Cyber agency: Voting software is vulnerable in some states


ATLANTA (AP) – Electronic voting machines from a leading vendor used in at least 16 states have software vulnerabilities that leave them open to hacking if unaddressed, according to an advisory for state election officials.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said there was no evidence that the flaws in Dominion Voting Systems equipment had been exploited to alter election results. The advisory is based on testing by a well-known computer scientist and expert witness in a long-running lawsuit that is not linked to the false allegations of a stolen election made by former President Donald Trump after his defeat in the 2020 election.

The advisory, obtained by The Associated Press ahead of its expected release on Friday, details nine vulnerabilities and proposes safeguards to prevent or detect their exploitation. Amid a swirl of misinformation and disinformation about elections, CISA seems to be trying to walk a line between not alarming the public and stressing the need for election officials to act.

CISA Executive Director Brandon Wales said in a statement that “standard state security procedures in the states will detect the exploitation of these vulnerabilities and in many cases completely prevent attempts.” However, the advisory seems to suggest that states are not doing enough. It calls for immediate mitigation measures, including long-term and intensified “protective measures to reduce the risk of exploiting these vulnerabilities.” These measures need to be applied before every election, the advisory said, and it is clear that this is not happening in all states that use the machines.

J. Alex Halderman, a computer scientist at the University of Michigan who wrote the report on which the advisory is based, has long argued that using digital technology to record votes is dangerous because computers are inherently vulnerable to hacking and therefore require many protections that are not uniformly followed. He and many other election security experts have insisted that hand-marked paper ballots are the safest method of voting and the only option that allows for meaningful post-election verification.

“These vulnerabilities, for the most part, are not ones that could be easily exploited by those who come from the streets, but we need to worry that they could be exploited by perfect intruders such as hostile nation-states, or through election insiders, and this will have very serious consequences,” Halderman told the AP.

Concerns about possible insider interference in elections were recently highlighted by the indictment of Mesa County Clerk Tina Peters in Colorado, who has become a hero to election conspiracy theorists and is seeking to become the top election official in her state. Data from the county appeared on election conspiracy websites last summer, shortly after Peters appeared at an election symposium hosted by MyPillow CEO Mike Lindell. She was also recently barred from overseeing this year’s elections in her county.

One of the most serious vulnerabilities could allow malicious code to spread from an election management system to machines across jurisdictions, Halderman said. The vulnerability could be exploited by someone with physical access, or by someone able to remotely infect other systems connected to the Internet if election workers then use USB drives to transfer data from the infected system to the election management system.

Several other particularly alarming vulnerabilities could allow an attacker to forge the cards that technicians use in the machines, giving the attacker access to a machine that would allow its software to be altered, Halderman said.

“The attackers could have marked ballots that did not correspond to the intentions of the voters, altered the recorded votes or even identified the secret ballot,” Halderman said.

Halderman is an expert witness for the plaintiffs in a lawsuit originally filed in 2017 against obsolete voting machines used by Georgia at the time. The state bought the Dominion system in 2019, but plaintiffs claim the new system is also dangerous. The 25,000-word report detailing Halderman’s findings was filed under seal in federal court in Atlanta last July.

U.S. District Judge Amy Totenberg, who oversees the case, has expressed concern about releasing the report, worried about the potential for hacking and misuse of sensitive election system information. In February, she agreed that the report could be shared with CISA, which promised to work with Halderman and Dominion to analyze potential vulnerabilities and then help jurisdictions that use the machines to test and apply any protections.

Halderman agrees that there is no evidence that the vulnerabilities were exploited in the 2020 election. But that was not his mission, he said. He was looking for ways that Dominion’s Democracy Suite ImageCast X voting system could be compromised. The touchscreen voting machines can be configured as ballot-marking devices that produce a paper ballot, or to record votes electronically.

In a statement, Dominion defended the machines as “accurate and safe”.

Dominion’s systems have been unjustifiably maligned by people pushing the false story that the 2020 election was stolen from Trump. False and sometimes outrageous allegations by high-profile Trump allies have prompted the company to file defamation lawsuits. State and federal officials have repeatedly stated that there is no evidence of widespread rigging in the 2020 election, and no evidence that Dominion equipment was manipulated to change the results.

Halderman said it was an “unfortunate coincidence” that the first vulnerabilities in polling place equipment reported to CISA affected Dominion machines.

“There are systemic problems with how election equipment is designed, tested and certified, and I think serious problems would most likely be found in other vendors’ equipment if they were subjected to the same tests,” Halderman said.

The CISA advisory does not specifically recommend using the machines as they are configured in Georgia, where a printed paper ballot contains both a barcode and a human-readable list reflecting the voter’s choices, and votes are counted by a scanner that reads the barcode.

“If barcodes are used to sum up votes, they may be attacked using the listed vulnerabilities, so that the barcode does not match the readable part of the paper ballot,” the advisory said. It recommends that voting machines be configured, where possible, to produce “traditional face-to-face ballots” rather than consolidated ballots that use barcodes.

The affected machines are used by at least some voters in at least 16 states, and in most of these places they are used only by people who are physically unable to fill out a paper ballot by hand, according to a voting tracker maintained by the watchdog group Verified Voting. But in some places, including across Georgia, almost all in-person voting is conducted on the affected machines.

Georgia’s Deputy Secretary of State Gabriel Sterling said the CISA advisory and a separate report commissioned by Dominion recognized that “existing procedural safeguards make it very unlikely” that a bad actor could exploit the vulnerabilities identified by Halderman. He called Halderman’s claims “exaggerated.”

Dominion told CISA that the vulnerabilities had been fixed in subsequent versions of the software, and the advisory said election officials should contact the company to determine which updates are needed. Halderman tested the machines used in Georgia and said it was unclear whether machines running other versions of the software had the same vulnerabilities.

Halderman said that, as far as he knew, “no one but Dominion had the opportunity to verify their claimed corrections.”

To prevent or detect exploitation of these vulnerabilities, the advisory’s recommendations include keeping voting machines secure and protected at all times; conducting rigorous pre-election and post-election testing of the machines, as well as post-election audits; and encouraging voters to verify the human-readable portion of printed ballots.


This story has been corrected to reflect that Tina Peters was barred from overseeing this year’s election in her county, not from running for secretary of state.

Copyright © 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, written or distributed.
