The Iowa Caucuses App Could Have Been Hacked

A security firm consulted by ProPublica found that the “IowaReporter” app used to count and report votes from individual precincts in the Iowa Democratic caucuses was vulnerable to hacking. From the report:

The IowaReporterApp was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed, according to officials at Massachusetts-based Veracode, a security firm that reviewed the software at ProPublica’s request. Because of a lack of safeguards, transmissions to and from the phone were left largely unprotected. Chris Wysopal, Veracode’s chief technology officer, said the problems were elementary. He called it a “poor decision” to release the software without first fixing them. “It is important for all mobile apps that deal with sensitive data to have adequate security testing, and have any vulnerabilities fixed before being released for use,” he said.

There’s no evidence that hackers intercepted or tampered with caucus results. An attack would have required some degree of sophistication, but it would have been much easier to pull off had a precinct worker used an open Wi-Fi hotspot to report votes instead of a cell data plan. The U.S. Department of Homeland Security offered to test the app for the Iowa Democratic Party, but the party never took the government up on it, according to a U.S. official familiar with the matter who was not authorized to speak publicly. The official said the party did participate in a dry run, known as a tabletop exercise. The party did not respond to requests for comment on this issue.

Gerard Niemira, Shadow’s CEO, said in a statement to ProPublica that “we are committed to the security of our products, including the app used during the Iowa caucuses. While there were reporting delays, what was most important is that the data was accurate and the caucus reporting process remained secure throughout.”

“Our app underwent multiple, rigorous tests by a third party, but we learned today that a researcher found a vulnerability in our app. As with all software, sometimes vulnerabilities are discovered after they are released.” He added that no “hack or intrusion” occurred during the caucuses, and that “the integrity of the vote in Iowa was not compromised in any way.” The app is not currently in use, he said.

NBC News is also reporting that the phone number used to report Iowa caucus results was posted on 4chan on Monday night “along with encouragement to ‘clog the lines,’ an indication that jammed phone lines that left some caucus managers on hold for hours may have in part been due to prank calls.”