June 14, 2023 ~ Today, the U.S. District Court for the Northern District of Georgia permitted the public release of Security Analysis of Georgia’s ImageCast X Ballot Marking Devices, a 96-page report that describes numerous security problems affecting Dominion voting equipment used in Georgia and other states.
Security Analysis of Georgia’s ImageCast X Ballot Marking Devices PDF
gov.uscourts.gand_.240678.1681.0I prepared the report two years ago, together with Prof. Drew Springall of Auburn University, as part of a long-running voting-rights lawsuit, Curling v. Raffensperger. Back in September 2020, the Court granted the Curling Plaintiffs access to one of Georgia’s touchscreen ballot marking devices (BMDs) so that they could assess its security. Drew and I extensively tested the machine, and we discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers. The most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a county’s central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them.
Our report explains how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia, including how they could defeat the technical and procedural protections the state has in place. While we are not aware of any evidence that the vulnerabilities have been exploited to change votes in past elections, without more precautions and mitigations, there is a serious risk that they will be exploited in the future.
The report was filed under seal on July 1, 2021 and remained confidential until today, but last year the Court allowed us to share it with CISA—the arm of DHS responsible for election infrastructure—through the agency’s coordinated vulnerability disclosure (CVD) program. CISA released a security advisory in June 2022 confirming the vulnerabilities, and Dominion subsequently created updated software in response to the problems. Georgia Secretary of State Brad Raffensperger has been aware of our findings for nearly two years, but—astonishingly—he recently announced that the state will not install Dominion’s security update until after the 2024 Presidential election, giving would-be adversaries another 18 months to develop and execute attacks that exploit the known-vulnerable machines.
Read Full Article on Freedom-To-Tinker.com
Georgia Secretary of State Refusing to Testify
December 26, 2023 ~ Last month U.S. District Judge Amy Totenberg ruled that a lawsuit against Georgia’s use of electronic voting machines must go to a non-jury trial in January. She ordered Secretary of State Brad Raffensperger to defend the state’s utilization of electronic voting prior to the upcoming presidential primary election because the lawsuit questions whether Georgia’s current system of computerized voting is safe or whether it is vulnerable to potential hacking.
However, the state (spending taxpayer money) is now appealing to the 11th Circuit Court of Appeals to keep Raffensperger from testifying.
Says one lawyer to James Magazine Online familiar with the case: “Raffensperger selected the system, repeatedly defends the system as secure, but now can’t take an hour or so in federal court to defend it.”
By Phil Ken