Cyber agency: Voting software vulnerable in some states

ATLANTA (AP) — Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them susceptible to hacking if unaddressed, the nation’s leading cybersecurity agency says in an advisory sent to state election officials.

The U.S. Cybersecurity and Infrastructure Agency, or CISA, said there is no evidence the flaws in the Dominion Voting Systems’ equipment have been exploited to alter election results. The advisory is based on testing by a prominent computer scientist and expert witness in a long-running lawsuit that is unrelated to false allegations of a stolen election pushed by former President Donald Trump after his 2020 election loss.

The advisory, obtained by The Associated Press in advance of its expected Friday release, details nine vulnerabilities and suggests protective measures to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to take action.

CISA Executive Director Brandon Wales said in a statement that “states’ conventional election safety methods would detect exploitation of these vulnerabilities and in numerous situations would prevent attempts entirely.” But the advisory appears to suggest states aren’t doing enough. It urges prompt mitigation measures, which include both continued and increased “defensive measures to decrease the threat of exploitation of these vulnerabilities.” These measures need to be applied ahead of every election, the advisory says, and it is clear that’s not happening in all of the states that use the machines.

University of Michigan computer scientist J. Alex Halderman, who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and so require multiple safeguards that are not uniformly followed. He and many other election security experts have insisted that using hand-marked paper ballots is the most secure method of voting and the only option that allows for meaningful post-election audits.

“These vulnerabilities, for the most part, are not ones that could be easily exploited by someone who walks in off the street, but they are things that we should really be concerned could be exploited by sophisticated attackers, such as hostile nation states, or by election insiders, and they would have incredibly severe consequences,” Halderman told the AP.

Concerns about possible meddling by election insiders were recently underscored with the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is running to become her state’s top election official. Data from the county’s voting machines appeared on election conspiracy websites last summer shortly after Peters appeared at a symposium about the election organized by MyPillow CEO Mike Lindell. She was also recently barred from overseeing this year’s election in her county.

One of the most serious vulnerabilities could allow malicious code to be spread from the election management system to machines throughout a jurisdiction, Halderman said. The vulnerability could be exploited by someone with physical access or by someone who is able to remotely infect other systems that are connected to the internet if election workers then use USB sticks to carry data from an infected system into the election management system.

Several other particularly worrisome vulnerabilities could allow an attacker to forge cards used in the machines by technicians, giving the attacker access to a machine that would allow the software to be changed, Halderman said.

“Attackers could then mark ballots inconsistently with voters’ intent, alter recorded votes or even identify voters’ secret ballots,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 that targeted the outdated voting machines Georgia used at the time. The state bought the Dominion system in 2019, but the plaintiffs contend that the new system is also insecure. A 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who’s overseeing the case, has expressed concern about releasing the report, worrying about the potential for hacking and the misuse of sensitive election system information. She agreed in February that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that there’s no evidence the vulnerabilities were exploited in the 2020 election. But that wasn’t his mission, he said. He was looking for ways Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot or record votes electronically.

In a statement, Dominion defended the machines as “accurate and secure.”

Dominion’s systems have been unjustifiably maligned by people pushing the false narrative that the 2020 election was stolen from Trump. Incorrect and sometimes outrageous claims by high-profile Trump allies prompted the company to file defamation lawsuits. State and federal officials have repeatedly said there’s no evidence of widespread fraud in the 2020 election — and no evidence that Dominion equipment was manipulated to alter results.

Halderman said it’s an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported to CISA affect Dominion machines.

“There are systemic issues with the way election equipment is designed, tested and certified, and I feel it is more likely than not that major difficulties would be discovered in equipment from other vendors if they were subjected to the same kind of testing,” Halderman said.

In Georgia, the machines print a paper ballot that includes a barcode — known as a QR code — and a human-readable summary list reflecting the voter’s selections, and the votes are tallied by a scanner that reads the barcode.

“When barcodes are used to tabulate votes, they may be subject to attacks exploiting the listed vulnerabilities such that the barcode is inconsistent with the human-readable portion of the paper ballot,” the advisory says. To reduce this risk, the advisory recommends, the machines should be configured, where possible, to produce “traditional, full-face ballots, rather than summary ballots with QR codes.”

The affected machines are used by at least some voters in at least 16 states, and in most of those places they are used only for people who can’t physically fill out a paper ballot by hand, according to a voting equipment tracker maintained by watchdog Verified Voting. But in some places, including all of Georgia, almost all in-person voting is on the affected machines.

Georgia Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognize that “existing procedural safeguards make it exceptionally unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He called Halderman’s claims “exaggerated.”

Dominion has told CISA that the vulnerabilities have been addressed in subsequent software versions, and the advisory says election officials should contact the company to determine which updates are needed. Halderman tested machines used in Georgia, and he said it’s not clear whether machines running other versions of the software share the same vulnerabilities.

Halderman said that as far as he knows, “no one but Dominion has had the opportunity to test their asserted fixes.”

To prevent or detect the exploitation of these vulnerabilities, the advisory’s recommendations include ensuring voting machines are secure and protected at all times; conducting rigorous pre- and post-election testing on the machines as well as post-election audits; and encouraging voters to verify the human-readable portion on printed ballots.

___

This story has been corrected to reflect that Tina Peters has been barred from overseeing this year’s election in her county, not from running for secretary of state.