‘Bombshell’ Report on Georgia’s Voting Machines Reveals the Many Ways U.S. Elections Can Be Rigged
Earlier this week, a redacted version of the much-anticipated Halderman report on Georgia’s voting machines and weak election security procedures was unsealed by a court.
The investigative report contains numerous bombshell findings that vindicate those who raised serious concerns about the weak security of the Dominion Voting Machines used for Georgia’s elections, as well as in 24 other states, and the ability of malicious actors to potentially rig elections. The key takeaways are truly disturbing…
The Forensic Investigator’s Credentials Must Be Taken Seriously
My name is J. Alex Halderman. I am Professor of Computer Science and Engineering, Director of the Center for Computer Security and Society, and Director of th Software Systems Laboratory at the University of Michigan in Ann Arbor. I hold a Ph.D. (2009), a master’s degree (2005), and a bachelor’s degree (2003), summa cum laude, in computer science, all from Princeton University.
I have published numerous peer-reviewed research papers analyzing security problems in electronic voting systems used in U.S. states and in other countries. […]
I serve as co-chair of the State of Michigan’s Election Security Advisory Commission, by appointment of the Michigan Secretary of State. […]
I received the John Gideon Award for Election Integrity from the Election Verification Network, the Andrew Carnegie Fellowship, the Alfred P. Sloan Foundation Research Fellowship, the IRTF Applied Networking Research Prize, the Eric Aupperle Innovation Award, the University of Michigan College of Engineering 1938E Award for teaching and scholarship, and the University of Michigan President’s Award for National and State Leadership. […]
I declare under penalty of the perjury laws of the State of Georgia and the United States that the foregoing is true and correct, and that this report was executed this 1st day of July, 2021.
Georgia a Prime Target for Election Fraud
My technical findings leave Georgia voters with greatly diminished grounds to be confident that the votes they cast on the ICX BMD are secured, that their votes will be counted correctly, or that any future elections conducted using Georgia’s universal-BMD [Ballot-Marking Device] system will be reasonably secure from attack and produce the correct results. No grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia’s elections already possess. Unfortunately, even if such an attack never comes, the fact that Georgia’s BMDs are so vulnerable is all but certain to be exploited by partisan actors to suppress voter participation and cast doubt on the legitimacy of election results. […]
As of November 2020, approximately 24 states used one or more components of the Dominion Democracy Suite voting system [88], which encompasses various models and versions of ballot scanners, BMDs, and election management system software. Georgia uses Democracy Suite version 5.5{A, including ImageCast X Prime (ICX) BMDs, ImageCast Precinct (ICP) precinct-count optical scanners, ImageCast Central (ICC) central-count optical scanners, and the Democracy Suite EMS.
My analysis focuses on the ICX BMD. In 2020, the ICX was used in parts of 16 states: Alaska, Arizona, California, Colorado, Georgia, Illinois, Kansas, Louisiana, Michigan, Missouri, Nevada, New Jersey, Ohio, Pennsylvania, Tennessee, and Washington. Although the vast majority of jurisdictions provide the ICX BMD to voters on request to assist with accessibility, Georgia is the only state to mandate ICX BMDs as the primary method of in-person voting state-wide. […]
Notably, both styles of ballot manipulation are far greater risks when BMDs are used for all in-person voters, as in Georgia, than when only a small fraction of voters use them, as in most other states. When few voters use BMDs, even changing every BMD ballot could only affect the outcome of contests with very narrow margins, and successful fraud would usually require cheating on such a large fraction of BMD ballots that it would likely be discovered. This makes the BMDs an unappealing target and reduces the risk that they will be attacked at all. In contrast, Georgia’s universal-use BMDs would be a very appealing target, since they expose all in-person voters to potential ballot manipulation.
Hackers Can Compromise Not Only Elections, But Audits
The ICX’s vulnerabilities also make it possible for an attacker to compromise the auditability of the ballots, by altering both the QR codes and the human readable text. Such cheating could not be detected by an RLA or a hand count, since all records of the voter’s intent would be wrong.
Georgia’s Current Voting Machines Worse in Some Ways Than Previous Models
I have identified critical vulnerabilities in the ICX software that enable an attacker to remotely execute arbitrary code on the device. These vulnerabilities can be exploited by maliciously altering the election definition files that workers copy to all ICXs before every election.
Security experts consider arbitrary code execution to be one of the most dangerous classes of vulnerabilities, particularly when it can be exploited to run code with root privileges, as it can on the ICX. In 2006, Harri Hursti discovered a similar arbitrary code execution vulnerability that affected Georgia’s old AccuVote TS-X DREs [45]. At the time, Defendants’ expert Michael Shamos called it “‘the most serious security breach that’s ever been discovered in a voting system.’ The vulnerabilities in the ICX are as or more severe.
Using these vulnerabilities, I developed functional proof-of-concept malware that automatically and invisibly installs itself on any ICX on which an infected election definition files is loaded, then manipulates voters’ printed ballots to steal votes. By compromising election definition files in this way, an attacker with access to a county’s EMS could spread malware to all ICXs in the county, and an attacker who infiltrated the systems that Dominion uses to prepare initial election projects for all Georgia counties could spread vote-stealing malware to every ICX used in Georgia. As I discussed in Section 3.2, even the ICX’s use of a paper trail poses no obstacle to vote-stealing attacks in the vast majority of elections and contests, and malware can also evade Georgia’s other technical and procedural defenses.
Remote Hackers Can Install Malware to Compromise Elections in Numerous Ways
I have described several methods by which attackers can install malware with only brief physical access to an ICX. Although these are severe vulnerabilities, the ICX is also vulnerable to an even more dangerous method of malware installation. By modifying the election definition files that election workers copy to the BMDs before each election, attackers can spread malware to them remotely, with no physical access to the individual machines. By levering this vulnerability, an attacker who infiltrates a county Election Management System (EMS) can spread malware to every ICX in the county, and infiltrating other systems could allow vote-stealing malware to be spread to all ICXs state-wide. […]
An attacker who infiltrates the facility where Dominion prepares Election Projects could modify the election definitions distributed to all Georgia counties, and thereby spread malware to every ICX used in Georgia. Such attacks could be automated through the use of further malicious software installed on infiltrated EMS systems. That software would be programmed to detect when a new Election Package was loaded. […]
Given the ability to execute arbitrary code as root, the last step to remotely installing malware is replacing the ICX App’s code with a maliciously modified version, which can be constructed as described in Section 7. An attacker could replace the app’s code by several means; I demonstrate one particularly efficient method that is a variation of a technique presented at the Black Hat Asia conference in 2015 by Paul Sabanal.
Attackers Can Obtain Root Privileges and Rig Elections for Parties, Candidates
An attacker with physical access to the BMD can manipulate the logs and counters via several routes. First, they need to escape from the ICX App, using any of the methods described in Section 8. After accessing the underlying Android operating system, it is a simple matter to locate the applicable file and change its contents to suit the attacker’s purposes.
While I describe manual modification techniques here, malware can also obtain root privileges. […]
An attacker could, of course, implement different or more complex logic to determine when and how to cheat. Malware on the ICX has access to the complete ballot design, and could be programmed to cheat in favor of candidates from a specific party, in contests for a particular office, or in particular kinds of elections. For example, it could always favor one party’s candidate in U.S. House races during general elections. An attacker also could choose to change only the QR code or both the QR code and the human-readable text. Malware with such variations could be constructed in the same manner as the proof-of-concept malware described here. […]
As a result, once at least one ballot has been voted for the attacker’s preferred candidate, subsequently printed ballots will contain QR codes that encode votes for that candidate.
For demonstration purposes, I hard-coded the target contest and favored candidate, and I programmed the device to cheat as often as possible. In practice, an attacker could remotely (e.g., using WiFi or Bluetooth) select the fraction of votes to shift and which candidate in which contest should receive them.
Similarly, the attacker could remotely enable or disable the cheating, thereby defeating any pre-election testing. With wireless control, the attack device could be installed in the printer once and cheat in any subsequent election.
Installing Malware Locally is Easy, Requires No Special Expertise
An attacker who has access to an ICX BMD has multiple ways to install malicious software, such as the vote-stealing malware described in Section 7. In this section, I describe three separate techniques for accomplishing this that I have successfully tested with the ICX from Fulton County.
These techniques do not require any secret passwords, PINs, or keys, nor does the attacker have to open the device’s chassis or break any tamper-evident seals. They only need physical access to the BMD for a few minutes. Attackers could gain such access before machines are delivered from the manufacturer, while they are in storage, while they are being prepared for use in an election, or at the polling place. As I will show, malware could potentially even be installed by regular voters, without any special level of access or technical skill.
QR Codes are Not ‘Encrypted’ in the Way Georgia Election Officials Had Claimed
Dominion’s documentation claims that the QR codes are encrypted [19, § 2.6.1.1], and, at least as recently as January 2021, Secretary of State Chief Operating Officer Gabriel Sterling has repeated this claim to the media as a security feature of Georgia’s voting system [91]. In actuality, as I testified last year, no part of the QR codes is encrypted. While voters have no practical way to read or verify the votes encoded in the QR codes, they can be decoded by attackers and can be replaced or manipulated to steal voters’ votes.
Although the QR codes are not encrypted, they use a data format this is incompatible with most off-the-shelf barcode reader software.
Although cheating by malware that changed only ballot QR codes could be detected by a rigorous risk-limiting audit if the malware altered enough votes to change the outcome of the contest targeted by the audit, the vast majority of elections and contests in Georgia (even high-profile ones) are not audited at all.
Dominion Voting Machines are Plagued by Weak Security
Dominion could have used digital signatures to secure the ICX election definition files against malicious modification. Instead, there does not appear to be any cryptographic integrity protection, beyond verifying that the decrypted file is a properly formed Zip archive. As a result, anyone with access to the encryption key and IV discussed above can decrypt the ICX.dat file, modify it, and re-encrypt it using a command similar to the one shown above. My testing shows that the ICX will accept the modified file as if it were genuine.
Fulton County Questions More Serious After Forensic Investigation
Issue: The ICP as tested did not require ballots to be printed on security paper, and it accepted ICX ballots photocopied on normal office paper.
Georgia uses special “security” paper stock for official ballots, including those printed by BMDs. However, when I tested the Fulton County ICP using ballots printed on normal copier paper, it accepted and counted them normally.
I also tested scanning photocopies of BMD-printed ballots, and the ICP again accepted and counted them normally.
Fulton County Sent Test Scanner That Failed Even Rudimentary Security Precautions
That Fulton County election workers selected an inappropriate seal and failed to properly install it on a scanner they knew would be subjected to security testing suggests that Georgia security seal practices are insufficient to reliably protect the state’s election equipment from undetected physical access.
The entire report can be read here.