Iowa Caucus App Has Security Flaws, Hackers Could Change Passwords, Vote Tallies: Report

The app used by Democrats to count and report vote totals in the Iowa caucus was vulnerable to hacks that could have changed passwords and altered vote totals, according to a Wednesday report from nonprofit news organization ProPublica.

There is no evidence to suggest the app was hacked during Monday's caucus, but the chaos resulting from a breakdown in reporting results was blamed on "coding issues" and "inconsistencies" in the app. The software was reportedly developed on a rushed timeline of two months with a limited budget. However, the app could have caused far bigger problems than delays in reporting caucus results, according to the report.

"This is an extremely serious vulnerability," computer security expert J. Alex Halderman told ProPublica. "An adversary could exploit it to intercept and change caucus results as they were being submitted through the app."

The software, called the IowaReporterApp, could have been hacked because it did not properly safeguard against intercepted transmissions to and from the smartphones it was designed to be used on, security firm Veracode told ProPublica. The vulnerability would have been even easier to exploit had the app been used on phones connected to an open Wi-Fi hotspot.

An Iowa Democratic party official holds a smartphone displaying the faulty "IowaReporterApp" on February 4, 2020. Alex Wong/Getty

The app was developed by a company called Shadow, Inc., which was founded about one year ago by veterans of Hillary Clinton's 2016 presidential campaign. Multiple conspiracy theories unsupported by evidence have spread through social media concerning the company, the app and Iowa caucus results.

"We will apply the lessons learned in the future, and have already corrected the underlying technology issue," the company tweeted Tuesday. "We take these issues very seriously, and are committed to improving and evolving to support the Democratic Party's goal of modernizing its election processes."

Although apparent vulnerabilities in the software have been exposed, Shadow, Inc. CEO Gerard Niemira insisted that there was "no hack or intrusion" during the caucuses and that, despite the delay, the Iowa results were "accurate" and "remained secure" throughout the reporting process, according to the report.

"Our app underwent multiple, rigorous tests by a third party, but we learned today that a researcher found a vulnerability in our app," Niemira told ProPublica. "As with all software, sometimes vulnerabilities are discovered after they are released."

FEC filings show several state Democratic parties contracted with the company, including in Nevada, Texas and Wisconsin. Nevada Democrats have since said they will not be using an app made by the company in their upcoming caucuses on February 22.

Several Democratic presidential campaigns also did business with the company, including those of former Vice President Joe Biden, Pete Buttigieg and Sen. Kirsten Gillibrand. The Buttigieg campaign paid $42,500 for "software rights and subscriptions" in July 2019, according to the filings.

The Buttigieg campaign's dealings with the company helped fuel conspiracy theories after the former South Bend, Indiana mayor surprisingly came out on top in partial Iowa caucus returns. A spokesman for the campaign told Newsweek that they used the vendor for help with text messaging services to contact voters, and that their business had nothing to do with apps the company developed.