If you’ve seen HBO’s Silicon Valley, then you’re familiar with the epic fails endured by the Pied Piper team. In the third season, the team created an app that boasted file system synchronization across all devices and instant file access (with the help of their middle-out compression algorithm). Rather than using a suitable target population, the team employed their tech-savvy friends for beta testing. When the app was released to the public, consumers were “freaked out” and didn’t understand how the app worked, so people stopped using the app because they thought it was broken – the platform release crashed and burned.
When news articles came out discussing the Iowa Caucus mobile app snafu, this is exactly what came to mind; however, when I started skimming through posts on Twitter and Facebook, I realized that people were nervous about Russian influence or big Democratic National Committee conspiracies.
I can understand the sensationalism associated with a new and unknown voting technology, especially if it hiccups or fails. Based on the information available, the app lacked essential configuration and security controls; however, intrusions or criminal activity are not to blame.
Shadow Inc. created the app.
Shadow Inc. is the company responsible for the development and management of IowaReporterApp, the app used to track results in the Iowa caucus. The company appears to be quite new and is headquartered at a WeWork coworking space in Washington DC. The company’s website states that the Shadow team are campaign and technology veterans who have built and implemented technology for political operations and big tech companies.
The Shadow GitHub page maintains only two repositories, neither of which appears to contain sensitive details. A repository associated with a possible Shadow Inc. employee was created in March 2019 and titled “shadow_frontend_assignment”, which gives context to the type of development work carried out by the Shadow team: JavaScript, HTML, CSS, Node.js, ECMAScript 2015+ code, the Babel transcompiler, and RESTful API interaction. Sourced from Shadow Inc. job descriptions, the organization also uses React/Redux (TypeScript), Google Cloud Platform, Python, Node.js (TypeScript), Postgres, Kubernetes, Firebase, and CircleCI.
Figure 1: Shadow Inc. GitHub
Based on our research, Shadow Inc. is allegedly owned by ACRONYM, an organization self-described as a “nonprofit organization committed to building power and digital infrastructure for the progressive movement”. ACRONYM further claims to be affiliated with PACRONYM, a political action committee associated with the “Four is Enough” campaign, which aims to digitally combat President Trump’s election campaign via advertising campaigns on Facebook, YouTube, and other platforms. Tara McGowan, the founder of ACRONYM, uploaded a Twitter post on 17 Jan 2019 that appeared to promote her excitement for the launch of the Shadow team, then created an additional post that encapsulated her eagerness about building the underlying tech infrastructure that will enable campaigns.
Figure 2: @taraemcg’s post displaying an image of the Shadow Inc. team
Groundbase was acquired to launch Shadow Inc.
Groundbase was recently acquired by Shadow Inc. and claims to be devoted to “making affordable and easy-to-use organizing tools for progressive organizations with teams and budgets of any size.” Groundbase features include the ability to search, contact, and manage volunteers; recruit volunteers and mobilize voters via a peer-to-peer messaging service; and integrate with various platforms. In a Tweet, Tara McGowan claimed that Groundbase is “the best CRM + SMS tool on the political market”. Records indicate that Groundbase had one investor, Higher Ground Labs, which claims to be reimagining political technology and saving the face of democracy.
The app provided accurate recording but faulty reporting.
According to an interview with Shadow’s CEO, Gerard Niemira, the app successfully assisted the precinct chairs in doing the math; however, an apparent bug in the app’s code caused the data to be transmitted improperly to the state party’s data warehouse, which “had a catastrophic impact”. It was determined that the data was being accurately recorded, but only part of the required details were reported to the database. Niemira indicated that there was no evidence of a compromise. Confusion barriers for volunteers and caucus chairs included needing a specific precinct ID, using two-factor authentication, and using a personal identification number. Further, caucus officials were instructed to download “TestFairy” (iOS) or “TestFlight” (Android), apps that let testers install software not yet published in the public app stores, which caused supplemental confusion and discomfort. Niemira added that these complications were foreseeable and measures were taken to test for them, but the app still failed.
Mandy McClure, the Iowa Democratic Party’s Communications Director, stated that the mobile app mishap was not the result of a hack or intrusion, but rather a reporting issue.
Figure 3: Press release from the Iowa Democratic Party
Mobile app and security researchers commented that the app appeared to be thrown together on top of a templated React Native app package. Further, it seemed that whoever developed the app was likely following a tutorial. Other researchers suggested that there were some concerning configuration mistakes within the code, including hardcoded API keys. Some experts claim that this is a clear flaw within the software, while others argue that API keys within code do not necessarily constitute a vulnerability; it’s an expected app development practice.
Greg Miller, cofounder of the Open Source Election Technology Institute, stated that, “We were really concerned about the opacity… It was hard to know what to expect except the worst… Our message is that apps like this should be developed in the sunlight.”
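As an added example that is not part of the original post or of Shadow Inc.’s code, the check below separates credential-looking string literals bundled into JavaScript/React Native source (the kind of hardcoded API key the researchers described) from values resolved at runtime from the environment; the sample source lines and the `REPORTING_API_KEY` name are constructed assumptions.

```javascript
// Added example (not Shadow Inc.'s code): flag credential-looking string
// literals bundled into JS/React Native source, ignoring values that are
// resolved at runtime from the environment or a config/secure store.
const SECRET_NAME = /(api[_-]?key|secret|token|password)/i;
// identifier = "literal" or identifier: 'literal'; captures name and value
const ASSIGN_RE = /([A-Za-z_$][\w$]*)\s*[:=]\s*(['"])([^'"]{12,})\2/;
const RUNTIME_SOURCE = /process\.env\.|Config\.|getItem\(|SecureStore/;

function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    if (RUNTIME_SOURCE.test(text)) return; // value comes from runtime config
    const m = text.match(ASSIGN_RE);
    if (!m || !SECRET_NAME.test(m[1])) return;
    // Report only a short prefix so the scanner output itself leaks nothing.
    findings.push({ line: idx + 1, name: m[1], preview: m[3].slice(0, 4) + "..." });
  });
  return findings;
}

// The shape that avoids the finding: resolve the key when the app starts
// and fail closed if it is missing. REPORTING_API_KEY is an assumed name.
function loadApiKey(env) {
  const key = env.REPORTING_API_KEY;
  if (!key) throw new Error("REPORTING_API_KEY is not configured");
  return key;
}

// Constructed sample source lines, not taken from any real app.
const SAMPLE = [
  'const API_KEY = "CONSTRUCTED-KEY-0123456789abcdef";',   // hardcoded: flagged
  "const apiKey = process.env.REPORTING_API_KEY;",          // runtime: ignored
  "const DB_PASSWORD = 'constructed-long-password-value';", // hardcoded: flagged
  'const precinctId = "01234";',                            // short, not a secret
  'headers: { Authorization: "Bearer " + token },',         // built at runtime
].join("\n");

console.log(scanSource(SAMPLE)); // two findings: API_KEY (line 1), DB_PASSWORD (line 3)
```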
Technology is the new commonplace.
Politics aside, technology is quickly moving into mission-critical events, including the United States presidential election. Given the criminal interference that affected the 2016 presidential election, it is understandable that Americans are more cautious and quick to point toward conspiracies or accusations of ill will. The issues faced by Iowa caucus chairs and volunteers while using the app do not appear to be related to a cyberattack or malicious acts; it is likely that the technology was simply unable to support its intended use. Developers and political organizations are collaborating to build more efficient and time-saving tools to add convenience and accuracy to campaigns. This trend is highly likely to persist; user training and secure software development should be paramount for successful implementation.
Third-party apps can be risky business.
Similarly, organizations are hiring third parties and vendors to develop their internal and client-facing mobile apps. Without knowing the attack surface of the app, organizations may be vulnerable to attacks at the device, network, and data center level. Vulnerabilities within mobile apps may enable attackers to carry out clickjacking, gain unintended or escalated privileges, execute zero-day exploits, perform cross-site scripting, or conduct OS command execution. If your organization’s app contained any of these flaws and attackers exploited them, customers may lose trust in your brand, sensitive data may be stolen, or attackers may gain a foothold in your network.
Threat actors are drawn to supply chains to gain sensitive data, which can be monetized on criminal forums, used for fraud, or offer a strategic advantage to those seeking intellectual property. As a common practice, effective third-party risk monitoring should be continual. Digital Shadows (now ReliaQuest) provides insight into your organization’s suppliers to mitigate digital risk with our instant data detection module in Search Light (now ReliaQuest GreyMatter Digital Risk Protection), which allows organizations to discover inadvertent data leakage including misconfigured servers, protectively marked documents, and file sharing services. Additionally, Digital Shadows (now ReliaQuest) can monitor for breached credentials to avoid further compromise and give you further updates on incidents or mentions that may affect your suppliers across the clear, deep, and dark web.
With all things considered, maybe Gilfoyle should have handled this one ¯\_(ツ)_/¯.