The Iowa Caucus from an Information Security Perspective

 

At a little-noted speech during the 2012 Hack in the Box conference, famous German hacker Felix “FX” Lindner presented his findings after reverse-engineering several Huawei devices to find out if they contained backdoors. He concluded his speech by stating that he was not sure and that it didn’t really matter since the devices contained so many regular bugs and security flaws that it was almost impossible to tell if one had been placed there on purpose.

Our team felt strongly reminded of this speech and sentiment while watching the debacle surrounding the DNC Iowa Caucus App unfold. In this briefing, we will take at the app, what the issues tell us and why speculations may not end up mattering.



 

Disclaimer

This briefing is a general assessment. It is not - and should not be interpreted as - legal or political guidance. Neither do we make the claim that any of the options we are about to discuss is accurate. All of this should go without saying, but tensions are high and some of our readers may benefit from being reminded.



 

What happened?

The New York Times provides a good general overview of the occurrences that led to the meltdown. The TL;DR summary is as follows:

  • The DNC decided to commission an App to tally votes across districts. This was supposed to make the caucuses more efficient and modern.

  • The app was developed in 2 months by an external vendor called “Shadow” with ties to Democratic candidates Biden and Buttigieg.

  • The app was hard to install and did not function as expected to the point where vote counts were incorrectly tallied.

  • The DNC initiated a manual recount of paper ballots since the digital results were no longer trustworthy.

  • Caucus results were delayed by several days and accusations from mismanagement to conspiracy to cyber-attacks were made.



 

Is two months enough?

The first question we must answer is if the app had sufficient development time. The more time developers had, the less likely accidental mistakes become since such mistakes are usually discovered during testing.

Defining enough time for development really depends on perspective. It is true that a dedicated developer could likely build the core functionality of the app and backend in a focussed afternoon of work. This is the perspective that most developers and students will take. Unfortunately, development time is not a good measure for project time. Especially since this project was developed for a political organization, it was most likely designed by committee and underwent countless changes of scope to appease the many parties involved. For such projects, two months is very little time. By and large, we would not be surprised to find glaring bugs in an app under these circumstances.



 

Why was the app kept secret?

The specifics of the app, and even its development in general, were hidden from the public. The stated reasoning behind this strategy was that hackers could not attack what they do not know about. The drawback is that the app did not undergo public testing due to all this secrecy.

Keeping development projects secret before launch is not uncommon. But believing that an election app could be kept secret from a state actor intent on influencing the election is naive at best. Public development would have allowed the bugs to come to light earlier, which in turn would have allowed officials to stop relying on the app altogether.

The secret development by itself does not imply a conspiracy but a more open development could certainly have helped to disprove such claims.



 

How normal are bugs this bad?

Apart from the usability issues, all bugs should have been caught in testing. Especially bugs relating to tallying and transmitting votes would normally be covered by unit tests. Simple mathematical equations are very easy to test and since they form the core of the project, any reasonable developer would make certain they work.

This does not necessarily mean that the bugs were introduced maliciously or on purpose. Frequent changes to the app’s specifications could lead to similar outcomes. That said, tallying bugs in an election app is inexcusable and the subsequent accusations of malice or incompetence against the developer are hard to counter.



 

Was the caucus hacked?

We see no indication that it was. But then again, it is likely we could not see the indication even if it was. Looking at the current numbers, an attacker would have had to merely swing the vote by a few tenths of a percentage point to change the outcome of the caucus. Any single bug may just have been placed there by an attacker or malicious developer. Or it may not. To paraphrase FX’s 2012 speech: Does it matter at this point?

The app was broken, results were muddled, public trust in the DNC’s technological prowess is shattered, infighting has broken out among the candidates, the electorate is unsettled, results were delayed by days and several candidates are openly accused of conspiracy.

If a state actor had wanted to harm the electoral process, they could have hardly done any better. So between the bugs, bad development practices, and potential attacks - if the outcome is among the worst possible, then whether one of the factors that led to it was a hack is of limited - and mostly philosophical - importance.