Smartphone voting will get a trial run during November’s U.S. elections. As part of a new pilot program, West Virginia has partnered with Voatz, a Boston-based technology startup, to allow some members of the military stationed overseas to cast ballots with devices connected to a blockchain-enabled vote recording system.

Security experts have had mixed reactions to the plan, with some saying blockchain technologies aren’t yet ready for important tasks such as voting security. But defenders say the pilot program will allow veterans stationed in remote locations to make their voices heard during the midterm elections — as long as proper security measures are put in place.

Is Blockchain Ready for the Big Time?

Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, a digital rights group, believes smartphone voting is too unproven to use during this year’s elections.

“I don’t know why everyone’s solution to things lately is ‘rub some blockchain on it,’” he said. “Blockchain voting methods typically mean you are doing internet voting — which is a horrifically bad idea — and committing encrypted ballots to the blockchain.”

Current encryption schemes will be broken in coming years, Hall predicted, meaning a secret ballot this year may end up in the public domain in the future.

“Imagine if you’re a uniformed military serviceman stationed abroad, excited to be able to cast a ballot … using a remote blockchain voting system. Then imagine that in 20 years, the entire contents of your ballot are decryptable and publicly available. You may face ridicule or other kinds of blowback from your ballot from 20 years ago.”

Given these risks, Hall urged caution, noting that the voting process is not something to tinker with before conducting a “serious and deep inquiry and interrogation.”

The Benefits of Blockchain-Based Balloting

West Virginia Secretary of State Mac Warner, on the other hand, defended the pilot program. According to Mike Queen, Warner’s deputy chief of staff, the retired Army officer had been unable to vote during his deployments, and he wants to provide members of the military with better opportunities.

Queen noted that during a tour in Afghanistan, Warner didn’t have access to a phone line or a mailbox, meaning he was cut off from voting in a past election. Many other servicemen and women face the same problem. During the 2016 general election, military members and other U.S. citizens living overseas requested about 930,000 absentee ballots, 68.1 percent of which were returned, according to the U.S. Election Assistance Commission.

This isn’t the first smartphone-and-blockchain voting trial for West Virginia. A smaller pilot allowed veterans from two counties to vote on smartphones during May’s primary election, but, as Queen noted, fewer than 20 did.

Given May’s numbers, officials aren’t expecting a huge portion of veterans to participate in November’s trial. According to Queen, the November pilot project will allow overseas military members from about 15 West Virginia counties to vote on smartphones.

How Can Governments Address Voting Security Challenges?

Even so, the forthcoming trial will employ other security measures in addition to blockchain. The voting system will use two-factor authentication (2FA) — fingerprints and facial recognition — to identify and verify voters, Queen said.

“We’re not suggesting the blockchain is 100 percent foolproof,” he said, but blockchain, combined with other security measures, “is as safe as we can get.”

Some blockchain experts believe that the security of the voting system will largely depend on its implementation and ability to identify the correct user of a given device. A correctly established blockchain using multiple distributed nodes, they argue, should make the voting system extremely difficult to compromise.

With a robust blockchain, user authentication may be the most crucial security measure, said Andre McGregor, a partner at global investment and advisory firm TLDR Capital and a former FBI cyber special agent.

“While it is exciting to see blockchain being used in a very public and necessary environment such as elections, we must realize that security compromise will almost always lie with the end user — or, in this case, the voter,” McGregor said. “Vote interception malware is a real concern. Biometric compromise by a fake voter is even more of a concern.”

It would also be possible for an authenticated voter to pass his or her phone to someone else to cast a ballot, he said. That’s “the digital equivalent of having someone else walk into the voting booth under your name,” McGregor added.

“The ease in which a mobile phone vote can transfer hands in a split of an instant could very well undermine the voting process, and could even call a candidate’s victory into question.”

But while some cryptocurrency blockchains operate thousands of nodes, Voatz will provide “up to 16 nodes” for the voting pilot. Still, Voatz said the system is secure, with its voting app undergoing “frequent, rigorous red-team testing” by independent security auditors.

Even a blockchain system with as few as 16 nodes would be extremely difficult to compromise, as long as the nodes are securely set up, said Kyle Fournier, crypto analyst at blockchain training vendor CryptoManiaks. The standard blockchain compromise, called the 51 percent attack because attackers would have to take over more than half of the system’s nodes, would be difficult if the nodes are tested and verified against the rules of the system, he said.

“For a 51 percent attack to occur on a 16-node blockchain, a bad actor would need to gain control of at least nine nodes, assuming that the nodes share equal responsibility,” Fournier explained. “If the servers being used as nodes have been verified in any real sense, I would say that a 51 percent attack should not be feasible.”

What Does the Future Hold for Blockchain-Based Voting?

Fournier said he sees potential in blockchain-based voting.

“Our current method of voting is simply not good enough,” he said. “Requiring people to travel to physical locations causes low voter turnout. Counting by hand is slow. And although bringing the process online seems to open us up to hacking, hacking already exists with the way we do things now.”

Still, Jeff Anderson, blockchain expert and certified security professional, suggested it may be too soon to move toward smartphone voting using blockchain. Blockchain-based voting will require a lot of training to help voters ensure their votes are correctly recorded, he said.

The technology might be ready in five to 10 years, when more people are comfortable with blockchain, Anderson added.

“Blockchain is still an incredibly early technology,” he said. “Voting is something we want to ensure is done on tested platforms.”
