Introduction
"When you make a mistake, there are only three things you should ever do about it: admit it, learn from it, and don't repeat it."
- Paul “Bear” Bryant, legendary college football coach.
In February, during the 2020 Iowa Democratic caucuses, the use of a mobile application called the ‘IowaReporterApp’, which had been created to facilitate and speed up vote counting, resulted in a multi-day delay in the final vote count and affected the trustworthiness of the results. The application was created and operated by a company named Shadow Inc. Their CEO, Gerard Niemira, later issued an apology:
"We sincerely regret the delay in the reporting of the results of last night's Iowa caucuses and the uncertainty it has caused to the candidates, their campaigns, and Democratic caucus-goers.”
“As the Iowa Democratic Party has confirmed, the underlying data and collection process via Shadow's mobile caucus app was sound and accurate, but our process to transmit that caucus results data generated via the app to the IDP was not. Importantly, this issue did not affect the underlying caucus results data.”
“We worked as quickly as possible overnight to resolve this issue, and the IDP has worked diligently to verify results. Shadow is an independent, for-profit technology company that contracted with the Iowa Democratic Party to build a caucus reporting mobile app, which was optional for local officials to use.”
“The goal of the app was to ensure accuracy in a complex reporting process. We will apply the lessons learned in the future, and have already corrected the underlying technology issue. We take these issues very seriously, and are committed to improving and evolving to support the Democratic Party's goal of modernizing its election processes."
So, what actually happened, and what can we learn from this? Syberry specialists were able to get their hands on the application itself to draw their own conclusions.
The application
The IowaReporterApp is a mobile application built with the React Native framework so that it can run on both iOS and Android. Anyone interested can check the meta information and signatures for the app in the VirusTotal database.
When launched, a login screen is presented:
Caption: Login screen of the 2020 Iowa caucus application.
For practical purposes, therefore, our further analysis was limited to static code review. While the application likely contains potentially exploitable vulnerabilities allowing some form of man-in-the-middle (MITM) attack, and many were quick to blame the developer for that, it is important to note that, based on our review, it is unlikely that a third party was able to affect actual votes.
Our specialists were unable to locate any hard-coded credentials in the source code that might have allowed elevated access to the voting data, and encrypted (HTTPS) communications were used to submit the data. It was potentially possible for someone to disrupt the vote counting process by submitting duplicate data, resulting in a form of denial-of-service (DoS) attack, but it would be unlikely for a malicious actor to actually change submitted votes without revealing the attack itself and triggering a recount (note: this statement assumes reasonable quality control checks were implemented before declaring the final results).
What is more important in our opinion is this portion of the Shadow Inc. CEO's statement: “…the underlying data and collection process via Shadow's mobile caucus app was sound and accurate, but our process to transmit that caucus results data generated via the app to the IDP was not.” This implies that the back-end infrastructure required for the mobile application to work was also created and operated by Shadow Inc., and that employees of the company were actually in a position to amend or correct voting counts, if they decided to do so.
The company
Shadow Inc.'s LinkedIn profile provides a high-level idea of the company behind the application. In 2020, the company was listed as having 8 employees, with the following titles:
- Director of Product (New York City)
- Chief Technical Officer (Seattle)
- Chief Executive Officer (Denver)
- Chief Operations Officer (New York City)
- Junior Frontend Developer (Denver)
- Junior Frontend Developer (New York City)
- Client Success (Iowa City)
- Director of Organizing and Client Success (Iowa City)
There are only two junior engineering positions, not a single senior engineering role (except for the CTO), and no quality assurance roles. Analysis of the digital footprints indicates that the source code of the application was stored on computers with the following user names:
- jameshickey - COO of the company
- satya - No LinkedIn profile found for an employee with this name
The user ‘satya’ quite likely contributed the majority of the code for the application. If this person is an employee, they decided not to publish their workplace on LinkedIn. An alternative explanation could be that Shadow Inc. outsourced the development to another company or contractor.
Management of the company appears to be linked to Hillary Clinton's 2016 campaign, as well.
The party
As reported by CNN, the Democratic Party's official position in regards to the application is, “We did not build the application, nor did we provide 'oversight' of its development, that's the vendor's responsibility. We only provided security assistance."
It appears the Democratic Party relied on Shadow Inc.'s expertise to build a secure application without any oversight. As the software industry has learned the hard way, security may not be achieved just through a third-party audit (and there is no indication that any security audit was even performed before using the application in Iowa).
You have to select a vendor who knows how to build secure software, especially if you can be attacked by the most sophisticated, state-sponsored hacker teams on Earth. Just requiring an application to be secure in a contract will not make it happen automatically. Moreover, given the importance of the voting data, it is a standard security practice to separate the people creating the software (Shadow Inc. in this case) from people operating and accessing actual voting data (by either having your own team in-house or using another company to operate the software). Just assuming that this is “the vendor's responsibility” implies a lack of understanding of how secure software can be built and operated.
This evidence leads to a probable root cause of the whole situation: lack of software and security expertise sufficient to use modern technologies in the first place. In other words, the lack of a qualified CTO who can drive and securely implement technology initiatives in the twenty-first century.
Learning from mistakes
We would recommend that the Democratic Party implement the following plan:
- Publish source code of the IowaReporterApp
While binaries of the application are available to the public, the Party should publish its source code for independent audit by anyone. This will help restore the trust and allow the public to validate the Shadow Inc. CEO's statement that “the underlying data and collection process via Shadow's mobile caucus app was sound and accurate.”
- Explain the process of selecting Shadow Inc. as the software vendor
There is likely no ‘good’ answer why the company was selected, but if there is, there is no reason to hide it. Regardless, admitting the mistake of not selecting the vendor properly (if that was the case) or presenting the evidence why it was the right choice will re-establish trust in the Party's use of the software.
- Publish results of a security audit performed by a Party-appointed third party
If any security audit was performed, the Party should present the results as evidence that they “take the security very seriously.”
- In future, do not use the same company to build and operate your applications
It is a well-known security practice to separate the teams responsible for building and operating your technologies. In fact, we recommend building a voting infrastructure where collected data can be submitted to more than one auditing entity for processing. This will reduce the probability of meddling by the team operating the production infrastructure itself.
- Use open source software for all voting needs
People familiar with software security are aware that ‘security by obscurity’ is a bad practice and will not stop a qualified third party from hacking the software. In fact, the opposite is true: while malicious actors will still be able to hack non-open source software, the ability to detect and report errors in such software will be limited. However, by the Party's own admission, the concept is misunderstood, and the Party wrongly believes that keeping technology used in the voting process a secret has security benefits, as referenced in the above-linked Wikipedia article:
In January 2020, NPR reported that party officials in Iowa declined to share information regarding the security of its caucus app, to “make sure we are not relaying information that could be used against us.” Cybersecurity experts replied that, “to withhold the technical details of its app doesn't do much to protect the system.”
Now, even using a qualified third party like Microsoft (suggested by some) is not good enough, as it limits the public's ability to audit, detect, and potentially correct errors in the software. Instead, the Party should start using open source software, which will allow a wider community of software engineers to contribute to the security of the voting process. Both Parties should ideally use the same open source software, as they will benefit from the collective expertise of the open source community as far as security is concerned.
- Hire a competent chief technology officer
If the Party already had a CTO, it would appear that they showed poor judgment in this instance. The Party officials have demonstrated that they lack a very basic understanding of what makes modern software secure, and therefore the very first task for the CTO would be to establish a proper IT security education program, as well as establish basic operating rules. Hiring a qualified person (at least one) will also show the public that the Party takes security seriously.
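To make the recommendation about submitting collected data to more than one auditing entity concrete, and to show how duplicate submissions can be counted once instead of disrupting the tally, here is an added Python example. It is not code from the IowaReporterApp or from Shadow Inc.; the `Auditor` class, the `record_digest` and `reconcile` functions, and the record layout are hypothetical names chosen for illustration.

```python
import hashlib
import json

def record_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so every party hashes identical bytes."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Auditor:
    """One independent auditing entity; keeps the first digest seen per precinct."""
    def __init__(self, name: str):
        self.name = name
        self.digests = {}    # precinct id -> digest of the accepted record
        self.conflicts = []  # precincts resubmitted with different content

    def submit(self, record: dict) -> str:
        precinct, digest = record["precinct"], record_digest(record)
        known = self.digests.get(precinct)
        if known is None:
            self.digests[precinct] = digest
            return "accepted"
        if known == digest:
            return "duplicate"   # identical resend: counted once, not twice
        self.conflicts.append(precinct)
        return "conflict"        # same precinct, different numbers: manual review


def reconcile(auditors: list) -> dict:
    """Return precincts whose digest differs, or is missing, between auditors."""
    mismatched = {}
    for p in sorted(set().union(*(a.digests for a in auditors))):
        seen = {a.name: a.digests.get(p) for a in auditors}
        if len(set(seen.values())) > 1:
            mismatched[p] = seen
    return mismatched


def demo():
    # Constructed sample data, not real caucus results.
    original = {"precinct": "P-001", "counts": {"A": 41, "B": 37}}
    altered = {"precinct": "P-001", "counts": {"A": 37, "B": 41}}
    other = {"precinct": "P-002", "counts": {"A": 12, "B": 30}}
    a1, a2 = Auditor("auditor-1"), Auditor("auditor-2")
    results = [a1.submit(original), a1.submit(original), a1.submit(altered)]
    a1.submit(other)
    a2.submit(other)
    a2.submit(altered)  # a record that was changed on the path to one auditor
    return results, a1.conflicts, reconcile([a1, a2])
```

Because each auditor stores its own digests, a record changed by whoever operates one path shows up as a mismatch at reconciliation rather than passing silently.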
Iowa Caucus 2016: a success story
After completing our analysis, we learned that both Parties successfully used a different technology in Iowa during the 2016 election. Microsoft published the success story, including insights from representatives of both Parties.
The technology was built and tested in advance, and the project took approximately a year to complete. It was possible to reuse the same technology, probably with very minor modifications. So why make the change? That will probably remain a mystery.