In Iowa, rather than casting votes in polling stations, registered Democrats meet in precincts to elect delegates that then support a particular Democrat candidate. The caucus is important as it marks the start of the presidential primaries.
However, this year the Iowa caucus hit the headlines for unexpected reasons after the app used to report results malfunctioned, causing major delays.
This year, results were reported through an app named the IowaReporterApp, developed by technology company Shadow Inc, rather than being phoned in. But according to the Democrat party, a coding error in the app meant that only some of the data was reported.
On Thursday, the party declared that Pete Buttigieg had narrowly defeated Bernie Sanders by a margin of 0.1%, days later than the scheduled reporting time and after the party had to revert to alternative reporting methods, with votes re-counted. DNC chair Tom Perez said that the app would not be used again.
The Iowa Federal Election Commission has said that the app was developed in two months, costing around $60,000. According to 3 Sided Cube, apps usually take between three and nine months to develop.
Kasra Rahjerdi told Motherboard that the app, which was built on an open-source mobile application framework, was a “very very off the shelf skeleton project plus add your own code kind of thing.”
Security is key
“The software was reportedly developed in two months, a notoriously short time for developing a critical communication app with strict cybersecurity requirements,” says Bill Curtis, chief scientist at CAST. “This left insufficient time to test the code functionality, let alone thoroughly evaluate its structural integrity before it was hit with live field conditions and loads.”
The app has drawn criticism for a lack of testing, with the app released only weeks before the caucus, and has highlighted the problems that insufficient technological tools can create for elections.
“Software development of any kind that impacts elections or the general public, including mobile applications, should go through a process that includes having security industry vetted requirements as part of an open design creation process”, says Tom Van de Wiele, principal security consultant at Finnish cybersecurity firm F-Secure. “Transparency must exist on how data is transmitted, processed and stored and how security industry best practices are to be implemented and verified to ensure that all relevant threat scenarios are considered.
“Mobile applications or any software that plays a role in a process as important as relaying voting results must go through rigorous testing and verification processes. In the same way that paper and non-tech processes can be manipulated and require transparency and verification.”
Although there is no evidence so far that the app was intercepted by attackers, or that the results were tampered with, cybersecurity professionals have said that vulnerabilities within the software could have put it at risk of hacking.
According to Motherboard, some researchers at Stanford University had found some “potentially concerning” code within the app, and it was also possible to run the app on old versions of Android, making it more susceptible to hacking.
Due to the rapid timeframe in which the app was rolled out, the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, which vets election technology before it goes live, was reportedly not informed about the app before it was deployed, so did not have an opportunity to test it.
The issue of election cybersecurity will likely be one that continues to gain attention, and even if it has not led to a hack on this occasion, lessons can be learnt for the future deployment of similar technology. In 2017, attendees at hacking conference Def Con demonstrated serious flaws in some of the hardware used in US elections, with one researcher able to gain access to a WinVote voting machine.
“The report stating the vulnerability would allow someone to ‘intercept and change’ results speaks to weaknesses in the app, the APIs and likely both”, says Rusty Carter, VP product management at Arxan. “Even if these were caught and mitigated by static analysis tools or basic security audits, preventing interception and tampering in the app or while the data is in transit, requires ensuring the security posture of the application, and the integrity and authenticity of the application as it communicates with the server (and vice versa).”
In a tweet, Shadow Inc. said that it would “apply the lessons learned in the future, and have already corrected the underlying technology issue”.
Jake Moore, cybersecurity specialist at ESET, said:
“Apps dealing with sensitive information require stringent security testing. The potential cybersecurity risks surrounding the political landscape pose a huge threat and extra protection is paramount. Although a level of sophistication is required for this potential vulnerability, anything is possible and nothing should be overlooked. Lacking safeguards puts unwanted scrutiny on the security industry where we all need to work together to raise the standard.”