They sure use a LOT of words in this 96 page report to say "Yes, Virginia... there was election fraud in Georgia!"
Security Analysis of Georgia’s ImageCast X Ballot Marking Devices
Expert Report Submitted on Behalf of Plaintiffs Donna Curling, et al.
Curling v. Raffensperger, Civil Action No. 1:17-CV-2989-AT
U.S. District Court for the Northern District of Georgia, Atlanta Division
Prof. J. Alex Halderman, Ph.D.
With the assistance of Prof. Drew Springall, Ph.D.
July 1, 2021
1.1 Principal Findings
I show that the ICX suffers from critical vulnerabilities that can be exploited to subvert all of its security mechanisms, including: user authentication, data integrity protection, access control, privilege separation, audit logs, protective counters, hash validation, and external firmware validation. I demonstrate that these vulnerabilities provide multiple routes by which attackers can install malicious software on Georgia’s BMDs, either with temporary physical access or remotely from election management systems (EMSs). I explain how such malware can alter voters’ votes while subverting all of the procedural protections practiced by the State, including acceptance testing, hash validation, logic and accuracy testing, external firmware validation, and risk-limiting audits (RLAs).
The most serious vulnerabilities I discovered include the following:
1. Attackers can alter the QR codes on printed ballots to modify voters’ selections. Critically, voters have no practical way to confirm that the QR codes match their intent, but they are the only part of the ballot that the scanners count. I demonstrate how the QR codes can be modified by compromising the BMD printer (Section 5) or by installing malware on the BMD (Section 7).
2. The software update that Georgia installed in October 2020 left Georgia’s BMDs in a state where anyone can install malware with only brief physical access to the machines. I show that this problem can potentially be exploited in the polling place even by non-technical voters (Section 8).
3. Attackers can forge or manipulate the smart cards that the ICX uses to authenticate technicians, poll workers, and voters. Without needing any secret information, I created a counterfeit technician card that can unlock any ICX in Georgia, allowing anyone with physical access to install malware (Section 6).
4. I demonstrate that attackers can execute arbitrary code with root (supervisory) privileges by altering the election definition file that county workers copy to every BMD before each election. Attackers could exploit this to spread malware to all BMDs across a county or the entire state (Section 9).
5. The ICX contains numerous unnecessary Android applications, including a Terminal Emulator that provides a “root shell” (a supervisory command interface that overrides access controls). An attacker can alter the BMD’s audit logs simply by opening them in the on-screen Text Editor application (Section 10).
6. In a given election, all BMDs and scanners in a county share the same set of cryptographic keys, which are used for authentication and to protect election results on scanner memory cards. An attacker with brief access to a single ICX or a single Poll Worker Card and PIN can obtain the county-wide keys.
7. The ImageCast Precinct (ICP) scanner stores ballot scans in the order they were cast. A dishonest election worker (like that emphasized by the Defendants and their expert Michael Shamos) with just brief access to the scanner’s memory card could violate ballot secrecy and determine how individual voters voted (Section 11).
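The following Python model is an added illustration of finding 7 above and is not code from the report, from Dominion, or from the ICP; the record layout, poll-book format, voter names and ballot contents are all constructed stand-ins, not the scanner's real memory-card format. It assumes one scanner per precinct and that voters feed ballots into it in the same order they checked in, which is what lets a sequentially stored card be joined to the poll book. The same model shows the standard mitigation (writing records in an order unrelated to cast order) and confirms that the tally is unaffected by it.

```python
"""Constructed model of the ballot-order secrecy leak: stored-in-cast-order
ballot records joined to an ordered check-in log. Illustration only; formats are
invented stand-ins, not the ImageCast Precinct's actual memory-card layout."""
import random
from collections import Counter

# Constructed poll-book check-in log, in check-in order. Assumption: voters
# feed their ballots into the precinct's single scanner in this same order.
POLLBOOK = ["voter A", "voter B", "voter C", "voter D",
            "voter E", "voter F", "voter G", "voter H"]

# Constructed ballot contents, listed in the order the ballots were cast.
# Three two-way contests, all eight combinations, so every ballot is distinct.
BALLOTS_IN_CAST_ORDER = [
    {"c1": a, "c2": b, "c3": c}
    for a in ("Smith", "Jones") for b in ("Yes", "No") for c in ("For", "Against")
]


def store_in_cast_order(ballots):
    """Model of a scanner that appends each ballot image as the next record."""
    return [{"record": i, "selections": dict(b)} for i, b in enumerate(ballots, 1)]


def store_shuffled(ballots, rng=None):
    """Mitigation model: write the same records, but in an order unrelated to
    cast order. A real implementation must use a CSPRNG (SystemRandom here);
    rng is injectable only so the behaviour can be tested repeatably."""
    rng = rng if rng is not None else random.SystemRandom()
    order = list(ballots)
    rng.shuffle(order)
    return [{"record": i, "selections": dict(b)} for i, b in enumerate(order, 1)]


def link_votes(pollbook, records):
    """The attack in finding 7: join the i-th check-in to the i-th stored record."""
    return {voter: rec["selections"] for voter, rec in zip(pollbook, records)}


def linkage_accuracy(pollbook, true_ballots, records):
    """Fraction of voters whose ballot the join attributes correctly."""
    truth = dict(zip(pollbook, true_ballots))
    guess = link_votes(pollbook, records)
    return sum(guess[v] == truth[v] for v in pollbook) / len(pollbook)


def tally(records):
    """Per-contest vote counts; these must not depend on storage order."""
    counts = {}
    for rec in records:
        for contest, choice in rec["selections"].items():
            counts.setdefault(contest, Counter())[choice] += 1
    return {contest: dict(c) for contest, c in counts.items()}


def mean_shuffled_accuracy(trials=200, seed=0):
    """Average linkage accuracy against shuffled cards over repeated trials.
    With 8 distinct ballots the expectation is 1/8, i.e. chance."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        records = store_shuffled(BALLOTS_IN_CAST_ORDER, rng)
        total += linkage_accuracy(POLLBOOK, BALLOTS_IN_CAST_ORDER, records)
    return total / trials


if __name__ == "__main__":
    ordered = store_in_cast_order(BALLOTS_IN_CAST_ORDER)
    print("cast-order card, linkage accuracy:",
          linkage_accuracy(POLLBOOK, BALLOTS_IN_CAST_ORDER, ordered))
    print("shuffled card, mean linkage accuracy:",
          round(mean_shuffled_accuracy(), 3))
    print("tallies agree:",
          tally(ordered) == tally(store_shuffled(BALLOTS_IN_CAST_ORDER)))
```

Against the cast-order card the join recovers every voter's ballot; against the shuffled card it does no better than guessing, while both cards produce the same tally. Note that shuffling the records is only part of the mitigation: filenames, sequence counters and file timestamps on the card must also not leak the cast order, or the join can be rebuilt from them.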
Proof-of-Concept Attacks
In addition to discovering and validating the vulnerabilities described above, I developed a series of proof-of-concept attacks that illustrate how vulnerabilities in the ICX could be used to change the personal votes of individual Georgia voters. I am prepared to demonstrate:
1. An attack that uses malicious hardware hidden inside the BMD’s printer to alter the votes on printed ballots (Section 5).
2. Malware that runs on the BMD and alters votes while avoiding hash validation, firmware validation, and logic and accuracy testing (Section 7).
3. An automated method of installing malware by briefly unplugging the printer cable and attaching a malicious USB device (Section 8).
4. Vote-stealing malware that can be installed remotely from the EMS, by altering the BMD’s election definition file (Section 9).
Mitigation
Some of the critical vulnerabilities I discovered can be at least partially mitigated through changes to the ICX’s software, and I encourage Dominion and the State of Georgia to move as quickly as possible to remedy them.² However, merely patching these specific problems is unlikely to make the ICX substantially more secure. I did not have the resources to find all possible exploitable security bugs in the ICX software. Once I found one that satisfied a particular adversarial objective, I usually turned to investigating other aspects of the system. It is very likely that there are other, equally critical flaws in the ICX that are yet to be discovered. Fully defending it will require discovering and mitigating them all, but attackers would only have to find one.
1.2 Main Conclusions
On the basis of the technical findings described in this report, I reach the following conclusions:
– The ICX BMDs are not sufficiently secured against technical compromise to withstand vote-altering attacks by bad actors who are likely to attack future elections in Georgia. Adversaries with the necessary sophistication and resources to carry out attacks like those I have shown to be possible include hostile foreign governments such as Russia—which has targeted Georgia’s election system in the past [49]—and domestic political actors whose close associates have recently acquired access to the same Dominion equipment that Georgia uses through audits and litigation in other jurisdictions.
– The ICX BMDs can be compromised to the same extent and as or more easily than the AccuVote TS and TS-X DREs they replaced.³ Both systems have similar weaknesses, including readily bypassed user authentication and software validation, and susceptibility to malware that spreads from a central point to machines throughout a jurisdiction. Yet with the BMD, these vulnerabilities tend to be even easier to exploit than on the DRE system, since the ICX uses more modern and modular technology that is simpler to investigate and modify.
– Despite the addition of a paper trail, ICX malware can still change individual votes and most election outcomes without detection. Election results are determined from ballot QR codes, which malware can modify, yet voters cannot check that the QR codes match their intent, nor does the state compare them to the human-readable ballot text. Although outcome-changing fraud conducted in this manner could be detected by a risk-limiting audit, Georgia requires a risk-limiting audit of only one contest every two years, so the vast majority of elections and contests have no such assurance. And even the most robust risk-limiting audit can only assess an election outcome; it cannot evaluate whether individual votes counted as intended.
– The ICX’s vulnerabilities also make it possible for an attacker to compromise the auditability of the ballots, by altering both the QR codes and the human readable text. Such cheating could not be detected by an RLA or a hand count, since all records of the voter’s intent would be wrong. The only practical way to discover such an attack would be if enough voters reviewed their ballots, noticed the errors, and alerted election officials, and election officials identified the problem as a systemic hack or malfunction; but human-factors studies show that most voters do not review their ballots carefully enough, and election officials likely would consider such reports the product of voter error. This means that in a close contest, ICX malware could manipulate enough ballots to change the election outcome with low probability of detection. In contrast, risk-limiting audits of hand-marked paper ballots, when used with appropriate procedural precautions, provide high confidence that individual votes are counted as intended and election outcomes are correct even if the election technology is fully compromised.
– Using vulnerable ICX BMDs for all in-person voters, as Georgia does, greatly magnifies the security risks compared to jurisdictions that use hand-marked paper ballots but provide BMDs to voters upon request. When use of such BMDs is limited to a small fraction of voters, as in most other states, they are a less valuable target and less likely to be attacked at all. Even if they are successfully compromised, attackers can change at most a small fraction of votes—which, again, creates a strong disincentive to undertake the effort and risk to change any such votes.
– The critical vulnerabilities in the ICX—and the wide variety of lesser but still serious security issues—indicate that it was developed without sufficient attention to security during design, software engineering, and testing. The resulting system architecture is brittle; small mistakes can lead to complete exploitation. Likewise, previous security testing efforts as part of federal and state certification processes appear not to have uncovered the critical problems I found. This suggests that either the ICX’s vulnerabilities run deep or that earlier testing was superficial. In my professional experience, secure systems tend to result from development and testing processes that integrate careful consideration of security from their inception. In my view, it would be extremely difficult to retrofit security into a system that was not initially produced with such a process.
My technical findings leave Georgia voters with greatly diminished grounds to be confident that the votes they cast on the ICX BMD are secured, that their votes will be counted correctly, or that any future elections conducted using Georgia’s universal-BMD system will be reasonably secure from attack and produce the correct results. No grand conspiracies would be necessary to commit large-scale fraud, but rather only moderate technical skills of the kind that attackers who are likely to target Georgia’s elections already possess. Unfortunately, even if such an attack never comes, the fact that Georgia’s BMDs are so vulnerable is all but certain to be exploited by partisan actors to suppress voter participation and cast doubt on the legitimacy of election results.