The country’s leading cybersecurity agency said in an advisory sent to state election officials that electronic voting machines from a leading vendor in use in at least 16 states have software vulnerabilities that leave them susceptible to hacking if not addressed.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has said there is no evidence that flaws in Dominion Voting Systems equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to the false allegations of a stolen election pushed by former President Donald Trump after he lost the 2020 election.
The warning, obtained by The Associated Press in advance of its expected release on Friday, details nine vulnerabilities and suggests precautionary measures to prevent or reveal their exploitation. Amid a swirl of disinformation and misinformation about elections, CISA appears to be trying to walk a line between not alarming the public and emphasizing the need for election officials to take action.
“Standard election security procedures in countries will detect the exploitation of these vulnerabilities and in many cases prevent attempts altogether,” CISA Executive Director Brandon Wales said in a statement. However, the warning appears to indicate that states are not doing enough. It urges immediate mitigation measures, including “ongoing and enhanced defensive measures to reduce the risk of these vulnerabilities being exploited.” These measures should be implemented before every election, the advisory says, and that is clearly not happening in all states that use the machines.
University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that the use of digital technology to record votes is dangerous because computers are inherently vulnerable to hacking, and thus require multiple safeguards that are not uniformly followed. He and many other election security experts have insisted that the use of paper ballots is the safest way to vote and the only option that allows for meaningful post-election audits.
“These vulnerabilities, for the most part, are not points that can easily be exploited by someone walking down the street, but are things we should worry about that could be exploited by sophisticated attackers, such as hostile nation-states, or by elections,” Halderman told The Associated Press.
Concerns about potential election interference by insiders were recently underscored by the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official. Data from county voting machines surfaced on election conspiracy websites last summer shortly after Peters appeared at an election seminar organized by Mike Lindell, CEO of MyPillow. She was also recently barred from supervising this year’s elections in her county.
One of the most serious vulnerabilities, Halderman said, could allow malicious code to spread from the election management system (EMS) to machines throughout the jurisdiction. The vulnerability could be exploited by someone with physical access, or by someone able to remotely infect other Internet-connected systems if election workers then use USB sticks to bring data from an infected system into the EMS.
Several other particularly worrisome vulnerabilities, Halderman said, could allow an attacker to forge cards used in hardware by technicians, giving the attacker access to a hardware device that would allow software to be altered.
“Attackers can then correct ballot papers inconsistent with voter intent, alter registered votes or even identify secret voter ballots,” Halderman said.
Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted outdated voting machines used by Georgia at the time. The state bought the Dominion system in 2019, but the plaintiffs maintain that the new system is also unsafe. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.
US District Judge Amy Totenberg, who is overseeing the case, expressed concern about releasing the report, citing the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions using the machines to test and implement any protections.
Halderman agrees that there is no evidence the vulnerabilities were exploited in the 2020 election, but said that was not his job. He was looking for ways in which the ImageCast X voting system of Dominion’s Democracy Suite could be hacked. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or to record votes electronically.
In a statement, Dominion defended the machines, calling them “accurate and safe.”
Dominion’s systems have been needlessly maligned by people who have pushed the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous allegations by prominent Trump allies have prompted the company to file defamation lawsuits. State and federal officials have said repeatedly that there is no evidence of widespread fraud in the 2020 election — and no evidence that Dominion’s equipment has been tampered with to alter the results.
It is an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported by CISA affect Dominion machines, Halderman said.
“There are systemic issues in the way election equipment is developed, tested and approved, and I think it is more likely than there will be no serious equipment issues from other vendors if they are subjected to the same type of testing,” Halderman said.
In Georgia, machines print a paper ballot card that includes a barcode – known as a QR code – and a human-readable summary list that reflects a voter’s choices, and votes are counted by a scanner that reads the barcode.
“When barcodes are used to tabulate votes, they may be vulnerable to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the ballot paper,” the advisory says. To reduce this risk, the advisory recommends that machines should be configured, where possible, to produce “traditional full-face ballots, rather than summary QR codes”.
The affected machines are being used by at least some voters in at least 16 states, and in most of those places they are only used for people who can’t manually fill out a ballot paper, according to a voting equipment tracker maintained by the watchdog Verified Voting. But in some places, including all over Georgia, nearly all in-person voting is done on the affected devices.
Georgia’s deputy secretary of state, Gabriel Sterling, said the CISA advisory and a separate report commissioned by Dominion acknowledge that “current procedural safeguards make it highly unlikely” that a bad actor will exploit vulnerabilities identified by Halderman. He described Halderman’s allegations as “exaggerated”.
Dominion told CISA that the vulnerabilities have been addressed in subsequent software releases, and the advisory says election administrators should contact the company to determine which updates are needed. Halderman tested devices used in Georgia, and said it was not clear if devices running other versions of the software shared the same vulnerabilities.
As far as he knows, Halderman said, “no one but Dominion has had the opportunity to test his proven reforms.”
To prevent or detect exploitation of these vulnerabilities, the advisory’s recommendations include ensuring that voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on machines as well as post-election audits; and encouraging voters to check the legibility of the printed ballot papers.