Originally published June 20, 2023 8:16 am PDT
In a court filing recently made public, a cybersecurity expert reveals alarming vulnerabilities in the Dominion voting machines, specifically the ImageCast X Prime (ICX) Ballot Marking Devices (BMDs) used in Georgia.
The document, a comprehensive analysis of the machines, paints a worrying picture of the state of election security.
It says that the voting system “suffers from critical vulnerabilities that can be exploited to subvert all of its security mechanisms.”
This means that “[n]o grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia’s elections already possess,” according to the court document.
The expert, University of Michigan computer science professor Alex Halderman (Phd), unequivocally states, “The ICX BMDs are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia.”
This warning extends to both foreign and domestic threats, highlighting the potential for election interference on multiple fronts.
One of the most alarming findings is that “attackers can alter the QR codes on printed ballots to modify voters’ selections.”
This is a critical vulnerability as it bypasses the voter’s ability to verify their vote.
The report states, “Critically, voters have no practical way to confirm that the QR codes represent their intended votes.”
The document also raises concerns about the widespread use of these machines.
It notes, “Using vulnerable ICX BMDs for all in-person voters, as Georgia does, greatly magnifies the security risks compared to jurisdictions that use hand-marked paper ballots.”
This practice, it suggests, makes the system a more attractive target for potential attackers.
The report goes on to critique the development process of the ICX, stating, “The critical vulnerabilities in the ICX—and the wide variety of lesser but still serious security issues—indicate that it was developed without sufficient attention to security during design, software engineering, and testing.”
The result is a system that is brittle and easily exploitable.
The expert further criticizes the previous testing efforts, stating, “previous security testing efforts as part of federal and state certification processes appear not to have uncovered the critical problems I found. This suggests that either the ICX’s vulnerabilities run deep or that earlier testing was superficial.”
The report also reveals a chilling possibility: “The ICX’s vulnerabilities also make it possible for an attacker to compromise the auditability of the ballots, by altering both the QR codes and the human-readable text.”
This means that even audits or hand counts could fail to detect such an attack, as all records of the voter’s intent would be wrong.
Halderman warns that exploiting these vulnerabilities does not require significant effort or time from technical experts.
He states, “My work demonstrates that discovering and exploiting vulnerabilities in the ICX requires only a moderate time investment from technical experts. In recent months, numerous technically-skilled outside parties have gained access.”
The findings in this document leave Georgia voters with “greatly diminished grounds to be confident that the votes they cast on the ICX BMD are secured, that their votes will be counted correctly, or that any future elections conducted using Georgia’s current system will be secure.”
You can read the full document here:
