June 14, 2023 ~ Today, the U.S. District Court for the Northern District of Georgiaย permittedย the public release ofย Security Analysis of Georgiaโs ImageCast X Ballot Marking Devices, a 96-page report that describes numerous security problems affecting Dominion voting equipment used in Georgia and other states.
Security Analysis of Georgiaโs ImageCast X Ballot Marking Devices PDF
gov.uscourts.gand_.240678.1681.0I prepared the report two years ago, together with Prof. Drew Springall of Auburn University, as part of a long-running voting-rights lawsuit, Curling v. Raffensperger. Back in September 2020, the Court granted the Curling Plaintiffs access to one of Georgiaโs touchscreen ballot marking devices (BMDs) so that they could assess its security. Drew and I extensively tested the machine, and we discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers. The most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a countyโs central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them.
Our report explains how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia, including how they could defeat the technical and procedural protections the state has in place. While we are not aware of any evidence that the vulnerabilities have been exploited to change votes in past elections, without more precautions and mitigations, there is a serious risk that they will be exploited in the future.
The report was filed under seal on July 1, 2021 and remained confidential until today, but last year the Court allowed us to share it with CISAโthe arm of DHS responsible for election infrastructureโthrough the agencyโs coordinated vulnerability disclosure (CVD) program. CISA released a security advisory in June 2022 confirming the vulnerabilities, and Dominion subsequently created updated software in response to the problems. Georgia Secretary of State Brad Raffensperger has been aware of our findings for nearly two years, butโastonishinglyโhe recently announced that the state will not install Dominionโs security update until after the 2024 Presidential election, giving would-be adversaries another 18 months to develop and execute attacks that exploit the known-vulnerable machines.
Read Full Article on Freedom-To-Tinker.com
Georgia Secretary of State Refusing to Testify
December 26, 2023 ~ Last month U.S. District Judge Amy Totenberg ruled that a lawsuit against Georgiaโs use of electronic voting machines must go to a non-jury trial in January. She ordered Secretary of State Brad Raffensperger to defend the stateโs utilization of electronic voting prior to the upcoming presidential primary election because the lawsuit questions whether Georgiaโs current system of computerized voting is safe or whether it is vulnerable to potential hacking.
However, the state (spending taxpayer money) is now appealing to the 11th Circuit Court of Appeals to keep Raffensperger from testifying.
Says one lawyer to James Magazine Online familiar with the case: โRaffensperger selected the system, repeatedly defends the system as secure, but now canโt take an hour or so in federal court to defend it.โ
By Phil Ken
