University of Michigan students implicated in potential voting app hack

Tuesday, October 8, 2019 - 4:29pm

.

Alec Cohen/Daily

Following an attempt to hack the voting app Voatz during the 2018 midterm elections,  the FBI revealed last week they have launched an investigation into the incident, which allegedly involved University of Michigan computer science students.

According to an article from CNN, anonymous sources revealed the FBI is investigating an individual or several individuals who tried to hack the app as a part of their University of Michigan election security course.

According to the EECS 498 course description, the class teaches students how to hack an election in order to better defend against cyber break-ins.

“To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security,” the course description reads. 

Fifty-five percent of the students’ grades are determined by a large-scale group project related to a technical or tech policy topic on election cybersecurity. However, the description goes on to explain, the class will not allow students to directly break any laws.

“Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time,” the description explains. “Our class policy is that you must respect legal and ethical boundaries of vulnerability testing at all times, or else you will fail the course.”

Voatz, a Boston-based mobile elections company, uses blockchain and current smartphone technology to make it possible for voters to participate in various elections through their phones. The company was founded in 2015 and has since processed nearly 80,000 votes in 30 separate elections.

During the 2018 election cycle, it was revealed that Voatz experienced an unsuccessful security breach targeted at votes in West Virginia. Since 2018, West Virginia has permitted members of the military and those living overseas to vote through Voatz. At a press conference on Oct. 1, CNN reported Mike Stuart, the U.S. Attorney for the Southern District of West Virginia, was told the IP addresses matched those at the University.

“During the 2018 election cycle, Secretary of State Warner referred to my office what he perceived to be an attempted intrusion by an outside party into the West Virginia military mobile voting system," Stuart said at the press conference. “No legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated."

Nimit Sawhney, Voatz CEO and co-founder, wrote in a statement to The Daily there was no detectable security breach, but the FBI’s intervention is necessary to avoid any potential hacks in the future. 

“The Voatz system worked as designed and intended,” Sawhney wrote. “The attempt was detected, thwarted at the gate and reported to the authorities. We fully support the West Virginia Secretary of State’s office and the law enforcement agencies in their investigations under the purview of the law. Given that elections infrastructure is classified as critical infrastructure under the Department of Homeland Security, we will continue to report any such attempts in the future.”

University spokesman Rick Fitzgerald declined to comment further on the issue, noting the details have not been uncovered yet. 

“It’s not clear what someone may actually have attempted,” Fitzgerald wrote in an email to The Daily. 

This is a developing story. Please check back at michigandaily.com for more information.