Dominion Voting Systems is the famous voting machine vendor that’s been at the center of Trump’s 2020 election denial, used in such swing states as Georgia and Arizona. Fox News paid $700 million to settle a defamation lawsuit, over claims that Dominion machines were hacked in that election, and that Dominion itself was complicit in the hacks.
There’s no evidence that Dominion machines were hacked, but they do have vulnerabilities — bugs in the product where in certain cases, they can be hacked. Last year, the government released a redacted report describing some recently discovered vulnerabilities. Specifically, the report dealt with Georgia’s implementation of Dominion’s ballot marking machines using QRcodes to count ballots.
It comes from a lawsuit in Georgia where voting activists hired a university professor, J. Alex Halderman, to review Dominion's ballot marking devices.
Yesterday, the full unredacted report was released, showing even more details (a separate blogpost by Halderman goes into more detail). It shows a pressing need to fix them, though it’s not immediately catastrophic if not fixed.
In this blogpost, I present an independent review. I don’t think I disagree with Halderman (the report’s author) on any key point, but I’ll describe things differently, and stress different conclusions.
The summary of this:
Just because we say something can be hacked doesn't mean it will be hacked (or has been). There are multiple hurdles involved. For example, if you leave your home safe open, it doesn't mean it'll get robbed; the burglar would first have to penetrate the home and find the safe. There can simultaneously be an urgent need to fix a problem, yet not be catastrophic if not fixed.
This is unrelated to the 2020 Presidential race, where recounts and audits were performed to verify there was no such hacking. Even a poorly done audit should’ve found discrepancies.
It's important to fix these problems before the 2024 election, but if they aren't fixed, then we should demand recounts or audits to verify these vulnerabilities weren't exploited.
The underlying problem is Georgia’s use of QRcodes, preventing voters from verifying the printed ballot matches their intent.
It’s damning for Georgia election officials and the independent firm MITRE who continue to deny the vulnerabilities. It’s not going to lead to catastrophe, but their behavior is irresponsible.
Computers still may be more reliable than human beings.
Why computers in the first place?
The reason we have computers is that humans are unreliable. Sure, computers have problems of their own, but many experts trust them more than humans.
When humans mark ballots while voting, they make mistakes.
I apologize for saying this, since most of you reading this are probably human, but human beings are idiots. Election workers struggle to create ballots that aren't confusing. Voters struggle to follow simple directions. Voters sometimes vote for both candidates for president. Sometimes they leave stray marks on the page that confuse counting.
This article by Garret Archer gives a bunch of examples of confused humans marking ballots. Even though voters are clearly instructed to fully fill the oval and not use an X, they still mark the ballot wrong.
To fix this, ballots can be adjudicated. Election workers examine the ballot to figure out the voter’s intent. Sometimes it’s clear and the vote can be fixed, sometimes it’s too vague and the vote must be rejected.
Such adjudication threatens election integrity because partisan election workers can favor their own candidates, either switching votes, or throwing out votes for the opposition.
This is the reason for computer ballot marking devices or BMDs — they don’t allow voters to make these sorts of mistakes. Voters can’t mismark a ballot. Voters can’t vote for more than one Presidential candidate. The computer software stops them.
The ballot marked by a computer is unambiguous and never needs adjudication.
These computers are still marking devices; they produce paper ballots. It's not purely electronic voting where your vote zips across the Internet somewhere (like the older Diebold DRE machines that Dominion BMDs replaced). That would leave no accountability. Instead, once the voter is done, a paper ballot is printed and later counted on a separate machine. The voter can then check the ballot to make sure that what's printed is what they intended. Later, recounts can recount that paper ballot. In theory (though see below), even if the ballot-marking devices were hacked by the Russians, the vote would be secure, because it's the paper ballot and not electronic bits that is the official record.
[This assumes human voters are diligent and double-check the printout, but this is a debate for another day.]
This leads to the next step, counting the votes, called tabulating. Potentially, they can take the paper ballot out of the printer and immediately feed it into a scanner.
Again, humans are fallible and possibly corrupt. Data from hand recounts show that (honest) humans fail about 1% of the time. This is an enormous failure rate when you consider many elections are decided by less than this. By having machines count/tabulate the votes instead of humans, we fix those problems. Every time paper ballots are run through the machine, they should produce the same results.
There are other reasons for using computers, such as efficiency. But the primary reason for computers is accuracy. We use computers because we believe them less fallible than humans. This belief may be wrong (many experts disagree), but it's the reason.
The QRcode problem
At the center of this conflict isn’t computer vulnerabilities or hacking, but Georgia’s insistence on using QRcodes on the printed/marked ballots.
You should be familiar with QRcodes. They look like the following. They are designed to contain a lot of binary data that the computer can easily read, error free. They usually contain a URL — aim your mobile phone camera at it, and it’ll pop up a website. But they can contain any data, such as all the votes in an election.
The ballot-marking device is really just a standard off-the-shelf tablet and printer. The tablet runs the Android operating system, the same as half the mobile phones out there.
Dominion calls their ballot-marking product “ImageCast X”. It’s just software on this standard off-the-shelf hardware.
The voter uses the touchscreen to cast votes for all the races, ballot issues, and so on. When they are done, the printer spits out their marked ballot. It looks something like the one below.
Notice that this has both a QRcode containing the votes and a printed version of the votes. They should match.
At this point, the voter needs to review the ballot, to make sure that it reflects what they selected on the tablet. If it now says "Trump" when they intended to vote for "Biden", they need to fix it. This ballot gets shredded and they start the voting process again to create a new ballot.
Later, the ballots will be counted. The paper will be sent through another machine, a tabulator. The tabulator will read the QRcode.
The problem is that when the tabulator counts your vote, it looks only at the QRcode, and not the human readable names. Even if it appears you voted for Trump, the QRcode may say Biden. If hackers break into the Android device, or the printer, they can secretly change the QRcode's votes, and the voter won't be able to detect the difference.
One solution to this is risk limiting audits, where they pull out random ballots and check that the QRcode matches the human readable votes. There are complex statistical formulas for how many you need to examine to make sure there’s no problem. I’m not a fan, I think we should pursue other solutions, but it’s workable.
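As an added illustration (not code from the report, Dominion, or the audit statistics), this is the comparison a risk-limiting audit performs on each sampled ballot: decode the QRcode's votes, parse the human-readable text, and flag any contest where they disagree. The QR payload format, the ballot definition and the candidate names for the Senate race are constructed here.

```python
"""Added example: check that a ballot's QR payload agrees with its printed,
human-readable votes, as an audit does on sampled ballots. The payload
format 'PRES=1;SEN=0' and the ballot definition are constructed for
illustration and are not Dominion's actual encoding."""
import random

# Constructed ballot definition: contest id -> ordered candidate list.
# The QR payload refers to candidates by their index in this list.
BALLOT_DEF = {
    "PRES": ["Biden", "Trump"],
    "SEN": ["Smith", "Jones"],   # constructed names, not real candidates
}


def decode_qr(payload: str) -> dict:
    """Parse the constructed payload 'PRES=1;SEN=0' into contest -> name."""
    votes = {}
    for field in payload.split(";"):
        contest, idx = field.split("=")
        votes[contest] = BALLOT_DEF[contest][int(idx)]
    return votes


def parse_printed(lines: list) -> dict:
    """Parse printed lines such as 'PRES: Trump' into contest -> name."""
    votes = {}
    for line in lines:
        contest, name = line.split(":", 1)
        votes[contest.strip()] = name.strip()
    return votes


def audit_ballot(payload: str, printed_lines: list) -> list:
    """Return the contests where the QR payload disagrees with the print.
    An empty list means the machine-counted vote matches what the voter saw."""
    qr = decode_qr(payload)
    printed = parse_printed(printed_lines)
    return [c for c in BALLOT_DEF if qr.get(c) != printed.get(c)]


def audit_sample(ballots: list, sample_size: int, seed: int) -> list:
    """Draw sample_size ballots at random (seeded so the draw is reproducible
    and publishable) and return the indices of ballots with a mismatch."""
    rng = random.Random(seed)
    picked = rng.sample(range(len(ballots)), sample_size)
    return sorted(i for i in picked if audit_ballot(*ballots[i]))


if __name__ == "__main__":
    # Constructed pile: ballot 1 has a QR payload that contradicts its print.
    pile = [
        ("PRES=0;SEN=0", ["PRES: Biden", "SEN: Smith"]),
        ("PRES=1;SEN=1", ["PRES: Biden", "SEN: Jones"]),
    ]
    print("ballots with mismatches:", audit_sample(pile, 2, seed=1))
```

Any non-empty result is the signal the audit exists to produce: the QRcode, which is what the tabulator counts, does not say what the voter read.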
Another solution is a full hand count of a race, like the one Georgia performed for the 2020 Presidential race. Even if the Russians were in full control of the ImageCast X ballot marking machines in 2020 using the vulnerabilities Halderman found, we still know that they didn't flip votes, because the Georgia recounts/audits would've discovered this — but didn't.
The problem here is that only the 2020 Presidential race was checked. Other races in Georgia were not. Maybe hackers changed votes in other races, such as Senator or a local city’s fire marshal.
Back when Georgia (under Brian Kemp as Secretary of State) selected Dominion Voting Systems, this issue with QRcodes was hotly debated. Georgia ignored experts at that time complaining that voters couldn’t verify their own ballots.
These new vulnerabilities don’t change this. Even if fixed, there could be other lurking vulnerabilities that hackers may discover. The QRcode hole still needs to be fixed. We need printed ballots that read the same thing voters do.
Stages of vulnerability denial
One of the defining features of the cybersecurity industry is that techies are constantly finding vulnerabilities in products, and non-techies keep denying that they are a concern. That’s what we see here with Halderman claiming important vulnerabilities, denied by Georgia, Dominion, and the MITRE consultants.
It's complicated. There are a lot of crazies out there pretending vulnerabilities exist. Microsoft, Apple, and Google are flooded with crazy claims of vulnerabilities which they rightly reject. But at the same time, serious people notify them of serious problems that need to be fixed. These companies do a good job of responsibly updating their software, which is why you have to update your desktop, phone, and web browser every other month.
As leading tech companies, Google, Microsoft, and Apple are at the forefront of taking vulnerabilities seriously. The entire elections industry (including Dominion) is at the trailing edge, living in denial of the problem. Whereas the leading tech companies respond to vulnerabilities within about 3 months, Georgia is ignoring these vulnerabilities in Dominion for 3 years. They likewise ignored the vulnerabilities in the previous system (Diebold) until a court order forced them to change.
That’s the background behind this press release, with Georgia Secretary of State Raffensperger saying:
Election deniers and those with similar claims in the courts may want us to irresponsibly move faster to make this change. However, I have told our team we will move in a responsible, deliberate, and mature way that will put the needs of voters and our election workers first. I’m an engineer. To build a solid structure, you need a strong well laid foundation. That is what this plan does.
In his vulnerability denial, he's pretending the rest of us experts are election deniers. He's certainly right that there are a lot of Trump election deniers who want to pretend these vulnerabilities were meaningful in the 2020 presidential race. But he's got everything backwards; he's behaving the opposite of "responsible". I would not want to live in a structure built by this engineer.
To defend themselves from the Halderman report, Dominion hired famed tech consulting company MITRE, who produced a report denying the seriousness of the vulnerabilities.
MITRE’s report is fatally flawed.
MITRE claims security-through-obscurity. It’s such a common fallacy in the industry that we all need to point at them and laugh and laugh and laugh. That it’s a fallacy was explained 140 years ago, back in the 1880s. It’s been reinforced time and again over the last 3 decades of the Internet.
The proof that it’s a fallacy is what we’ve seen in the past couple years, such as Tina Peters (Colorado) leaking Dominion’s EMS software on the Internet, and Trump loyalists stealing the ImageCast X software in Georgia. By the 2024 election, Russian hackers will have had years to play with the software Georgia will be using to find the necessary techniques to exploit them.
They argue that most of the attacks aren't scalable. Yes, while a voter can smuggle a USB drive into the precinct, then plug it into the ballot-marker's USB port and install malware, this will only flip a few hundred votes — not enough to overturn an election. You'd need a conspiracy of a hundred such voters to overturn an election, and thus working backwards, no individual would attempt it because they know it wouldn't change the outcome.
But that's an excuse. There are other scenarios. Let's say shortly before an election, Russian hackers post a program that any voter can download onto a USB drive. They've done such things before, such as aiming DDoS attacks against adversaries. You'd suddenly make a non-scalable exploit scalable — without a conspiracy that would inevitably leak the plot.
It’s irresponsible how Georgia plans to allow this as a possibility in the 2024 election.
In any case, one of the attacks is scalable: sending out malware-infected ballot definitions from the central county office. The county's central server creates the ballots for the election, which are then sent to the thousands of ballot marking machines. There's a bug in this process that allows the ballot definitions to include malware.
The centralized server is airgapped (not accessible from the Internet) and physically locked in a room. It would take some sort of commando to break in and do the hack. Or it would take a rogue election employee.
We know there are rogue election officials, like the infamous Tina Peters from Mesa County, Colorado. It’s a scalable attack that affects all the election machines in a county, able to flip enough votes to decide an election.
The upshot is this: that MITRE report is normal vulnerability denial. While it rightly lists the reasons we shouldn't panic and assume the machines have been (or will be) hacked, it wrongly claims that the vulnerabilities aren't a concern. It's not simply wrong, it's wrong in the same ways that vulnerability denial has been wrong for decades.
How do the vulnerabilities work?
The threats here are the following:
voters have physical access to the ballot marking devices in the privacy of a voting booth, and can mess with them
evil precinct workers have greater opportunity to mess with more than one machine
evil election workers, at the central county office, can potentially mess with all the machines in the county
The computers are designed with protections against such threats, but techies look for ways around such protections.
That's what happened here: Halderman found six vulnerabilities, bugs in the system, that would allow hackers to do something bad. Specifically, if successful, they'd be able to change that QRcode on the printed ballots.
The most important issue is probably that of a county employee. Each county has a central election management server that employees use to define the ballot for the election. Elections combine federal, state, and county races together, so every county has different ballots.
There's a bug with processing zip files, a rather classic bug of messing with filenames. When the zip is extracted, instead of all the files going into the target location on the hard drive, an entry whose name contains path components like "../" can instead overwrite other parts of the system — thereby installing software.
Thus, a single county employee can get malware installed on all the ballot marking devices that will flip votes — thousands of votes, enough to change the outcome of an election.
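To show the bug class concretely, here is an added example (not Dominion's code and not the report's) of the classic zip filename problem and the check a hardened extractor needs: before writing anything, resolve every entry's destination and refuse the whole archive if any entry lands outside the target directory. The archive and its entry names are constructed.

```python
"""Added example: the classic zip path-traversal bug (an entry named
'../../somewhere/file' escaping the extraction directory) and the check
that defeats it. Illustration of the bug class only; the archive below is
constructed and the target directory is a placeholder."""
import io
import os
import zipfile


def build_test_archive() -> bytes:
    """Constructed archive: one benign ballot file plus one traversal entry.
    zipfile stores the name as given, so the '..' components survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ballot.xml", "<ballot/>")
        zf.writestr("../../startup/payload.bin", "stand-in for a dropped file")
    return buf.getvalue()


def is_safe_member(target_dir: str, member_name: str) -> bool:
    """True only if the entry resolves to a path inside target_dir.
    realpath() collapses '..' and symlinks; commonpath() then tells us
    whether the destination is still rooted under the target."""
    target = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(target, member_name))
    return not os.path.isabs(member_name) and os.path.commonpath([target, dest]) == target


def unsafe_members(archive: bytes, target_dir: str) -> list:
    """List the entries that would escape target_dir on a naive extraction."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(target_dir, n)]


def safe_extract(archive: bytes, target_dir: str) -> list:
    """Validate every entry first; write nothing if any entry is unsafe.
    A naive extractor that does open(os.path.join(target_dir, name)) per
    entry is exactly the bug: the join happily follows '..' out of the tree."""
    bad = unsafe_members(archive, target_dir)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            dest = os.path.join(target_dir, name)
            os.makedirs(os.path.dirname(dest) or target_dir, exist_ok=True)
            with open(dest, "wb") as f:
                f.write(zf.read(name))
            written.append(dest)
    return written


if __name__ == "__main__":
    # "/tmp/ballot-definitions" is a placeholder path, not a real deployment.
    print("would escape:", unsafe_members(build_test_archive(), "/tmp/ballot-definitions"))
```

The same check belongs wherever a ballot definition or update package is unpacked on the central server or on the marking devices, and an archive that fails it should be logged and quarantined rather than partially extracted.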
The other issues relate to what can be done to individual ballot marking devices (or their associated printers).
Among the problems that can happen is that a voter can walk into the booth, plug in a thumbdrive, and install malware that flips all further votes cast on that machine.
A normal thumbdrive wouldn't work; it'd have to be something like the popular BashBunny. Simply having malware on a drive wouldn't work; you'd need some way to activate it. The BashBunny is not only a "drive" but also a "keyboard" and "mouse". It can then perform the necessary typing and mouse clicks needed to activate the malware.
This is certainly an irresponsible thing to allow to happen, but it’s not immediately an emergency. Flipping a few hundred votes isn’t much of a threat to a presidential election.
That’s why the MITRE report dismisses these threats as not being scalable.
But they are wrong. Just because they can’t think of ways to scale this doesn’t mean it can’t happen. For example, hackers could post a BashBunny package on Reddit or Twitter making it easy for any voter to do the trick. Now instead of a single voter doing it, you’ve got potentially hundreds. Now you’ve got enough votes flipped to change an election.
It gets worse. Instead of a voter, it might be a precinct worker with access to 20 machines. Or it might be an employee or even just a temp worker, hired for this election, who does this to a thousand machines before they are sent out to the precincts.
The solution to these problems is to update the software, namely fixing the zip file problem, and removing the ability for USB drives to act as keyboard/mouse. Dominion claims to have such a fix available, but Georgia refuses to install the update until after the 2024 election. It's back to the vulnerability denial mentioned above: these sorts of systems require regular updates, and Georgia bought these systems without intending to update them. Now that these vulnerabilities have been made public, it's extraordinarily irresponsible to avoid updating them.
Conclusion
The key takeaways are these:
This wasn’t an issue in the 2020 presidential race, and won’t be in the 2024 presidential races (assuming competent audits), but could be an issue for other races on the ballot.
Georgia State election officials are vulnerability deniers; they should've planned for regular updates when they purchased the software, maybe not as often as your mobile phone, but certainly not every 4 years.
MITRE were hilarious vulnerability deniers, seriously arguing for security-through-obscurity.
It’s important but not an emergency. It’s like when the taillight fails on your car, it’s a safety hazard you have a responsibility to fix, which may lead to an accident, but it’s also not a big deal if you wait a few days to fix it. Because of this, both sides are going to go bonkers, one arguing that it’s important, and the other side arguing it’s not an emergency. It’s irresponsible that Georgia won’t fix the problems, but not catastrophic.
"There’s no evidence that Dominion machines were hacked."
Is there a report on how this conclusion came to be? Which machines were investigated and where?
There's a potential vulnerability in all these paper-based systems that nobody ever talks about. Or maybe I'm stupid and this isn't real: evil precinct workers can print out a lot of ballots for their candidate and insert them into the pile, i.e. stuff the ballot box.
Is this not really a thing?