(Headline USA) Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.
The warning from the U.S. Cybersecurity and Infrastructure Agency, or CISA, cast a new light on the Dominion Voting Systems’ equipment that came under sever scrutiny in the aftermath of the 2020 election, amid reports of the company’s partisan ties to radical leftist groups both domestic and abroad.
CISA’s then head, Chris Krebs resigned from the Trump administration after leveling insubordinate and unprofessional attacks on President Donald Trump and others via social media, including his baseless claim that it was the “most secure” election in US history, which many in the leftist media echoed mindlessly.
Former Cybersecurity & Infrastructure Security Agency Director Chris Krebs: “The 2020 election was the most secure in U.S. history…while elections are sometimes messy, this was a secure election. Of that I have no doubt.”
— CSPAN (@cspan) December 16, 2020
The new advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is not directly related to the allegations of the stolen 2020 election, although it would appear to substantiate some of the concerns previously dismissed by partisan media and government officials.
University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, said he was looking for ways Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.
The advisory, obtained by the Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation.
CISA Executive Director Brandon Wales said in a statement that “states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.”
Yet the advisory seems to suggest states aren’t doing enough.
It urges prompt mitigation measures, including both continued and enhanced “defensive measures to reduce the risk of exploitation of these vulnerabilities.”
Those measures need to be applied ahead of every election, the advisory says, and it’s clear that’s not happening in all of the states that use the machines.
Halderman has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed.
He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.
“These vulnerabilities, for the most part, are not ones that could be easily exploited by someone who walks in off the street, but they are things that we should worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would carry very serious consequences,” Halderman told the AP.
One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said.
The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to bring data from an infected system into the election management system.
Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.
“Attackers could then mark ballots inconsistently with voters’ intent, alter recorded votes or even identify voters’ secret ballots,” Halderman said.
The concerns echoed those voiced by Republican supporters of Trump and vehemently denied by the corrupt leftist Establishment at the time of the legal challenges. However, one added point of contention is that the election officials—many of them compromised by the nearly half-a-billion-dollar strings-attached investments by two Mark Zuckerberg “nonprofits” sought to intentionally manipulate rather than safeguard the outcome.
In at least one case exposed by Wisconsin special counsel Michael Gableman, a political operative with ties to George Soros who was not employed by the state or local government was, nonetheless, granted complete access to the voting systems in Green Bay.
In Georgia, many of the officials overseeing the voting in several Atlanta districts were linked to a temp agency that had ties to a partisan anti-voting-integrity group founded by failed left-wing candidate Stacey Abrams, who also has Soros ties.
Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure.
A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.
Leftist U.S. District Judge Amy Totenberg, who’s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information.
She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.
In a statement, Dominion defended the machines as “accurate and secure.”
Halderman claimed it was an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.
“There are systemic problems with the way election equipment is developed, tested and certified, and I think it’s more likely than not that serious problems would be found in equipment from other vendors if they were subjected to the same kind of testing,” Halderman said.
In Georgia, the machines print a paper ballot that includes a barcode—known as a QR code—and a human-readable summary list reflecting the voter’s selections, and the votes are tallied by a scanner that reads the barcode.
“When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,” the advisory says.
To reduce this risk, the advisory recommends, the machines should be configured, where possible, to produce “traditional, full-face ballots, rather than summary ballots with QR codes.”
The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who can’t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting.
But in some places, including all of Georgia, almost all in-person voting is on the affected machines.
Georgia’s NeverTrump deputy secretary of state, Gabriel Sterling, said the CISA advisory and a separate report commissioned by Dominion recognize that “existing procedural safeguards make it extremely unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He claimed Halderman’s warnings were “exaggerated.”
Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed.
Halderman tested machines used in Georgia, and he said it’s not clear whether machines running other versions of the software share the same vulnerabilities.
Halderman said that as far as he knows, “no one but Dominion has had the opportunity to test their asserted fixes.”
To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.
Adapted from reporting by the Associated Press