Voting software vulnerable in at least 16 states

By Josephine J. Romero

Jun 3, 2022


ATLANTA (AP) – Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “states’ regular election security procedures would detect exploitation of these vulnerabilities and in several cases would stop attempts completely.” But the advisory seems to suggest states aren’t doing enough. It urges prompt mitigation measures, including both continued and enhanced “defensive measures to reduce the risk of exploitation of these vulnerabilities.” Those measures need to be applied ahead of every election, the advisory says, and it’s clear that’s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

“These vulnerabilities, for the most part, are not ones that could be easily exploited by someone who walks in off the street, but they are things that we should worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would have very serious consequences,” Halderman told the AP.

Concerns about possible meddling by election insiders were recently underscored with the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official. Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She was also recently barred from overseeing this year’s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to bring data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.

“Attackers could then mark ballots inconsistently with voters’ intent, change recorded votes or even identify voters’ secret ballots,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who’s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that there is no evidence the vulnerabilities were exploited in the 2020 election. But that wasn’t his mission, he said. He was looking for ways Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.

In a statement, Dominion defended the machines as “accurate and secure.”

Dominion’s systems have been unjustifiably maligned by people pushing the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said there is no evidence of widespread fraud in the 2020 election — and no evidence that Dominion equipment was manipulated to alter results.

Halderman said it’s an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.

“There are systemic problems with the way election equipment is developed, tested and certified, and I think it’s more likely than not that serious problems would be found in equipment from other vendors if they were subjected to the same kind of testing,” Halderman said.

In Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary list reflecting the voter’s selections, and the votes are tallied by a scanner that reads the barcode.

“When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,” the advisory says. To reduce this risk, the advisory recommends, the machines should be configured, where possible, to produce “traditional, full-face ballots, rather than summary ballots with QR codes.”

The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who can’t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognize that “existing procedural safeguards make it very unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He called Halderman’s claims “exaggerated.”

Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said it’s not clear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that as far as he knows, “no one but Dominion has had the opportunity to test their asserted fixes.”

To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.


This story has been corrected to reflect that Tina Peters has been barred from overseeing this year’s election in her county, not from running for secretary of state.

Copyright 2022 The Associated Press. All rights reserved.

