Security Analysis of the Dominion ImageCast X

2023-06-19 21:56:34

J. Alex Halderman is Professor of Computer Science & Engineering at the University of Michigan and Director of Michigan’s Center for Computer Security & Society. He has twice testified to Congress about election cybersecurity, and he co-chairs the State of Michigan’s Election Security Advisory Commission. His course on election technology, Securing Digital Democracy, is available on Coursera.

Today, the U.S. District Court for the Northern District of Georgia permitted the public release of Security Analysis of Georgia’s ImageCast X Ballot Marking Devices, a 96-page report that describes numerous security problems affecting Dominion voting equipment used in Georgia and other states.

I prepared the report two years ago, together with Prof. Drew Springall of Auburn University, as part of a long-running voting-rights lawsuit, Curling v. Raffensperger. Back in September 2020, the Court granted the Curling Plaintiffs access to one of Georgia’s touchscreen ballot marking devices (BMDs) so that they could assess its security. Drew and I extensively tested the machine, and we discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers. The most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a county’s central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them.

Our report explains how attackers could exploit the flaws we found to change votes or potentially even affect election outcomes in Georgia, including how they could defeat the technical and procedural protections the state has in place. While we are not aware of any evidence that the vulnerabilities have been exploited to change votes in past elections, without additional precautions and mitigations there is a serious risk that they will be exploited in the future.

The report was filed under seal on July 1, 2021 and remained confidential until today, but last year the Court allowed us to share it with CISA—the arm of DHS responsible for election infrastructure—through the agency’s coordinated vulnerability disclosure (CVD) program. CISA released a security advisory in June 2022 confirming the vulnerabilities, and Dominion subsequently created updated software in response to the problems. Georgia Secretary of State Brad Raffensperger has been aware of our findings for nearly two years, but—astonishingly—he recently announced that the state will not install Dominion’s security update until after the 2024 Presidential election, giving would-be adversaries another 18 months to develop and execute attacks that exploit the known-vulnerable machines.

Beyond these implications for election practice, our work is scientifically important. It is the first study in more than 10 years to comprehensively and independently assess the security of a widely deployed U.S. voting machine, as well as the first-ever comprehensive security review of a widely deployed ballot marking device. Security researchers studied numerous U.S. voting machines 10-20 years ago, and their findings clearly established that voting equipment tends to suffer from security flaws. But one might wonder whether election equipment sold today is more secure than equipment produced in decades past. Our findings suggest that the answer is no. This highlights the need for further improvements to the software engineering, testing, and certification processes for U.S. voting equipment, and it underscores the importance of conducting rigorous post-election audits of every major electoral contest, as recommended by the National Academies.

Drew and I are grateful to the Curling Plaintiffs and their legal team for the opportunity to perform this work. We also thank the numerous experts who helped explain to the Court why making the report public now is responsible disclosure that serves the public’s interest. Adversaries seeking to attack election systems can readily discover the same or similar problems in the Dominion ImageCast X, but unsealing the report will help equip election officials and other policymakers with the information they need to mount an effective response.

You can read the previously-sealed “Halderman and Springall Report” here.

There have been many developments in the two years since the report was written. The rest of this post will provide essential context for understanding the findings and their implications for election security and public policy.

What is the Curling lawsuit?

Since 2017, concerned voters and advocates have been challenging aspects of Georgia’s election technology in federal court. Their lawsuit, Curling v. Raffensperger, began when Georgia still used Diebold paperless touchscreen voting machines. A decade earlier, I helped California’s Secretary of State conduct a landmark security review that found ways to infect the same Diebold models with vote-stealing malware (among other problems). California responded by decertifying the Diebold system, but Georgia used it statewide through the end of 2019 without even patching the security flaws. After extensive expert testimony about the vulnerability of the Diebold equipment, Judge Amy Totenberg ordered Georgia to replace the machines by the beginning of 2020.

Ignoring advice from election security experts, including the lone cybersecurity expert on the Governor’s commission to recommend a new voting system, Georgia replaced the Diebold machines with a new voting system that is centered around the Dominion ImageCast X (ICX) ballot-marking device. Voters use the BMD to make selections on a touchscreen and print a marked ballot, which is then scanned and counted by a separate machine. In most of the U.S., voters mark ballots by hand, and BMDs like the ICX are reserved as an assistive technology for voters who need them. Georgia, by contrast, is one of only two states where everyone who votes in person is required to use a BMD statewide. This arrangement, known as “universal-use BMDs”, creates security risks by placing a potentially hackable computer between voters and their ballots. Because of these security concerns, the Curling suit continued, and the Plaintiffs are now challenging Georgia’s universal-use BMD system.

The Dominion ICX BMD consists of an off-the-shelf tablet and laser printer.

In September 2020, the Court authorized the Plaintiffs to test the security of the BMD system, subject to strict protocols, including a protective order to ensure confidentiality and continuous video monitoring. The Curling Plaintiffs commissioned Drew and me to perform their security review. We were provided a Dominion ImageCast X (ICX) BMD and a Dominion ImageCast Precinct (ICP) ballot scanner, both configured as they would be used in a real election in Georgia. We were also provided access tokens and passwords that allowed us to operate the equipment as poll workers would and conduct mock elections. (Contrary to the Georgia Secretary of State’s spin, providing such passwords is a routine part of security testing. The passwords aren’t necessary to compromise the equipment, because, as our report explains, there are multiple ways that attackers can bypass them.) I submitted an expert report describing our findings under seal with the Court on July 1, 2021, and it has remained confidential until now.

The Curling Plaintiffs, Secretary Raffensperger, Dominion, and CISA have all requested that the report be unsealed. Last week, the Court authorized its public release, with several narrow redactions that Drew and I proposed to withhold key technical details that would benefit attackers. It was posted on the public docket today.

What vulnerabilities did you find?

The ICX is a commercial off-the-shelf (COTS) tablet computer running the same Android operating system used in devices like cell phones. The voting functions are provided by a custom app written by Dominion. Georgia’s version of the software (Democracy Suite 5.5-A) uses Android 5.1.1, which has not been updated (even to address security vulnerabilities) since 2015.

We applied an open-ended vulnerability testing methodology, in which we assumed the role of an attacker and attempted to find ways to compromise the system. Over roughly 12 person-weeks of investigation, we found vulnerabilities in almost every significant attack surface and developed multiple proof-of-concept attacks to exploit them.

The most critical vulnerability we found is a software flaw that would allow an attacker to spread malware from a county’s central election management system (EMS) computer to every ICX in the jurisdiction. Before an election, workers use the EMS to prepare an election definition—data files that describe what is on the ballot—and they copy this data from the central computer to every ICX using USB sticks. We discovered a vulnerability in the ICX software that loads the election definitions. By modifying the election definition file in a precise way, an attacker can exploit the vulnerability to install arbitrary malicious code that executes with root privilege when the ICX loads the election definition. The underlying problem is a classic “Zip Slip” vulnerability (in which a modified .zip file can overwrite arbitrary filesystem paths when it is decompressed), coupled with a badly designed system-level service that facilitates privilege escalation.
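The defensive side of the “Zip Slip” class described above is a decompressor that refuses any archive entry whose resolved path would land outside the destination directory. The following Python is an added illustration, not code from the report or from Dominion’s software: it builds a small constructed archive containing one benign entry and one entry that uses a `..` component to escape, then extracts only the entries that stay inside the target directory and reports the ones it rejected. The archive contents and file names are made up for the demonstration.

```python
import io
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real election definition): one benign
    entry and one entry whose name tries to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("election/contests.txt", "contest data (constructed)")
        zf.writestr("../etc/planted.txt", "would land outside the target")
    return buf.getvalue()


def is_safe_member(dest: Path, member_name: str) -> bool:
    """True only if `member_name`, resolved against `dest`, stays inside `dest`.
    Rejects empty names, absolute names, embedded NULs, any '..' component, and
    anything whose resolved path is not under the destination."""
    if not member_name or "\x00" in member_name:
        return False
    normalized = member_name.replace("\\", "/")
    if normalized.startswith("/") or Path(normalized).is_absolute():
        return False
    if any(part == ".." for part in Path(normalized).parts):
        return False
    resolved = (dest / normalized).resolve()
    try:
        resolved.relative_to(dest.resolve())
    except ValueError:
        return False
    return True


def safe_extract(archive_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only members that stay inside `dest`.
    Returns (extracted_names, rejected_names) so callers can log the rejects."""
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the sample archive into a fresh temporary directory and report
    which entries were written and whether the escaping entry landed anywhere."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "election-definition"
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "benign_file_present": (dest / "election" / "contests.txt").is_file(),
            "escaped_file_present": (Path(tmp) / "etc" / "planted.txt").exists(),
        }


if __name__ == "__main__":
    print(run_demo())
```

Python’s own `ZipFile.extractall` already strips leading slashes and `..` components, so the value of an explicit check like `is_safe_member` is that rejected entries are surfaced and can be logged or treated as a tamper signal rather than silently normalized away; an unpacking routine that hands the raw entry name to a file API without such a check is the pattern the report’s Zip Slip finding describes.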

This attack is especially dangerous because it is scalable—a single intrusion into the EMS computer in a county office could affect equipment in polling places over a very wide area. Attackers do not need access to each individual machine.

EMSs are supposed to be well secured, and in most (but not all) states they are not supposed to be connected to external networks. However, they are vulnerable to attacks by election insiders—or outsiders with insider help. Following the November 2020 election, local officials in several states, including Georgia, gave potentially untrustworthy outsiders physical access to their EMSs and other equipment. That is exactly the kind of access that would enable the attack I have just described (and many other attacks as well).

We also discovered a wide variety of other vulnerabilities in the ICX. I encourage you to read the full report for details, but here are a few examples:

  • The ICX doesn’t properly limit what kinds of USB devices can be plugged in, and it doesn’t adequately prevent users from exiting the voting app. As a result of a botched Dominion software update installed by Georgia, anyone can attach a keyboard and press alt+tab to access Android Settings, then open a root shell or install arbitrary software. We show that this could even be exploited by a voter in the voting booth, by reaching behind the printer and attaching a USB device called a Bash Bunny to the printer cable.
  • The ICX uses smartcards to authenticate service technicians, poll workers, and voters, but the smartcard authentication protocol is completely broken. Attackers can create counterfeit technician cards that give them root access to the machine, steal county-wide cryptographic secrets from access cards used by poll workers, and create “infinite” voter cards that allow an unlimited number of ballots.
  • The ICX ships with a text editor and a terminal emulator that allows root access. Anyone with access to an ICX can use these apps to tamper with all of the machine’s logs and protective counters, using only the on-screen keyboard.

The breadth of these problems speaks to the generally poor quality of software engineering that went into the ICX, and the lax security standards under which it was tested and certified.

Isn’t there a paper trail? Why is malware a risk?

Here is an example of a ballot produced by an ICX in Georgia. It will help illustrate what an attacker could potentially do by installing malware on the BMDs. Notice that the voter’s selections are printed as a long list of small text at the bottom of the page. The computer scanners that count the ballots ignore that text. Instead, the votes they count come exclusively from data in the QR code (the square barcode in the middle of the page).

An ICX ballot. Ballot scanners count the votes in the QR code, not the text.

An attacker who wants to change votes has two good strategies: (1) change only the data in the QR code; or (2) change both the QR code and the text, in a way that agrees. The vulnerabilities we found would let an adversary carry out either attack by tampering with the ICX’s software.

If an attacker changes only the QR code, voters have no way to detect the change by reviewing their ballots, since voters can’t read the QR code. The change might be detected in a manual recount or a risk-limiting audit (RLA) based on a review of the printed text, but that is unlikely given Georgia’s weak audit requirements, which have recently been further diluted. Absent a rigorous audit of the paper ballots for the affected contest, this style of attack could change an election outcome without detection.

The other possible attack strategy is to change both the QR code and the ballot text. In that case, there is no possibility for an audit to detect the fraud, since all records of the vote will be wrong. Only voters could detect the fraud, by carefully reviewing the printed ballot text and raising alarms if it didn’t match their intended selections. This is a problem, because we know that only a small fraction of voters carefully review their ballots. My students and I ran a mock election with BMDs that we secretly hacked to change one vote on every printout, yet only about 6% of our test voters reported the errors. Real voters probably wouldn’t fare much better. In a study commissioned by the Georgia Secretary of State’s Office, University of Georgia researchers observed BMD voters during the November 2020 election. Even when poll workers prompted the voters to review their ballots, 51% barely glanced at them, and fewer than 20% inspected them for even 5 seconds. The ballot image above is from that same election. How long does it take you just to spot that one selection is for a Democrat?

If voters themselves don’t detect the errors on the printed ballot, there is no other way to reliably catch cheating that changes both the QR code and the text. Auditing after the fact wouldn’t help, because all records of the vote would be wrong in a way that matches. And even if some voters complained that their BMDs didn’t record their votes correctly, what could officials do? In a close election (say, a margin of 0.5%), given realistic ballot verification rates, the BMDs could alter enough ballots to change the outcome while raising an average of less than one voter complaint per polling place. There would be no ready way for officials to tell whether those who complained were lying, telling the truth, or simply mistaken. Yet there would also be no way to correct the outcome without rerunning the election. Election officials would have no good options.
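The “less than one complaint per polling place” claim above follows from simple arithmetic about margins and verification rates, and it is worth seeing the calculation laid out, because it also shows what verification rate officials would need for voter reports to become a usable detection signal. The Python below is an added worked example, not part of the original post; the scenario numbers (1,000,000 ballots across 1,000 polling places, a 0.5% margin) are constructed, and the 6% and 20% verification rates are the figures quoted in the paragraphs above.

```python
import math


def outcome_changing_ballots(total_ballots: int, margin: float) -> int:
    """Smallest number of ballots that, if their recorded vote were switched from
    the leader to the runner-up, would reverse a two-candidate contest decided by
    `margin` (the lead as a fraction of all ballots). Each switched ballot moves
    the lead by two votes, so the lead is gone once more than lead/2 are switched."""
    lead_in_votes = margin * total_ballots
    return math.floor(lead_in_votes / 2) + 1


def expected_complaints_per_polling_place(total_ballots: int, polling_places: int,
                                          margin: float, verification_rate: float) -> float:
    """Average number of voters per polling place who would notice and report an
    altered printout if exactly enough ballots to change the outcome were altered
    and a fraction `verification_rate` of voters check their printed ballot."""
    altered = outcome_changing_ballots(total_ballots, margin)
    return altered * verification_rate / polling_places


def verification_rate_for_one_complaint_per_place(total_ballots: int, polling_places: int,
                                                  margin: float) -> float:
    """Fraction of voters who would have to verify their printout for an
    outcome-changing alteration to yield, on average, one complaint per polling place."""
    altered = outcome_changing_ballots(total_ballots, margin)
    return min(1.0, polling_places / altered)


# Constructed scenario (not figures from the post): 1,000,000 ballots cast across
# 1,000 polling places, decided by a 0.5% margin.
SCENARIO = dict(total_ballots=1_000_000, polling_places=1_000, margin=0.005)

if __name__ == "__main__":
    for rate in (0.06, 0.20):   # mock-election and observed-review figures quoted above
        per_place = expected_complaints_per_polling_place(**SCENARIO, verification_rate=rate)
        print(f"verification rate {rate:.0%}: {per_place:.2f} complaints per polling place")
    needed = verification_rate_for_one_complaint_per_place(**SCENARIO)
    print(f"rate needed for one complaint per polling place: {needed:.1%}")
```

In this scenario the alteration needs to touch 2,501 ballots; at a 6% verification rate that is about 0.15 complaints per polling place, and even at 20% it is about 0.5. Roughly 40% of voters would have to check their printouts before officials could expect even one report per polling place, which is the quantitative reason the post treats voter review alone as an unreliable safeguard.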

Are other states affected?

Beyond Georgia, the ICX is used in parts of 16 other states. Most states use it as an optional assistive device that is used by only a small fraction of voters, which is relatively low risk. However, the ICX can also be used as a DRE voting machine, either with or without a paper trail. In this mode, votes are recorded in an electronic database on the ICX, rather than being scanned from the paper by a separate device. Louisiana uses the ICX statewide for early voting as a paperless DRE. In Nevada, most counties use the ICX as a DRE with a paper trail. Many of our findings likely affect the ICX in DRE mode too, which would be extremely dangerous, but we have not been granted the necessary access to test the machine in DRE configurations.

How were these problems disclosed to officials?

Counsel for Georgia’s Secretary of State received the report when I submitted it on July 1, 2021. In December 2021, the Court directed the parties to share the report with Dominion so that the company could begin mitigating the vulnerabilities to the extent possible. In February 2022, at the request of the Curling Plaintiffs, the Court allowed me and Drew to communicate the report to CISA’s coordinated vulnerability disclosure (CVD) program so that other states that use the same equipment could be notified about the problems. CISA validated the vulnerability findings and issued a public security advisory on June 3, 2022.

CISA’s advisory lists 9 individual security flaws (CVEs) affecting the equipment. It concludes that “these vulnerabilities present risks that should be mitigated as soon as possible” and recommends a range of mitigations to “reduce the risk of exploitation.” However, unlike the expert report made public today, CISA’s advisory contains few details about the problems, giving states and experts not involved in the litigation little information to understand why the mitigations are necessary or to prioritize their implementation. The release of the full report helps close this gap, allowing election officials to understand why prompt mitigation is essential.

Following our disclosure, Dominion produced a new software version, Democracy Suite 5.17, that purportedly addresses several of the vulnerabilities described in the report (the update also addresses the DVSorder vulnerability, a serious privacy flaw in Dominion ballot scanners that my students and I discovered outside the context of Curling). The patched software entered federal certification testing in October 2022 and was certified by the U.S. Election Assistance Commission on March 16, 2023. Drew and I do not have access to the updated software (nor, to our knowledge, does CISA), so we cannot verify whether the changes are effective. It is also important to note that our findings suggest there are probably other, equally serious vulnerabilities in the ICX that have yet to be discovered.

Are the machines and software physically secured?

States attempt to control access to voting equipment, but their protections aren’t always effective.

In early 2021, the ICX software used throughout Georgia was stolen and widely distributed by unauthorized parties after local election insiders gave them repeated access to the election management system and voting equipment in at least one Georgia county for a period of weeks. This access, which first came to light because of the Curling lawsuit, would have been sufficient to let malicious parties develop and test attacks that exploit any of the vulnerabilities that Drew and I discovered, and potentially other vulnerabilities that we missed. Kevin Skoglund and I each analyzed forensic evidence from this breach for the Curling case, and we explained its security implications in a pair of expert reports.

Related breaches of local election offices occurred in Michigan and in Colorado, and similar incidents may well happen again.

Further evidence about the physical security of voting equipment in Georgia comes from a 2021 memo (obtained under an open-records request) written by the recently hired election director of Coffee County. He describes how, under his predecessor, the county’s Dominion equipment was “stored in a room with an unlocked door to the outside of the building, a leaking roof, and walls with daylight streaming through crevices.”

What has Georgia done to mitigate the problems?

Although Georgia Secretary of State Brad Raffensperger has had access to our findings for nearly two years, we are unaware of any effective steps the Secretary’s Office has taken to address the vulnerabilities. In particular, it has not implemented the mitigations prescribed by CISA.

Instead, Secretary Raffensperger recently announced that Georgia will not install Dominion’s security patches until after the 2024 presidential election. Announcing this is worse than doing nothing at all, because it puts would-be adversaries on notice that the state will conduct the presidential election with this specific version of software with known vulnerabilities, giving them nearly 18 months to prepare and deploy attacks.

Rather than patching the vulnerabilities, Georgia says it intends to perform security “Health Checks” in each county that will include “verifying HASH [sic] values to confirm that the software has not been modified.” Such “Health Checks” are unlikely to be an effective countermeasure. At best, verifying hashes will only confirm that the equipment is running the vulnerable unpatched software. And as we explain in the report, malware that has infected the ICX can completely hide itself from the kind of hash validation performed in Georgia, which relies on the running software to self-attest to its integrity.
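The distinction the paragraph above draws is between a hash reported by the software being checked and a hash computed by an independent measurer. The Python below is an added simulation, not code from the report or from any vendor or state tool: it models a device’s storage as a dictionary of file contents, a device whose own software answers the “what is your hash?” question, and a verifier that instead hashes storage contents it read itself. After the simulated software is modified, the self-reported check still passes while the independent measurement fails. All file names and contents are constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for a device's storage (path -> contents). These are not real
# ICX files; they only model "the software that is supposed to be installed".
CLEAN_IMAGE = {
    "app/voting.apk": b"voting app, unpatched release (constructed)",
    "system/helper-service": b"system-level helper (constructed)",
}


def measure(image: dict[str, bytes]) -> str:
    """Hash every file in a fixed order. A verifier that reads the storage itself
    gets a value that depends only on what is actually stored, not on anything
    the software on the device says about itself."""
    h = hashlib.sha256()
    for path in sorted(image):
        h.update(path.encode())
        h.update(b"\0")
        h.update(image[path])
        h.update(b"\0")
    return h.hexdigest()


class SimulatedDevice:
    """A device whose own software answers integrity queries. While unmodified it
    hashes its storage honestly; once the software has been replaced, the replacement
    can simply reply with the value recorded before the modification."""

    def __init__(self, image: dict[str, bytes]):
        self.storage = dict(image)
        self._modified = False
        self._pre_modification_hash = measure(self.storage)

    def self_report_hash(self) -> str:
        if self._modified:
            return self._pre_modification_hash  # modified software replays the old value
        return measure(self.storage)

    def modify(self, path: str, new_contents: bytes) -> None:
        self.storage[path] = new_contents
        self._modified = True


def self_attested_check(device: SimulatedDevice, expected_hash: str) -> bool:
    """The kind of check the post criticises: trusts the device's own answer."""
    return device.self_report_hash() == expected_hash


def externally_measured_check(storage_read_independently: dict[str, bytes], expected_hash: str) -> bool:
    """Independent measurement: the verifier hashes storage contents it obtained
    without going through the device's software (modelled by passing the dict)."""
    return measure(storage_read_independently) == expected_hash


def demo() -> dict:
    """Run both checks before and after the simulated software is modified."""
    expected = measure(CLEAN_IMAGE)  # the reference value officials would compare against
    device = SimulatedDevice(CLEAN_IMAGE)
    before = (self_attested_check(device, expected),
              externally_measured_check(device.storage, expected))
    device.modify("app/voting.apk", b"voting app with added code (constructed)")
    after = (self_attested_check(device, expected),
             externally_measured_check(device.storage, expected))
    return {"before_modification": before, "after_modification": after}


if __name__ == "__main__":
    print(demo())
```

Two points follow from the simulation. A self-reported match proves nothing once the reporting code itself can be replaced, so a meaningful check has to measure storage from outside the device (or from hardware the software cannot alter). And even a genuine match against `measure(CLEAN_IMAGE)` only establishes that the unpatched release is installed, which is exactly the “at best” outcome the paragraph describes.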

Didn’t MITRE assert that exploiting the ICX is impractical?

In March 2022, Dominion hired MITRE to respond to our report. Dominion didn’t give MITRE access to the voting equipment or software, so, unlike us, they couldn’t perform any actual security testing. Instead, MITRE assessed the attacks described in our report without meaningful access to the source information.

MITRE’s assessment, which is unsigned, applies faulty reasoning to claim that exploiting the vulnerabilities is “operationally infeasible.” This contradicts CISA’s determination that “these vulnerabilities present risks that should be mitigated as soon as possible.”

MITRE’s entire assessment is based on an assumption known to be false. As noted on the first page of the document, “MITRE’s assessment of the researcher’s proposed attacks assumes strict and effective controlled access to Dominion election hardware and software.” That assumption was ill-considered when it was written, and it is ridiculous today, since we now know that the Georgia ICX software has already been stolen and widely distributed and that election equipment in at least one Georgia county was repeatedly improperly accessed. It is not credible to expect that Georgia will perfectly protect its election equipment from illicit access across all 159 counties.

MITRE’s assessment isn’t merely flawed—it’s dangerous, because it will surely lead states like Georgia to postpone installing Dominion’s software updates and implementing other essential mitigations. In light of the overwhelming evidence of physical security lapses in Georgia and other states, MITRE should retract the report, which fails to account for the real-world conditions under which election equipment is stored and operated.

Update (2023/06/16): More than 25 leading experts in cybersecurity and election security have sent a letter to MITRE CEO Jason Providakes urging him to retract MITRE’s dangerously mistaken report.

What does the EAC say about these problems?

A further implication of our findings is that current U.S. election system testing and certification does not produce adequately secure technology. The ICX was repeatedly tested by federally accredited labs and certified by the U.S. Election Assistance Commission (EAC) and by several states, including Georgia, yet we still managed to find vulnerabilities throughout the system. What’s more, the EAC has said that none of the vulnerabilities we reported—including the arbitrary-code-execution flaw—violate the applicable certification requirements!

This highlights the need to significantly strengthen federal certification. One essential reform is to require rigorous, adversarial-style penetration testing, which legislation recently introduced by Senators Warner and Collins seeks to do. Another essential step is to decertify vulnerable software versions once security updates are available, so that states have the impetus to promptly install such fixes.

Reforms like these are urgent, because our findings suggest a systemic failure in voting system design and regulation. The engineering processes that produced the ICX clearly did not give adequate priority to security, and the result is a brittle system, which we fully expect has additional, equally serious problems left to be discovered. We also expect that there are similar problems in voting equipment and software from other manufacturers, who operate under the same regulations and incentives as Dominion, but whose equipment has yet to receive the same intense public scrutiny.

Does this prove the 2020 election was stolen?

No, of course not.

As I and other election security experts wrote in November 2020, “no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise.” That remains true today. The equipment we tested for the Curling lawsuit did not contain data from past elections, so our investigation could not have uncovered traces of real-world attacks, and we are not aware of any evidence that the vulnerabilities we found were ever exploited maliciously. However, there is a real risk that they will be exploited in the future unless states like Georgia do more to safeguard elections.

For exactly that reason, we urge those working to debunk election conspiracy theories to carefully distinguish between claims that the 2020 U.S. election outcome was hacked—for which there is no evidence—and claims that U.S. elections have real vulnerabilities and face threats from sophisticated attackers—which is the consensus view of the National Academies. Failure to clearly maintain this distinction confuses the public, discredits anti-disinformation efforts, and makes it even more difficult to have essential public conversations about critical election security reforms and to implement those reforms. Voters deserve better.

Will these findings make voters less confident?

We are sorry to be the bearers of bad news when trust in elections is already low, but the public needs accurate information about election security. Whether our findings ultimately strengthen or weaken public trust will depend on how responsible officials respond.

What should be done to fix the problems?

The most effective remedy for the problems we found and others like them is to rely less on BMDs. The risk of attack is much lower when only a small fraction of voters use BMDs, as in most states, than when all in-person voters are forced to use them, as in Georgia. Where BMDs must be used, the risk of an undetected attack can be reduced by not using barcodes to count votes. Officials can configure the ICX to print traditional-style ballots that do not use QR codes. This has the advantage of forcing an attacker to make changes that are (at least in principle) visible to voters. States should also implement rigorous risk-limiting audits of every major contest, which the National Academies has called on all states to do by 2028.

Our findings in Georgia show that elections face ongoing security risks that call for continued vigilance from policymakers, technologists, and the public. In light of these risks, the best way for officials to uphold voter confidence is to further improve security, not to deny that problems exist.
