ATLANTA – Electronic voting machines from a leading vendor deployed in at least 16 states have software vulnerabilities that leave them open to hacking if left unaddressed, says the country’s top cybersecurity agency in an advisory sent to state election officials.
The US Cybersecurity and Infrastructure Agency (CISA) said there was no evidence that flaws in Dominion Voting Systems’ equipment were exploited to alter election results. The advisory is based on tests by a prominent computer scientist and expert witness in long-standing litigation that has nothing to do with false claims of a stolen election pushed by former President Donald Trump after his 2020 election defeat.
The advisory, obtained by The Associated Press ahead of its expected release on Friday, details nine vulnerabilities and suggests mitigations to prevent or uncover exploits. Amidst a flurry of misinformation and disinformation about elections, CISA appears to be trying to walk a fine line between not alarming the public and emphasizing the need for election officials to take action.
CISA Executive Director Brandon Wales said in a statement that “states’ standard voting security procedures would detect exploitation of these vulnerabilities and, in many cases, would prevent attempts entirely.” But the advisory seems to indicate that states are not doing enough. It urges immediate mitigation actions, including continued and increased “defensive actions to reduce the risk of exploitation of these vulnerabilities.” These measures must be applied before every election, the advisory says, and it’s clear this isn’t happening in all states that use the machines.
University of Michigan computer scientist J. Alex Halderman, who authored the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and therefore require multiple safeguards that are not consistently followed. He and many other election security experts have insisted that using hand-marked ballots is the most secure voting method and the only option that allows for meaningful post-election audits.
“For the most part, these vulnerabilities are not ones that could easily be exploited by someone coming off the street, but we should be concerned that they could be exploited by sophisticated attackers such as hostile nation-states or by election insiders, and they would have very serious consequences,” Halderman told the AP.
Concerns about possible interference from election insiders have recently been underscored by the prosecution of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official. Data from the county’s voting machines surfaced on election conspiracy websites last summer, shortly after Peters appeared at a symposium on the election organized by Mike Lindell, CEO of MyPillow. She was also recently blocked from overseeing this year’s election in her county.
One of the most serious vulnerabilities could allow malicious code to spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access, or by someone capable of remotely infecting other internet-connected systems if election officials then use USB sticks to bring data from an infected system into the election management system.
Several other vulnerabilities of particular concern could allow an attacker to forge the cards technicians use in the machines, giving the attacker access to a machine on which the software can be modified, Halderman said.
“Attackers could then mark ballots inconsistently with voter intent, alter recorded votes, or even identify voters’ secret ballots,” Halderman said.
Halderman is an expert witness for plaintiffs in a lawsuit originally filed in 2017 over outdated voting machines in use at the time. The state bought the Dominion system in 2019, but plaintiffs allege that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.
US District Judge Amy Totenberg, who is overseeing the case, has expressed concern about releasing the report, citing the potential for hacking and misuse of sensitive voting system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply protections.
Halderman agrees that there is no evidence that the vulnerabilities were exploited in the 2020 election. But that wasn’t his mission, he said. He was looking for ways to compromise Dominion’s Democracy Suite ImageCast X voting system. The touchscreen voting machines can be configured as ballot marking devices that create a paper ballot or record votes electronically.
In a statement, Dominion defended the machines as “accurate and safe.”
Dominion’s systems have been unjustly vilified by people who have been promoting the false narrative that the 2020 election was stolen from Trump. False and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said there was no evidence of widespread fraud in the 2020 election, and no evidence that Dominion equipment was tampered with to alter the results.
Halderman said it was an “unfortunate coincidence” that the first voting machine vulnerabilities reported to CISA involved Dominion machines.
“There are inherent issues with the way voting machines are designed, tested and certified, and I think it’s more likely than not that serious problems would be found in other vendors’ machines if subjected to the same type of testing,” said Halderman.
In Georgia, the machines print a paper ballot that contains a barcode — known as a QR code — and a human-readable summary list that reflects the voter’s choices, and the votes are counted by a scanner that reads the barcode.
“When barcodes are used to tabulate votes, they may be subject to attacks that exploit the vulnerabilities listed, such that the barcode does not match the human-readable portion of the paper ballot,” the advisory said. To reduce this risk, the advisory recommends configuring the machines to produce “traditional, full-fill ballots instead of QR code speed dials” whenever possible.
The affected machines are used by at least some voters in at least 16 states, and in most of those locations they are only used by people who cannot physically fill out a ballot by hand, according to a voting machine tracker maintained by the watchdog Verified Voting. But in some locations, including across Georgia, almost all in-person voting takes place on the affected machines.
Georgia Deputy Secretary of State Gabriel Sterling said the CISA assessment and a separate report commissioned by Dominion acknowledge that “existing procedural safeguards make it extremely unlikely” that a bad actor could exploit the vulnerabilities Halderman identified. He called Halderman’s claims “exaggerated.”
Dominion has informed CISA that the vulnerabilities have been fixed in later software versions, and the advisory says election officials should contact the company to determine what updates are needed. Halderman tested computers used in Georgia, and he said it’s not clear if computers running other versions of the software share the same vulnerabilities.
Halderman said that as far as he knows, “no one but Dominion has had the opportunity to test their claimed fixes.”
To prevent or detect exploitation of these vulnerabilities, the advisory’s recommendations include ensuring that voting machines are safe and secure at all times; conducting rigorous pre- and post-election testing on machines and post-election audits; and encouraging voters to check the human-readable portion on printed ballots.
This story has been corrected to reflect that Tina Peters was barred from overseeing this year’s election in her county, not from running for Secretary of State.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.
https://www.local10.com/news/politics/2022/05/31/cyber-agency-voting-software-vulnerable-in-some-states/ Voting software vulnerable in some states