Voting software vulnerable in some states, cyber agency says

A Miami-Dade election worker checks voting machines for accuracy at the Miami-Dade Election Division headquarters on Oct 14, 2020 in Doral, Florida. (Joe Raedle/Getty Images)

Digital voting equipment from a major vendor used in at least 16 states has software vulnerabilities that leave it vulnerable to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems’ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details 9 vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA appears to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “states’ conventional election security techniques would detect exploitation of these vulnerabilities and in quite a few instances would prevent attempts completely.” Yet the advisory appears to suggest states aren’t doing enough. It urges prompt mitigation measures, including both continued and enhanced “defensive steps to reduce the chance of exploitation of these vulnerabilities.”

Those measures need to be applied ahead of every election, the advisory says, and it’s clear that’s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that are not uniformly adopted. He and several other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

“These vulnerabilities, for the most part, are not types that could be easily exploited by somebody who walks in off the road, but they are things that we should worry could be exploited by advanced attackers, such as hostile nation states, or by election insiders, and they would have very serious consequences,” Halderman told the AP.

Concerns about possible meddling by election insiders were recently underscored with the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official.

Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She was also recently barred from overseeing this year’s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to carry data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.

“Attackers could then mark ballots inconsistently with voters’ intent, change recorded votes or even identify voters’ secret ballots,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who’s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that there is no evidence the vulnerabilities were exploited in the 2020 election. But that was not his mission, he said. He was looking for ways Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.

In a statement, Dominion defended the devices as “correct and safe.”

Dominion’s systems have been unjustifiably maligned by people pushing the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said there is no evidence of widespread fraud in the 2020 election — and no evidence that Dominion equipment was manipulated to alter results.

Halderman said it’s an “regrettable coincidence” that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.

“There are systemic problems with the way election gear is designed, tested and qualified, and I imagine it is more likely than not that major challenges would be observed in gear from other suppliers if they were subjected to the same type of tests,” Halderman said.

In Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary list reflecting the voter’s selections, and the votes are tallied by a scanner that reads the barcode.

“When barcodes are used to tabulate votes, they may be subject to attacks exploiting the mentioned vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,” the advisory says. To reduce this risk, the advisory says, the machines should be configured, where possible, to produce “common, full-face ballots, rather than summary ballots with QR codes.”

The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who can’t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognize that “current procedural safeguards make it particularly unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He called Halderman’s claims “exaggerated.”

Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said it’s not clear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that as far as he knows, “no one but Dominion has had the chance to test their asserted fixes.”

To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.

This story has been corrected to reflect that Tina Peters has been barred from overseeing this year’s election in her county, not from running for secretary of state.