“No evidence of exploitation of Dominion voting machine flaws, CISA finds”

Washington Post:

The federal government has found no evidence that flaws in Dominion voting machines have ever been exploited, including in the 2020 election, according to the executive director of the Cybersecurity and Infrastructure Security Agency.

CISA, an arm of the Department of Homeland Security, has notified election officials in more than a dozen states that use the machines of several vulnerabilities and mitigation measures that would aid in detection or prevention of an attempt to exploit those vulnerabilities.

The move marks the first time CISA has run voting machine flaws through its vulnerability disclosure program, which since 2019 has examined and disclosed hundreds of vulnerabilities in commercial and industrial systems that have been identified by researchers around the world. (The program is aimed at helping companies and consumers better secure devices from breaches.

The security of Dominion voting machines has become a flash point in the fraught politics of the 2020 election with supporters of former president Donald Trump claiming that the results were tainted by machines that were manipulated, while election officials — including Georgia’s Republican secretary of state and governor — insisted that there was no evidence of breaches or altered results.

There are nine flaws affecting versions of the machine called the Dominion Voting Systems Democracy Suite ImageCast X, according to a copy of an advisory prepared by CISA and obtained by The Washington Post. The ImageCast X allows voters to mark their candidate choices on a touch-screen and then produce a paper record, as was the case in Georgia. It can also be used as a paperless electronic voting machine. The flaws, many of which are highly technical and which mostly stem from machine design as opposed to coding errors, generally require an attacker to have physical access to the devices or other equipment used to manage the election, CISA said.

“We have no evidence that these vulnerabilities have been exploited and no evidence that they have affected any election results,” said Brandon Wales, CISA’s executive director in a statement to The Post. “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely. This makes it very unlikely that these vulnerabilities could affect an election.”…

CISA conducted its review in response to a report by two researchers prepared as part of long-running litigation over the security of Georgia’s voting system. The lead researcher, University of Michigan computer scientist J. Alex Halderman, served as an expert for plaintiffs who filed the case in 2017. The plaintiffs — a group of voters and voting security activists — argued that the paperless touch-screen machines Georgia was then using, which were made by a different company, were so lacking in security that they violated voters’ civil rights.

Georgia agreed to acquire a new system and in 2019 bought Dominion ImageCast X “ballot-marking devices,” which were first used in 2020. The plaintiffs now argue that this replacement system is still too vulnerable to manipulation, and that Georgia should adopt a system of hand-marked paper ballots that can be scanned and tabulated by machine.

CISA’s five-page advisory is based in part on Halderman’s 100-page report, which remains under seal in a federal court in Atlanta. The advisory is expected to be released next week after officials in all 50 states are notified….

But Halderman, who has said publicly that he has no evidence that the machines’ flaws were exploited, told The Post that the vulnerabilities were serious and could be used by an attacker. The most significant, he said, is a coding flaw that allows an attacker who gains access to a jurisdiction’s central election computers to spread malware to the ImageCast X machines.

“Voting systems rely on multiple layers of defense including physical and electronic safeguards,” he said. “These vulnerabilities show that unfortunately the electronic safeguards are not as secure as they need to be.”

Share this: