A cybersecurity firm contracted by ProPublica has reviewed the failed Iowa caucus app and concluded that a skilled hacker could have breached the app and altered vote totals.
An Iowa precinct chair gave the app to ProPublica, which in turn sent it to Massachusetts-based security firm Veracode for review. The results showed that the app lacked basic transmission protections, which allowed data to be intercepted or even changed.
Chris Wysopal, Veracode’s chief technology officer, said the review revealed “elementary” problems, and that it was a “poor decision” by Shadow Inc. to release the app in the first place.
“It is important for all mobile apps that deal with sensitive data to have adequate security testing, and have any vulnerabilities fixed before being released for use,” he said.
Shadow’s CEO Gerard Niemira admitted that the review found a “vulnerability” which the firm had not previously been aware of. “As with all software, sometimes vulnerabilities are discovered after they are released,” he said. But Niemira defended the app’s integrity, telling ProPublica that no “hack or intrusion” occurred during the caucuses, and that “the vote in Iowa was not compromised in any way.”
“We are committed to the security of our products, including the app used during the Iowa caucuses,” he said. “While there were reporting delays, what was most important is that the data was accurate and the caucus reporting process remained secure throughout.”
Last year, Niemira criticized the Democrats’ 2016 election technology as a “sh*tshow” and a “tangled morass.”
Caucus chairs explained in the aftermath of the reporting debacle — which delayed the tallying of results to such an extent that vote totals had not been released as of Thursday morning — that they had known “the app was a problem” days before the caucus began. Despite complaints, state officials did not train county officials on how to use the app in the run-up to the caucus, and local party members experienced difficulties downloading the app, obtaining a PIN to log in, and even opening the app after obtaining a PIN.
The Nevada State Democratic Party said on Tuesday that it would not use Shadow’s app to report results for the state caucus on February 22.