Cyber agency: Voting software vulnerable in some states

AP News Header

ATLANTA (AP) โ€” Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nationโ€™s leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systemsโ€™ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that โ€œstatesโ€™ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.โ€ Yet the advisory seems to suggest states arenโ€™t doing enough. It urges prompt mitigation measures, including both continued and enhanced โ€œdefensive measures to reduce the risk of exploitation of these vulnerabilities.โ€ Those measures need to be applied ahead of every election, the advisory says, and itโ€™s clear thatโ€™s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and thus require multiple safeguards that arenโ€™t uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

โ€œThese vulnerabilities, for the most part, are not ones that could be easily exploited by someone who walks in off the street, but they are things that we should worry could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would carry very serious consequences,โ€ Halderman told the AP.

Concerns about possible meddling by election insiders were recently underscored withย the indictment of Mesa County Clerk Tina Peters*ย in Colorado, who has become a hero to election conspiracy theorists and is running to become her stateโ€™s top election official. Data from the countyโ€™s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She was alsoย recently barredย from overseeing this yearโ€™s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to bring data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.

โ€œAttackers could then mark ballots inconsistently with votersโ€™ intent, alter recorded votes or even identify votersโ€™ secret ballots,โ€ Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure. A 25,000-word report detailing Haldermanโ€™s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, whoโ€™s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that thereโ€™s no evidence the vulnerabilities were exploited in the 2020 election. But that wasnโ€™t his mission, he said. He was looking for ways Dominionโ€™s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.

In a statement, Dominion defended the machines as โ€œaccurate and secure.โ€

Dominionโ€™s systems have been unjustifiably maligned by people pushing the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said thereโ€™s no evidence of widespread fraud in the 2020 election โ€” and no evidence that Dominion equipment was manipulated to alter results.

Halderman said itโ€™s an โ€œunfortunate coincidenceโ€ that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.

โ€œThere are systemic problems with the way election equipment is developed, tested and certified, and I think itโ€™s more likely than not that serious problems would be found in equipment from other vendors if they were subjected to the same kind of testing,โ€ Halderman said.

In Georgia, the machines print a paper ballot that includes a barcode โ€” known as a QR code โ€” and a human-readable summary list reflecting the voterโ€™s selections, and the votes are tallied by a scanner that reads the barcode.

โ€œWhen barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,โ€ the advisory says. To reduce this risk, the advisory recommends, the machines should be configured, where possible, to produce โ€œtraditional, full-face ballots, rather than summary ballots with QR codes.โ€

The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who canโ€™t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognize that โ€œexisting procedural safeguards make it extremely unlikelyโ€ that a bad actor could exploit the vulnerabilities identified by Halderman. He called Haldermanโ€™s claims โ€œexaggerated.โ€

Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said itโ€™s not clear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that as far as he knows, โ€œno one but Dominion has had the opportunity to test their asserted fixes.โ€

To prevent or detect the exploitation of these vulnerabilities, the advisoryโ€™s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.

___

*This story has been corrected to reflect that Tina Peters has been barred from overseeing this yearโ€™s election in her county, not from running for secretary of state.

By Kate Brumback

Read Original Article on APNews.com

The Thinking Conservative
The Thinking Conservativehttps://www.thethinkingconservative.com/
The goal of THE THINKING CONSERVATIVE is to help us educate ourselves on conservative topics of importance to our freedom and our pursuit of happiness. We do this by sharing conservative opinions on all kinds of subjects, from all types of people, and all kinds of media, in a way that will challenge our perceptions and help us to make educated choices.

Columns

Why Fishermen Are Catching Fewer Lobsters in Maine

For veteran lobsterman Travis Dammier, it was the end of another trip at sea on a solo voyage to earn a living.

Viewers like you

There is no constitutional authority for any spending on public broadcasting โ€“ period. Any questions: See Article 1, Section 8 of the U.S. Constitution.

Beyond the Trump-Musk fallout?

We are witnessing an unprecedented, unhinged Democrat effort to use lawfare, big Democrat donors, street theater, congressional disruptions, potty-mouth videos, the administrative state, the legacy media, and discredited pollsters to stop the Trump agenda.

Trans-wormal

No worm ever said "I am anthropomorphizing, I am a butterfly" to a toad or flock of geese and expected acknowledgement and support.

In Greenlandโ€™s Icy Capital, Past Troubles Haunt Hopes for the Future

As geopolitical realities and ongoing economic growth raise the stakes, U.S. interest in Greenland and the dream of independence may change things in a big way.

News

Musk Mulls New Political Party Amid Feud With Trump

Elon Musk is considering launching a new political party in wake of his public fallout with President Trump over a major Republican tax and spending bill.

Citigroup Reverses Course on Controversial Firearm Policies

Citigroup reversed its policy requiring retail business clients to refrain from selling firearms to those who havenโ€™t passed background checks.

Supreme Court Sides With DOGE in Social Security, Records Cases

The Supreme Court handed DOGE two big wins late on June 6 in its effort to reduce the size of the federal government.

Kilmar Abrego Garcia Returns to US to Face Criminal Charges

Kilmar Abrego Garcia, a citizen of El Salvador, is on his way back to the US, where he will face criminal charges for allegedly smuggling illegal immigrants.

White House Adviser Gives Update on DOGEโ€™s Future Amid Muskโ€“Trump Spat

A top White House adviser said DOGEโ€™s work will likely continue amid a spat between its former chief, Elon Musk, and President Donald Trump.

Trump Administration Asks Supreme Court to Allow Dismantling of Education Department

Trump admin asked Supreme Court to allow it to resume dismantling U.S. Dept of Education, following a lower courtโ€™s previous order halting process.

FTC Warns of Rising Student Loan Scams, Says Fraudsters Took Millions From Borrowers

FTC is warning borrowers to steer clear of student loan debt-relief scams, after shutting down group of companies that allegedly charged millions in illegal fees and left customers worse off.

Walmartโ€™s Drone Delivery Coming to 5 More US Cities

Walmart is set to launch its drone delivery service in five more U.S. cities: Atlanta, Charlotte, Houston, Orlando, and Tampa, the company.
spot_img

Related Articles