Voting software vulnerable in some states, cyber agency says

A Miami-Dade election worker checks voting machines for accuracy at the Miami-Dade Election Office headquarters on Oct. 14, 2020, in Doral, Florida. (Joe Raedle/Getty Images)

Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems’ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “states’ common election protection techniques would detect exploitation of these vulnerabilities and in lots of instances would stop attempts entirely.” But the advisory seems to suggest states aren’t doing enough. It urges prompt mitigation measures, including both continued and enhanced “defensive actions to minimize the chance of exploitation of these vulnerabilities.”

Those measures need to be applied ahead of every election, the advisory says, and it’s clear that’s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that aren’t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

“These vulnerabilities, for the most part, are not ones that could be effortlessly exploited by someone who walks in off the street, but they are items that we ought to worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would have pretty major consequences,” Halderman told the AP.

Concerns about possible meddling by election insiders were recently underscored with the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official.

Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She was also recently barred from overseeing this year’s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to bring data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.

“Attackers could then mark ballots inconsistently with voters’ intent, alter recorded votes or even recognize voters’ secret ballots,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state purchased the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who’s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that there is no evidence the vulnerabilities were exploited in the 2020 election. But that wasn’t his mission, he said. He was looking for ways Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.

In a statement, Dominion defended the machines as “exact and safe.”

Dominion’s systems have been unjustifiably maligned by people pushing the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said there is no evidence of widespread fraud in the 2020 election, and no evidence that Dominion equipment was manipulated to alter results.

Halderman said it’s an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.

“There are systemic complications with the way election equipment is produced, tested and licensed, and I imagine it is more likely than not that significant difficulties would be found in machines from other distributors if they were subjected to the identical kind of screening,” Halderman said.

In Georgia, the machines print a paper ballot that includes a barcode, known as a QR code, and a human-readable summary list reflecting the voter’s selections, and the votes are tallied by a scanner that reads the barcode.

“When barcodes are applied to tabulate votes, they might be subject to attacks exploiting the shown vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,” the advisory says. To reduce this risk, the advisory recommends, the machines should be configured, where possible, to produce “conventional, full-face ballots, rather than summary ballots with QR codes.”

The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who can’t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognize that “current procedural safeguards make it really unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He called Halderman’s claims “exaggerated.”

Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said it’s not clear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that as far as he knows, “no one but Dominion has had the possibility to take a look at their asserted fixes.”

To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.

This story has been corrected to reflect that Tina Peters has been barred from overseeing this year’s election in her county, not from running for secretary of state.