Academics outline series of changes to make OmniBallot platform safer
UPDATED Democracy Live’s OmniBallot online voting system could allow attackers to alter election results without detection, a new study by academic researchers warns.
OmniBallot was reverse engineered by Researchers Michael A. Specter of the Massachusetts Institute of Technology IT and J. Alex Halderman of University of Michigan, respectively, who concluded that the technologyit was vulnerable to vote manipulation by malware.
The academics further criticize the voting technology firm’s data handling practices.
OmniBallot has historically been used to let voters print ballots that will be returned through the mail.
In response to the coronavirus pandemic, three US states – Delaware, West Virginia, and New Jersey – are allowing voters to use the systems to make online ballot returns.
Specter and Halderman reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to investigate its operation and analyze its security. The results, detailed in a white paper (PDF), aren’t pretty.
“We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare,” the researchers conclude.
Even in cases when OmniBallot is only used to mark ballots that will be printed and returned in the mail, the software still sends the voter’s identity and ballot choices to Democracy Live, according to the researchers, who described this as an “unnecessary security risk that jeopardizes the secret ballot”.
Bug reporting criticisms
The system has never been subject of a “public, independent security review”, according to the academics, who go on to criticize the vendor’s vulnerability reporting mechanism.
The researchers write: “Democracy Live’s vulnerability reporting guidelines, shown within the web app, stipulate that researchers who report problems may not disclose them without approval.
“Although it is unclear if this policy is enforceable, such restrictions run counter to best practices and may chill responsible disclosure.”
Specter and Halderman conclude their paper by recommending changes to make the platform safer for ballot delivery and marking.
OmniBallot has historically been used primarily for voters with disabilities, or voters who cannot vote in person such as those stationed overseas in the military.
In response to queries from The Daily Swig, Democracy Live argue that the researchers report “did not find any technical vulnerabilities in OmniBallot”. “The authors take issue with online technologies in general relating to the transmission of ballots,” it said.
Democracy Live said that it agreed with the authors of the report that a vote verification tool would add further security to the system, adding that “OmniBallot will be offering a vote verification option to every future deployment of OmniBallot’s electronic return system”.
The electronic voting technology vendor accepted criticisms that contracted privacy policies ought to be made on the ballot portal, promising to change this immediately.
Democracy Live went on to argue that although the report strongly advises elections administrators to not offer electronic ballot return a majority of States in the U.S. require electronic ballot return.
“Democracy Live’s position is that leveraging a secure, federally approved portal to secure documents (ballots) is a more secure method of transmitting ballots than emailing ballot attachments and using fax machines,” it concluded.
This story has been updated to add a post publication response from Democracy Live.
READ MORE E-voting intrusion test: Swiss Post bug bounty moderator tallies submissions