An attempted hack into a mobile voting app used during the 2018 midterm elections may have been a student’s attempt to research security vulnerabilities rather than an attempt to alter any votes, three people familiar with the matter told CNN.
Mike Stuart, the US attorney for the Southern District of West Virginia, revealed at a press conference Tuesday that an FBI investigation “is currently ongoing” after an unsuccessful attempted intrusion into the Voatz app, which West Virginia has used since 2018 to allow overseas and military voters to vote via smartphone. No criminal charges have been filed.
The sources told CNN that the FBI is investigating a person or people who tried to hack the app as a part of a University of Michigan election security course. Michigan is one of the main academic hubs of election security research in the country, housing the trailblazing Michigan Election Security Commission.
The office of West Virginia Secretary of State Mac Warner had previously communicated to Stuart that suspicious activity against the Voatz app came from IP addresses associated with the University of Michigan, one of the people familiar with the matter told CNN.
“During the 2018 election cycle, Secretary of State Warner referred to my office what he perceived to be an attempted intrusion by an outside party into the West Virginia military mobile voting system,” Stuart said in prepared remarks Tuesday. He added that “no legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated.”
The FBI declined to comment on the matter, and the West Virginia Secretary of State’s office as well as Stuart’s office declined to offer further comment. Rick Fitzgerald, a spokesman for the University of Michigan, said he did not “have enough information at this moment to offer any response.”
Voatz co-founder and CEO Nimit Sawhney declined to share specifics of the attempted hack but told CNN Tuesday that it was the only incident from the 2018 election that felt severe enough to turn over to the FBI.
“We stopped them, caught them and reported them to the authorities,” Sawhney told CNN Tuesday.
The FBI inquiry stemmed from a particular incident in the Michigan course, where students examined current and proposed mobile voting technology but were instructed not to meddle in existing election infrastructure, according to a person familiar with the matter. This spring, one of the students emailed their professors to say the FBI had obtained a search warrant for their phone, one of the people familiar with the matter said.
The matter highlights one of the most contentious issues in cybersecurity research: One of the best ways to find potential vulnerabilities in software is to have a researcher try to think like a hacker and try to break in. But the US’ primary hacking law, the Computer Fraud and Abuse Act, is strict and carries strong penalties for someone found to have gained “unauthorized access” to a system.
West Virginia is the only state that currently uses the system. Proponents of Voatz, like Warner, say that the app provides a solution to low voter participation rates among military and overseas voters and that it has passed some security tests, and they maintain there is no evidence hackers have changed any votes.
“Voatz has been so reluctant to have anyone inspect their system or even disclose the audits of their product that have been conducted,” said Joseph Lorenzo Hall, the chief technologist of the Center for Democracy & Technology.
“They are completely opaque, and that is the exact opposite of what a cutting-edge security product used for government elections should be,” Hall told CNN. “This gives the technical community zero confidence in their product or operations.”
“Election systems are critical infrastructure,” Sawhney said. “If you are not an authorized voter, (and) you want to experiment with the system, there are alternate approaches available.”
Voatz does participate in a “bug bounty” program run by the San Francisco company HackerOne, which invites cybersecurity researchers to find vulnerabilities. Voatz currently offers researchers a maximum of $2,000 if they identify a critical problem. Sawhney told CNN the attempted intrusion he reported to the FBI was on its “live election system,” which was “out of scope” for the bug bounty program.
On Friday, Voatz updated the terms of its HackerOne program to explicitly prohibit any attempts to disrupt “a live election system,” the first time it has used that phrase.