A confidential report alleges that hackers could flip votes if they gained access to Georgia’s touchscreens, drawing interest from the U.S. Department of Homeland Security, Louisiana election officials and Fox News.
One key agency hasn’t asked the court to disclose the report: the Georgia secretary of state’s office.
There’s no sign that state election officials have done anything about the vulnerability, a potential flaw dangerous enough to be kept under seal, labeled in court as “attorneys’ eyes only” six months ago.
The vulnerability hasn’t been exploited in an election so far, according to examinations of the state’s Dominion Voting Systems equipment, but election security experts say it’s a risk for upcoming elections this year. Investigations have repeatedly debunked allegations of fraud in the 2020 election.
Georgia election officials won’t say what actions they’ve taken, if any, to improve security or detect tampering. State election officials declined to answer questions about the flaw, which was discovered as part of a lawsuit aimed at forcing the state to abandon its $138 million voting system that prints out paper ballots and instead use paper ballots filled out by hand.
Several election integrity advocates said Georgia Secretary of State Brad Raffensperger shouldn’t ignore the issue, even if he believes existing protections would prevent illicit access to voting equipment.
“It’s really concerning that the Georgia secretary of state and Dominion are kind of putting their head in the sand,” said Susan Greenhalgh, an election security consultant for plaintiffs suing over Georgia’s voting system. “Common sense would say you would want to be able to evaluate the claims and then take appropriate action, and they’re not doing any of that.”….
he vulnerability was first alleged in sealed court documents in July by Alex Halderman, a computer science professor at the University of Michigan. As an expert for plaintiffs in the election security lawsuit, Halderman gained access to Georgia voting equipment for 12 weeks and produced a 25,000-word secret report.
Halderman found that malicious software could be installed on voting touchscreens so that votes are changed in QR codes printed on paper ballots, which are then scanned to record votes, according to court documents. QR codes aren’t readable by the human eye, and voters have no way to know whether they match the printed text of their choices.
The vulnerability could be exploited by someone with physical access to a voting touchscreen, such as a voter in a polling place, or by an attacker who used election management system computers, Halderman said. A hacker in a polling place could only target one touchscreen at a time, limiting the number of votes that could be changed, but an attack on election management systems could have a broader impact.
“It is important to recognize the possibility that nefarious actors already have discovered the same problems I detail in my report and are preparing to exploit them in future elections,” Halderman wrote in a September declaration. Halderman has said there’s no evidence that Dominion voting machines changed votes in the 2020 election.
Georgia election officials have previously said their security precautions keep elections safe, though they won’t discuss Halderman’s findings in the ongoing court case….
An expert for the state, University of Florida computer scientist Juan Gilbert, said Georgia’s election audit process, which reviews the printed text of voters’ choices, would expose inconsistencies between QR codes and the text. Gilbert declined to comment on Halderman’s allegation but has previously addressed protections from hacking.
“If QR codes are inconsistent with the human-readable portion of the ballot, this will be detected during the (risk-limiting audit) and may signal a full manual recount,” Gilbert wrote in a November 2019 court declaration. “The general statement that computers can be hacked is no justification to remove all computers from any type of interaction with voting and election systems.”
But others say audits would be inadequate because they might not detect fraud on a small number of ballots that could swing a close election.