Buggy Iowa Caucus App Is Buggy, Security Experts Say

Volunteers for Democratic presidential candidate Sen. Elizabeth Warren (D-MA) lead the audience in cheers during a campaign event at Nashua Community College February 05, 2020 in Nashua, New Hampshire.
Photo: Chip Somodevilla (Getty)

The phone app at the center of the clown-shoe exercise in democracy known as the Iowa Caucuses was not only riddled with technical issues and potentially susceptible to being hacked, it appears to have been designed by a greenhorn programmer still learning to code. That’s according to the analyses of several security experts who’ve now had time to rip the app apart and examine its guts.

The unimaginatively named IowaReporterApp, designed by a company called Shadow, failed so spectacularly, in fact, that nearly 48 hours after the caucuses began, the results—typically announced the night of—are still being tabulated.

The decision of the Iowa Democrats to force unproven technology onto party officials charged with reporting the results transformed the time-honored first-in-the-nation caucuses into an “inadvertent software beta-testing laboratory,” as one Washington Post reporter put it. But the humiliation of the Iowans and their fellow Democrats nationwide pales in comparison to the potential calamity that could’ve awaited them on Monday, according to several security experts.

ProPublica reported on Wednesday that the app contains an inherent “vulnerability to hacking,” citing analysis by Chris Wysopal, chief technology officer at Veracode, a Massachusetts-based cybersecurity firm. Wysopal told reporters that the app was so insecure that, in ProPublica’s words, “vote totals, passwords and other sensitive information could have been intercepted or even changed.”

J. Alex Halderman, a University of Michigan computer science professor and chief scientist at the security firm Censys, additionally told ProPublica:

“This is an extremely serious vulnerability. An adversary could exploit it to intercept and change caucus results as they were being submitted through the app. Such a change would probably be caught eventually, if officials carefully compared paper return sheets from each location to the computerized results, but it still would have cast doubt on the whole process in people’s minds.”

“It’s total amateur hour,” Halderman added.

Motherboard, which likewise obtained a copy of the app, submitted it for testing to six security researchers who appeared to marvel at its lack of complexity, which they took as a sign it was coded by neophytes. Kasra Rahjerdi, a noted expert in mobile application design, told the site IowaReporterApp looked as if it had been coded by “someone following a tutorial,” adding it was not dissimilar to projects they’d done with “mentees who are learning to code.”

According to Motherboard, a team of researchers at Stanford University also found “potentially concerning code” inside the app, including hard-coded API keys, which suggests that altering data submitted through the app might be possible.

Shadow, of course, remains steadfast in defending its product, despite the obviousness of its blunder. CEO Gerard Niemira told Motherboard its simplicity was intentional and that an independent audit of the app was carried out by a security firm that he refused to identify.

“While there were reporting delays, what was most important is that the data was accurate and the caucus reporting process remained secure throughout,” Niemira told ProPublica, adding: “As with all software, sometimes vulnerabilities are discovered after they are released.”

Motherboard said that “two other experts leaned closer to Niemira’s position,” concluding that the hard-coded API keys were not, on their own, proof that the app was vulnerable to hackers.

However, Dan Guido, CEO of cybersecurity consulting firm Trail of Bits, told Motherboard that the app would apparently run on phones with a version of Android six years old, meaning that election officials’ phones, less hardened against attacks than current devices, could have been used to tabulate caucus results.
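The two findings above (hard-coded API keys in the app's resources, and a minimum supported Android version old enough to include unpatched devices) are the kind of thing a reviewer checks statically before an app is deployed. The following Python script is an added illustration, not the article's or Shadow's code: it reads the decoded AndroidManifest.xml and res/values/strings.xml that a tool like apktool produces, reports the minimum API level the app accepts, whether cleartext HTTP is explicitly enabled, and any string resources that look like embedded credentials. Both input files here are constructed samples; the package name, resource names, key values and the threshold API level are hypothetical and not taken from IowaReporterApp.

```python
"""Static pre-deployment checks over a decoded Android app.

Added illustration: the manifest and strings.xml below are constructed
samples, not files from the real app discussed in the article.
"""
import re
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

# Android resource attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package name and versions).
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reporter">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="28"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed sample strings.xml; the key and seed values are made up.
STRINGS_XML = """<resources>
  <string name="app_name">Reporter</string>
  <string name="api_key">EXAMPLE-PLACEHOLDER-KEY-not-a-real-credential</string>
  <string name="backend_url">https://example.invalid/api</string>
  <string name="session_seed">x7Qf9ZkL2mN8pR4sT6vW0yB3cD5eG1hJ</string>
</resources>"""

# Resource names that commonly hold credentials.
SECRET_NAME_RE = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.I)
# Long opaque alphanumeric values look like keys or tokens whatever their name.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")


def min_sdk_version(manifest_xml: str) -> Optional[int]:
    """Return android:minSdkVersion from <uses-sdk>, or None if absent."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return None
    value = uses_sdk.get(ANDROID_NS + "minSdkVersion")
    return int(value) if value is not None else None


def cleartext_allowed(manifest_xml: str) -> bool:
    """True only when the app explicitly opts in to unencrypted HTTP.

    The platform default depends on targetSdkVersion; this check only
    reports an explicit android:usesCleartextTraffic="true".
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true"


def find_hardcoded_secrets(strings_xml: str) -> List[Tuple[str, str]]:
    """List (resource name, reason) for strings that look like embedded secrets."""
    root = ET.fromstring(strings_xml)
    hits = []
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if SECRET_NAME_RE.search(name):
            hits.append((name, "credential-like resource name"))
        elif OPAQUE_VALUE_RE.match(value):
            hits.append((name, "opaque token-like value"))
    return hits


def audit(manifest_xml: str, strings_xml: str,
          oldest_acceptable_api: int = 23) -> List[str]:
    """Combine the checks into human-readable findings.

    oldest_acceptable_api is an assumed policy threshold; a real review
    would set it from the OS versions the organisation still trusts.
    """
    findings = []
    min_sdk = min_sdk_version(manifest_xml)
    if min_sdk is None:
        findings.append("minSdkVersion missing; supported OS range is unbounded")
    elif min_sdk < oldest_acceptable_api:
        findings.append(f"minSdkVersion {min_sdk} permits installs on Android "
                        f"API levels below {oldest_acceptable_api}")
    if cleartext_allowed(manifest_xml):
        findings.append("usesCleartextTraffic=true allows unencrypted HTTP")
    for name, reason in find_hardcoded_secrets(strings_xml):
        findings.append(f"string resource '{name}': {reason}")
    return findings


if __name__ == "__main__":
    for line in audit(MANIFEST_XML, STRINGS_XML):
        print("FINDING:", line)
```

The name-based and value-based checks are deliberately separate: a key stored under an innocuous name is still caught by its shape, while a credential-named resource is flagged even when its value is short. Either hit means the secret ships inside the APK, where anyone who downloads the app can read it, which is why such keys belong on a server the client authenticates to rather than in the client itself.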

The Department of Homeland Security offered to test the app ahead of its deployment, the agency’s acting chief, Chad Wolf, told reporters on Tuesday. The Iowa Democrats, for whatever reason, declined the assistance.

“We determined with certainty that the underlying data collected via the app was sound,” Troy Price, chair of the Iowa Democratic Party, said in a statement. “While the app was recording data accurately, it was reporting out only partial data. We have determined that this was due to a coding issue in the reporting system. This issue was identified and fixed.”