronically on systems that do not leave a paper trail. Read more.

Confusion reigned in Iowa caucus -- even before the chaotic results

While Iowans had access to more caucusing locations, confusion about the system kept some from being counted and left advocates for the disability community frustrated with remaining barriers. Read more.

US could learn how to improve election protection from other nations

The problem is of protecting democracy and securing voting machines is global, and would benefit from an internationally coordinated solution among both advanced and emerging democracies. Read more.

The IowaReporterApp was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed, according to officials at Massachusetts-based Veracode, a security firm that reviewed the software at ProPublica’s request. Because of a lack of safeguards, transmissions to and from the phone were left largely unprotected.

Chris Wysopal, Veracode’s chief technology officer, said the problems were elementary. He called it a “poor decision” to release the software without first fixing them. “It is important for all mobile apps that deal with sensitive data to have adequate security testing, and have any vulnerabilities fixed before being released for use,” he said.

The weaknesses reinforce concerns about political parties managing elections, especially in an era of heightened sensitivity to digital security issues -- and about the Iowa Democratic Party’s actions in particular. Party officials, who touted the new technology as a fast way to tally votes, may have given short shrift to assuring not only the app’s effectiveness but also its security, experts said.

There’s no evidence that hackers intercepted or tampered with caucus results. An attack would have required some degree of sophistication, but it would have been much easier to pull off had a precinct worker used an open Wi-Fi hotspot to report votes instead of a cell data plan.

Still, the turmoil over counting the votes in Iowa has raised fresh doubts about the election’s integrity. “It absolutely hurts confidence overall because you have folks looking at this and saying: ‘Did my vote matter? Did it count?’” said Amber McReynolds, the former elections director in Denver and now CEO of the National Vote at Home Institute. “And they’ll ask those questions again in November.”

The Iowa Democratic Party referred questions about testing and vulnerabilities to the app’s maker, Shadow Inc. Mandy McClure, the party’s spokeswoman, said all “electoral data and results have been exported from the application and are in the process of being verified through the paper record.”

Gerard Niemira, Shadow’s CEO, said in a statement to ProPublica that “we are committed to the security of our products, including the app used during the Iowa caucuses. While there were reporting delays, what was most important is that the data was accurate and the caucus reporting process remained secure throughout.

“Our app underwent multiple, rigorous tests by a third party, but we learned today that a researcher found a vulnerability in our app. As with all software, sometimes vulnerabilities are discovered after they are released.” He added that no “hack or intrusion” occurred during the caucuses, and that “the integrity of the vote in Iowa was not compromised in any way.” The app is not currently in use, he said.

The app was plagued with data-reporting problems and curious error messages, according to screenshots published by Motherboard, which was first able to download and install a copy of the app this week. The app’s failure prevented some precinct workers from transmitting local election results to the state’s Democratic Party. Because there wasn’t enough backup staffing, officials encountered long delays to phone in tallies. Some still have not been posted.

The U.S. Department of Homeland Security offered to test the app for the Iowa Democratic Party, but the party never took the government up on it, according to a U.S. official familiar with the matter who was not authorized to speak publicly. The official said the party did participate in a dry run, known as a tabletop exercise. The party did not respond to requests for comment on this issue.

Political parties have less training and experience in administering the vote than do state and county governments, which will manage most of the upcoming primaries along with the general election. Government agencies must adhere to state and federal information security standards, which do not necessarily apply to parties. The Nevada State Democratic Party, which paid Shadow Inc. $58,000 in August for “technology services,” said it will not employ the app during its Feb. 22 caucuses.

ProPublica obtained a version of the app from an Iowa precinct chair and sent it to Veracode for review this week. ProPublica is not publishing the specific problems with the app to avoid giving a detailed blueprint to hackers, should a similar version of the software be used again.

“This is an extremely serious vulnerability,” said J. Alex Halderman, a University of Michigan computer science professor and chief scientist at the security firm Censys. “An adversary could exploit it to intercept and change caucus results as they were being submitted through the app. Such a change would probably be caught eventually, if officials carefully compared paper return sheets from each location to the computerized results, but it still would have cast doubt on the whole process in peoples’ minds.”

In 2015, Halderman and another researcher found a similar security issue in one of Australia’s online voting platforms. That problem, he said, would have allowed an attacker to change votes during transmission.

“With all the attention that’s supposed to be going into election security, it’s shocking that code with this problem made it into production,” Halderman said. “It’s total amateur hour.”

This article was first posted on ProPublica.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.