J. Alex Halderman (Credit: CSpan)
On Wednesday, the Federal District Court for the Northern District of Georgia unsealed the 96-page Halderman Report – the Security Analysis of Georgia’s ImageCast X Ballot Marking Devices.
Georgia Secretary of State Brad Raffensperger has been hiding this report from the public for two years.
University of Michigan Professor of Computer Science and Engineering J. Halderman and Security Researcher and Assistant Professor at Auburn University Drew Sringall collaborated on the report where they discovered many exploitable vulnerabilities in the Dominion Voting Systems’ ImageCast X system.
Far-left Judge Amy Totenberg sealed and covered up the results of the investigation of Dominion voting machines in Georgia and sat on the report until this week.
The report confirms that votes can be altered in the Dominion voting machines. In fact, the report reveals that the Dominion software is vulnerable and can be hacked.
Trump-hating Secretary of State Raffensperger hid this information from the public until now. Why is that?
Here is a copy of the Halderman Report released this week.
Halderman Report on Georgi… by Jim Hoft
Professor Halderman wrote about his findings in a blog post on Wednesday.
Back in September 2020, the Court granted the Curling Plaintiffs access to one of Georgia’s touchscreen ballot marking devices (BMDs) so that they could assess its security. Drew and I extensively tested the machine, and we discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers. The most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a county’s central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them.
Our report explains how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia, including how they could defeat the technical and procedural protections the state has in place. While we are not aware of any evidence that the vulnerabilities have been exploited to change votes in past elections, without more precautions and mitigations, there is a serious risk that they will be exploited in the future.
On Thursday Professor Halderman tweeted out that Georgia Secretary of State Brad Raffensperger will not install Dominion’s security patches before the 2024 election.
The known breaches in Georgia would be sufficient to uncover and exploit every vulnerability we found—and likely others we missed. Yet MITRE’s risk assessment assumes that Georgia perfectly protects the equipment from illicit access across all of its 159 counties.
— J. Alex Halderman (@jhalderm) June 14, 2023
This was taken from a recent Raffensperger statement.
Raffensperger, a vocal Never-Trumper, has been aware of the investigators’ findings for two years!
That means he ran the vulnerable machines during his reelection in 2022!
What is up with Brad Raffensperger? (The Gateway Pundit, 6/15/2023) (Archive)
Also via Gateway Pundit, 6/15/2023:
(…) Garland Favorito brought the receipts with him on The War Room.
Garland Favorito: Finally, just yesterday I believe this report was released and it has some amazing findings that basically say what we have been saying all along. What Mike (Lindell) has been saying, what you and I have been saying, and so many people, that the system is very insecure. It can be hacked.
So what Dr. Halderman did is he looked at only the ballot marking device part of the system. This (investigation and report) is limited to that. It doesn’t actually even include the scanners which have another incredibly vulnerable. Which we have already found have been compromised in the 2020 election in Fulton County. So that’s the background, Steve, of all of what’s been going on.
Steve Bannon: I just want to make sure. I want you go through the slides. Holleman’s totally independent, right? He’s some guy that’s an expert in the field. He’s a subject matter expert. He has no axe to grind on this, correct?
Garland Favorito: Absolutely. And if anything, he leans far more on the Democrat side than the Republican. But as you said, he’s an independent professor. Certainly has no axe to grind, particularly for Donald Trump or any Republicans…
…It was a titanic fight. People from all over different organizations have requested that this report be released for the security of their own voting systems. The Secretary of State of Louisiana requested that it be released. OAN requested that it would be released for part of their lawsuit. I think Fox News as well, because Dominion is suing them. It’s critical information, but it’s critical to the security of elections in the country because you could do Dr. Halderman could have done the same thing to a different vendor as well.
Slide two if Cameron has that already. But basically this is about what we call the Dominion ICX, which is the ballot marking device. And — Dr. Holleman says that… the ICX suffers from critical vulnerabilities that can be exploited to subvert all of its security mechanisms. He goes on to say that he demonstrates that these vulnerabilities provide multiple routes by which attackers can install malicious software on Georgia ballot marking devices. And he continues on, he says, “I explain how such malware can alter voters’ votes while subverting all of the procedural protections practiced by the state. That’s about as damning as you can get.
You go on to number slide three, and he says that attackers can alter the QR codes on the printed ballots to modify voter selections. The QR code, Steve, as you know, contains the votes. The votes are accumulated out of the QR code. The system does not accumulate what the voter actually can see on text. And he also found that the attackers can forge or manipulate the smart cards that the ballot marking device uses to authenticate technicians, poll works, and voters you can manipulate. He goes on to show how they are forged. He actually forged the cards and did all sorts of things as part of his analysis.
So flipping on to the next slide, he says that the software update that Georgia installed in October 2020 left Georgia’s ballot marking devices in a state where anyone can install malware with only brief physical access to the machines. And he goes on to say, I showed that this problem can potentially be exploited in the polling place even by nontechnical voters. Go on to the next slide. And he goes on to say, I demonstrate that attackers can execute arbitrary code with root supervisory privileges, which means that. You have control of everything on the machine.
And he says by altering the election definition file that county workers copy to every BMD before each election, this has been the key point of our concerns, is that this election definition file comes from the state, and the state propagates this to every county, which propagates it to every voting machine. And Professor Holland again says that attackers could exploit this to spread malware to all ballot marking devices across the county or the entire state. And we believe that has actually been done because in 2017, we found that the Secretary of State’s Election Management Server, the state server, was exposed to the Internet for virtually anyone in the world to place malware on it. So head on to the next slide. The ICX contains numerous unnecessary Android applications.
And he talks about a terminal emulator that has a supervisory command interface that overrides all of the access controls. So he goes on to say that an attacker can alter the ballot marking devices audit logs simply by opening them in the on screen text editor application. So you could literally audit you could audit the audit logs just like you would create or change a Word document. That’s how easy that would be.
Going on to the next slide. He says that I developed a series of proof of concept attacks, which he goes over in his 96-page report. And he says that – vulnerabilities in the ballot marking device could be used to change the personal votes of individual Georgia voters, it is very likely that there are other equally critical flaws that are yet to be discovered…
…He said that attackers only have to find one of the flaws. They don’t have to find them all. He found I don’t know how many, probably a dozen or more.
Next slide. He goes on to say that the ICX BMDs that’s the Dominion ICX ballot marking devices are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia… Despite the addition of a paper trail, the malware can still change individual votes and most election outcomes without detection. And then we’ve got just one or two more slides.
The next slide: Using vulnerable ICX BMDs for all in-person voters, as Georgia does, greatly magnifies the security risk compared to jurisdictions that just use handmark paper ballots but provide the ballot marking devices to the voters upon request. So in other words, if you have a voter with an impairment, they need ballot marking device. But when you give this ballot marking device to every single voter, it increases the security risk by an incredible order of magnitude. And Dr. Haldeman goes on to say that the critical vulnerabilities in the ICX indicate that it was developed without sufficient attention to security during design, software engineering and testing. Certainly, I think that is true because why would a vendor come out with a QR-coded voting system after we had 15 years of complaints against the unverifiable voting of the old paperless DREs these systems? And it’s not just Dominion, it’s E&S as well. They have one. They are ill-conceived from the point that they were originally designed.
Video via Midnight Rider