The Cybersecurity and Infrastructure Security Agency (CISA) recently announced that it had found nine vulnerabilities in Dominion Voting machines, or, as the company calls them, systems. The vulnerabilities listed by the government applied to the company’s ImageCast X (ICX) system, pictured below.
These systems are in use in the following states, which does not mean that every county in these states uses these machines. The information comes from the Dominion website.
Of course, if we look at the last election, which some have contested, some states using these machines would appear to be more important than others. These were Arizona, Michigan, Wisconsin, Pennsylvania, and Georgia.
There are a couple of points to be aware of before I enter into a discussion of the vulnerabilities themselves. First of all, CISA is being very careful with this information. They state right from the beginning that “CISA has no evidence that these vulnerabilities have been exploited in any elections.” They don’t want to be drawn into any discussion on the validity of the 2020 election. That said, this seems to be the only angle the media is pushing while others have ignored the story completely. As usual, the truth is somewhere in the middle and that’s what I’d like to focus on.
The CISA report is based on a study on vulnerabilities in Dominion voting systems conducted by J. Alex Halderman. This 97-page report was suppressed by the court because it was feared that the vulnerabilities it exposed could be exploited by hackers. This could still be true, but the CISA report gives mitigation strategies, if not many details.
In some respects there’s nothing new about this story. Finnish data-security expert Harri Hursti has been hacking Dominion machines for years. He even made an HBO documentary on this called Kill Chain. Will Baggett, a forensic investigator, gave an overview of Hursti’s findings in 2018. He sums up his findings by claiming that “they are very basic, rudimentary systems with no security.” For those interested, here is a short clip of him discussing his investigation.
Despite Dominion’s claims to the contrary, these vulnerabilities exist. Whether subsequent updates have solved all of these problems remains to be determined. And, although it’s possibly true that these vulnerabilities were not exploited to influence the outcomes of any elections, there is no way of knowing this for sure, especially if nation-state hackers were behind such attacks and were able to hide their tracks and delete machine logs. Hursti himself says as much when he discussed the CISA report. “Again, vulnerabilities do not mean that those would had been exploited out in the wild, there is (so far) no evidence that malicious activity would had taken place in 2020 election.” So we need to take a look at these vulnerabilities and find out how they could be exploited by hackers. I should note that my initial impression of the security procedures surrounding these machines is that they are quite good and comprehensive. Most of the information I received on this came from a video entitled The ICX Voting Machine Assembly and Disassembly.
A quick look through the advisory and information from other sources indicates that the main vulnerability would be through a USB connection. A USB device could be used to install malware onto the voting machine and, basically, take control of it, or, as the advisory states, “ImageCast X may be left in a configuration that could allow an attacker who can attach an external input device to escalate privileges and/or install malicious code.” Such an installation could be programmed to begin automatically and could establish a remote connection, if one was available. The disclaimer here is that such a tactic could only be done physically. That’s why one of the main mitigation strategies given is to “ensure all affected devices are physically protected before, during, and after voting.” So does the voting center need to have someone guarding the USB port on all machines? Possibly, but it seems that the main threat in this scenario would be insiders with access to the machines. If they were computer savvy or were given a USB device by someone who was, they could launch an attack. But more on that later.
First, it’s important to see how these machines are built. The machine arrives with its four doors containing USB ports sealed with different colored, numbered seals with barcodes.
All except the one with the red seal, named ‘results’, will be opened. All of their numbers will be checked against an accompanying list to see if they match. This will ensure they have not been tampered with.
Here are photos of the vulnerable components; those featuring USB ports.
In addition to the USB/external device vulnerability, the advisory seems to concur with one that was found in an investigation done by the State of California. When the system was tested, the investigators were concerned about the autocast configuration setting that allows the voter to choose, “don’t eject the ballot for my review, just print it and cast it without me looking at it.” In this case, if “fraudulent software were installed, it could change all the votes of any voter who selected this option, because the voting machine software would know in advance of printing that the voter had waived the opportunity to inspect the printed ballot.” In other words, the malware could change all ballots that would never be reviewed by the voter and have these votes cast in the way the malware developers want them.
After the voting has finished, voting officials turn off the machines. They are then told to “break the seal on the door labeled ‘results’ and remove the flash drive” which is shown in the photo above. This door has a red, plastic security seal. The number on this security seal was matched with the number on an enclosed list when the machine was unpacked. However, the instructions do not say the number on this seal should be re-checked after the voting has concluded. Would it be possible for someone to cut this seal and either remove or exchange the flash drive? The seal itself can be replaced. Anyone can buy these seals online. Here’s some for sale.
Would an alarm go off if the flash drive was removed while the machine was on? What happens if someone pulls the plug? We simply don’t know. We only know that this port could be used to introduce malware. Also, there is nothing particularly unique about this flash drive. Anyone can buy them. In fact, it appears, from other sources, that if the same brand of flash drive is inserted in the port, no error messages will be triggered. This means that the drive could be exchanged with ones from the same company with pre-recorded results which will appear to be the actual results from that voting machine.
It should be noted that, after the voting has concluded, all of the flash drives from all of the machines are put into a special case before being sent to be processed. The advisory rightly warns those in control of these drives to be cautious to “ensure compliance with chain of custody procedures throughout the election cycle.” In other words, if this case was swapped with one containing drives with preset vote tallies, the entire election could be compromised.
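The seal checks and chain-of-custody point above lend themselves to a simple reconciliation, shown here as an added example that is not part of the advisory or of Dominion's procedures: it compares logged seal readings against the manifest and treats a missing end-of-voting check of the 'results' seal as a finding. The log format, the machine IDs, the seal numbers, the door name "door_a" and the second check at close are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data. Machine IDs, seal numbers and the door name
# "door_a" are hypothetical; only the "results" door is named on the page.
MANIFEST = {
    ("ICX-001", "results"): "R-48213", ("ICX-001", "door_a"): "B-10377",
    ("ICX-002", "results"): "R-48214", ("ICX-002", "door_a"): "B-10378",
    ("ICX-003", "results"): "R-48215", ("ICX-003", "door_a"): "B-10379",
}

CHECK_LOG = """stage,machine,door,seal_read
unpack,ICX-001,results,R-48213
unpack,ICX-001,door_a,B-10377
unpack,ICX-002,results,R-48214
unpack,ICX-002,door_a,B-10378
unpack,ICX-003,results,r-48215
unpack,ICX-003,door_a,B-10379
close,ICX-001,results,R-48213
close,ICX-002,results,R-90001
"""

def required_stages(door):
    # Every seal is checked at unpacking; the "results" seal is the one that
    # should still be intact at close, so it is checked a second time there.
    return ("unpack", "close") if door == "results" else ("unpack",)

def audit_seals(manifest, log_text):
    """Return sorted (machine, door, stage, problem) findings."""
    seen = {}
    findings = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["machine"].strip(), row["door"].strip())
        stage = row["stage"].strip()
        read = row["seal_read"].strip().upper()
        if key not in manifest:
            findings.add((*key, stage, "not on manifest"))
        elif read != manifest[key].upper():
            findings.add((*key, stage, "number mismatch"))
        seen.setdefault(key, set()).add(stage)
    for key in manifest:
        for stage in required_stages(key[1]):
            if stage not in seen.get(key, set()):
                findings.add((*key, stage, "check not recorded"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_seals(MANIFEST, CHECK_LOG):
        print(*finding, sep=" | ")
```

On the constructed log, the audit reports the mismatched 'results' seal on one machine and the 'results' seal that was never re-checked at close on another.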
Although these are possible scenarios, it would take a highly organized attack to take advantage of these vulnerabilities. A hacking group or an individual hacker could not do enough on their own to compromise an election based on these vulnerabilities. Only a nation-state, an associated intelligence agency, or an organized group of insiders would have the access and know-how to pull off an attack that would have enough scope to compromise an election. If that was the case in any previous election, these groups are smart enough to hide any evidence of their attack.
In conclusion, I would have to say that Dominion does a good job in making sure that elections using its machines produce valid results. Vulnerabilities exist and will likely continue to be found; however, for the moment, they can only be exploited by highly experienced individuals or insiders who have malicious intentions. But it is not only the company that needs to be vigilant. Access to the machines or their components needs to be strictly controlled throughout their production and deployment to ensure absolute election security.