
Cyber agency: Voting software is vulnerable in some states

ATLANTA (AP) – Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation's leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said there was no evidence that the flaws in Dominion Voting Systems equipment have been exploited to change election results. The advisory is based on testing by a prominent computer scientist and expert witness in a lengthy trial that has nothing to do with false allegations of stolen elections made by former President Donald Trump after his loss in the 2020 election.

The advisory, obtained by the Associated Press ahead of Friday’s expected release, details nine vulnerabilities and suggests safeguards to prevent or detect their exploitation. Against the backdrop of a whirlwind of misinformation and disinformation about the election, CISA seems to be trying to walk the line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “standard security procedures in state elections would detect the exploitation of these vulnerabilities and in many cases would completely prevent attempts.” Still, the advisory seems to suggest that states are not doing enough. It urges swift mitigation measures, including both ongoing and enhanced “defense measures to reduce the risk of exploitation of these vulnerabilities”. These measures must be applied before each election, the advisory said, and it is clear that this does not happen in all states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require many precautions that are not uniformly followed. He and many other election security experts insist that the use of hand-marked ballots is the safest method of voting and the only option that allows meaningful post-election audits.

“For the most part, these vulnerabilities are not those that can be easily exploited by someone entering from the street, but they are things we need to worry about that can be exploited by sophisticated attackers, such as hostile nation-states, or by election insiders, and they would have very serious consequences,” Halderman told the AP.

Fears of possible election interference were recently highlighted by charges against Mesa County spokeswoman Tina Peters in Colorado, who has become a hero of election conspiracy theorists and is running to become the state's top election official. Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium on the election hosted by MyPillow CEO Mike Lindell. In addition, she was recently banned from observing this year’s elections in her county.

One of the most serious vulnerabilities could allow malicious code to spread from the election management system to machines across the jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access, or by someone who is able to remotely infect other systems connected to the Internet if election officials then use USB sticks to import data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge the cards that technicians use in the machines, giving the attacker access to a machine that would allow the software to be altered, Halderman said.

“The attackers could then mark ballots contrary to voters’ intentions, change the recorded votes, or even identify secret ballots,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 targeting obsolete voting machines used by Georgia at the time. The state bought the Dominion system in 2019, but the plaintiffs claim that the new system is also insecure. A 25,000-word report describing Halderman’s findings was published in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who is overseeing the case, expressed concern about the report’s publication, worrying about the potential for hacking and misuse of sensitive information from the electoral system. In February, she agreed that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and implement any protections.

Halderman agrees that there is no evidence that the vulnerabilities were exploited in the 2020 elections. But that was not his mission, he said. He was looking for ways in which Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touch-screen voting machines can be configured as ballot markers that produce paper ballots or to record votes electronically.

In a statement, Dominion defended the machines as “accurate and safe”.

Dominion systems have been unjustifiably maligned by people pushing the false story that the 2020 election was stolen from Trump. Incorrect and sometimes scandalous allegations by high-ranking Trump allies have led the company to file defamation lawsuits. Government and federal officials have repeatedly said there is no evidence of widespread fraud in the 2020 election – and no evidence that Dominion equipment has been manipulated to change results.

Halderman said it was a “coincidence” that the first vulnerabilities in polling station equipment reported to CISA affected Dominion machines.

“There are systemic problems with the way election equipment is developed, tested and certified, and I think it is more likely than not that serious problems are more likely to be found in equipment from other suppliers if it has been subjected to the same type of testing,” said Halderman.

The CISA advisory explicitly recommends against using the machines as configured in Georgia, where the printed paper ballot includes both a barcode and a human-readable list of the voter's selections, and votes are counted by a scanner that reads the barcode.

“When barcodes are used to count votes, they may be subject to attacks using the listed vulnerabilities so that the barcode is incompatible with the human-readable portion of the paper bulletin,” the advisory said. It recommends that voting machines be configured, if possible, to produce “traditional full-face ballots” and not aggregated ballots that use a barcode.

Affected machines are used by at least some voters in at least 16 states, and in most of these places they are used only for people who are physically unable to fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia’s Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion acknowledged that “existing procedural safeguards make it extremely unlikely” a bad actor would exploit the vulnerabilities identified by Halderman. He called Halderman’s allegations “exaggerated.”

Dominion told CISA that the vulnerabilities had been fixed in later versions of the software, and the advisory said election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said it is unclear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that, as far as he knew, “no one but Dominion has had the opportunity to test their hard fixes.”

To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring that voting machines are secure and protected at all times; conducting rigorous pre- and post-election tests of the machines, as well as post-election audits; and encouraging voters to check the human-readable part of printed ballots.

___

This story has been corrected to reflect that Tina Peters is barred from observing this year’s election in her county instead of running for secretary of state.
