
U.S. cybersecurity agency says voting machines in 16 states may have software vulnerabilities

Electronic voting machines from a leading vendor used by at least 16 states have software vulnerabilities that could lead to hacking if left unaddressed, according to an advisory sent to state election officials by the country’s leading cybersecurity agency.

The US Cybersecurity and Infrastructure Security Agency, or CISA, has stated that there is no evidence that the flaws in Dominion Voting Systems equipment have been exploited to alter election results. The advisory is based on testimony by a leading computer scientist and expert witness in a lengthy lawsuit unrelated to the false allegations of a rigged election that followed former President Donald Trump’s 2020 election defeat.

The advisory, obtained by the Associated Press in advance of its release on Friday, outlines nine vulnerabilities and suggests protective measures to prevent or identify their exploitation. Amid a swirl of misinformation and disinformation about the election, CISA seems to be trying to walk a line between not alarming the public and emphasizing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “the standard electoral security policies of the states recognize the exploitation of these vulnerabilities and in many cases completely prevent attempts.” However, the advisory seems to suggest that states are not doing enough. It called for immediate mitigation measures, including “continuous and better protection measures to reduce the risk of exploitation of these vulnerabilities.” Those measures should be applied before every election, the advisory says, and it is clear that this is not happening in all of the states that use the machines.

J. Alex Halderman, a computer scientist at the University of Michigan who wrote the report on which the advisory is based, has long argued that the use of digital technology to record votes is dangerous because computers are inherently vulnerable and therefore require multiple protections that are not uniformly followed. He and several other election security experts emphasize that the use of hand-marked paper ballots is the safest voting method and the only option that allows for meaningful post-election audits.

“These vulnerabilities are, for the most part, not easily usable by anyone walking down the street, but we should be concerned that they could be exploited by sophisticated attackers such as enemy states or election insiders, and they can have very serious consequences,” Halderman told the AP.

Concerns about the involvement of insiders in elections were recently highlighted by Tina Peters, the Mesa County clerk in Colorado, who has become a hero to election conspiracy theorists and is vying to become the state’s top election official. Data from county voting machines appeared on election conspiracy websites shortly after Peters appeared at a symposium about the election hosted by MyPillow CEO Mike Lindell last summer. She was recently banned from overseeing elections this year in her county.

Halderman said one of the most serious vulnerabilities could allow malicious code to spread from the election management system to machines throughout a jurisdiction. The vulnerability could be exploited by someone with physical access, or by someone who can remotely infect other systems connected to the internet, if election staff then use USB sticks to bring data from an infected system into the election management system.

Halderman said that many other particularly serious vulnerabilities could allow an attacker to duplicate the cards technicians use in the machines, giving the attacker access to a machine that would allow them to change the software.

“Attackers can detect ballots inconsistent with the intent of voters, alter recorded votes or even detect secret ballots of voters,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs argue that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who is overseeing the case, expressed concern over the release of the report, citing the potential for hacking and misuse of sensitive election system information. In February she agreed to share the report with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help the jurisdictions that use the machines to test and apply any defenses.

Halderman agreed that there was no evidence that the vulnerabilities had been exploited in the 2020 election. However, he said that was not his goal: he was looking for ways to compromise Dominion’s Democracy Suite ImageCast X voting system. The touchscreen voting machines can be configured as ballot-marking devices that produce paper ballots or to record votes electronically.

In a statement, Dominion defended the machines as “accurate and safe”.

Dominion’s systems have been unjustifiably maligned by people pushing the false story that the 2020 election was stolen from Trump. The false and sometimes outrageous claims made by high-ranking Trump allies prompted the company to file a defamation suit. State and federal officials have repeatedly said there was no evidence of widespread fraud in the 2020 election – and that there was no evidence that Dominion equipment was tampered with to change the outcome.

Halderman said it was an “unfortunate coincidence” that the first vulnerability in polling station equipment reported to CISA affected Dominion machines.

“There are systemic issues with the process of developing, testing and certifying election materials and I think there is a possibility of serious problems from other vendors if the equipment is subjected to the same type of testing,” Halderman said.

In Georgia, the machines print a paper ballot containing a barcode – called a QR code – and a human-readable summary list that reflects the voter’s selections, and the votes are counted by a scanner that reads the barcode.

“When barcodes are used to table votes, they may be subject to attacks that exploit the listed vulnerabilities, meaning that the barcode is inconsistent with the human readable portion of the paper ballot,” the advisory says. To reduce this risk, the advisory recommends that machines be configured where possible to produce “traditional, full-face ballots rather than summary ballots with QR codes”.

The affected machines are used by at least some voters in at least 16 states, and according to the voting equipment tracker operated by the watchdog Verified Voting, most of them are used only by people who cannot physically fill out a paper ballot by hand. But in some places, including the whole of Georgia, nearly all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a special report commissioned by Dominion found that current procedural defenses make it “highly unlikely” that a bad actor could take advantage of the vulnerabilities identified by Halderman. He called Halderman’s arguments “exaggerated.”

The advisory says the vulnerabilities have been fixed in subsequent versions of the Dominion software and that election officials should contact the company to determine if any updates are needed. Halderman tested the machines used in Georgia and said it was unclear whether machines running other versions of the software would share the same vulnerability.

As far as Halderman knows, “no one but the Dominion has the opportunity to test their definitive solutions.”

To prevent or identify the exploitation of these vulnerabilities, the advisory recommends ensuring that voting machines are always safe and secure; conducting pre- and post-election inspections on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion of printed ballots.

