Georgia touchscreen voting machines under threat, CISA warns

(TNS) – A U.S. cybersecurity agency reported Friday that voting touchscreens used in Georgia have vulnerabilities that expose them to hacker attacks, although so far there is no evidence that these vulnerabilities have been exploited.

Election officials who rely on touchscreens manufactured by Dominion Voting Systems should increase security by conducting rigorous audits, strengthening physical device protections and patching outdated software, per recommendations from the US Cybersecurity and Infrastructure Security Agency.

The report also says state and county governments may choose to eliminate barcodes printed on ballots, which could be tampered with to change the way votes are recorded. The Georgia State Department is considering eliminating bar codes.

The CISA report supports claims made in a federal court case that hackers could turn votes if they could gain access to voting machines. After a four-month review, the agency identified nine vulnerabilities in Dominion’s touchscreens.

Other companies’ voting machines might have similar flaws, but the CISA report focused on voting touchscreens used in Georgia. The review cited risks to future elections, and government probes have repeatedly debunked allegations of fraud in the 2020 presidential election.

A Georgia election official said the real risk of hacking is low because of the security layers in devices that aren’t connected to the Internet.

The Office of the Secretary of State will review the recommendations, seek additional poll testing and look at ways to improve the training of poll workers, said Gabriel Sterling, the Office of the Secretary of State’s chief operating officer. Currently, state law only provides for one breed review every two years after the general election.

CISA Director Jen Easterly said the agency is working with election officials to address potential security deficiencies.

“Many of these mitigations, which are typically standard in jurisdictions where these devices are used, are capable of detecting exploitation of these vulnerabilities and, in many cases, would completely prevent attempts if applied carefully, which is what.” makes it very unlikely that a malicious actor could exploit these vulnerabilities to influence an election,” Easterly said.

Malicious code could be propagated if someone gains physical access to voting touch screens or the computers in the election administration system that program them. In addition, hackers could remotely infect voting machines when poll workers use USB drives to transfer data from Internet-connected computers to voting machines.

Georgia’s statewide voting system uses touchscreens to print out paper ballots, which are then fed into scanners that record the votes.

Because scanners read barcodes printed on paper ballots, voters would have no way of knowing if a hack altered the barcode to not match the printed text of their choice.

Sterling said the bugs were only found after a federal judge granted a computer scientist access to voting machines and passwords.

“There’s no way anyone can sit in a real election environment and take advantage of any of these things,” Sterling said. “Some of the vulnerabilities are there, but they are there in every system. We have many defenses in place and this is already built into our robust rules and laws.”

The vulnerabilities were discovered by Alex Halderman, a University of Michigan computer science professor who is serving as an expert witness for plaintiffs in a federal lawsuit seeking to replace Georgia’s $138 million voting system with handwritten ballots.

Halderman’s findings have been sealed in federal court since July, but CISA conducted its review to assess the threat to election security and to advise Georgia and jurisdictions in 16 other states that use the Dominion Democracy Suit’s ImageCast X voting equipment.

Election officials should seek improvements in voting technology, poll security and post-election checks, Halderman said.

“The vulnerabilities are significant and the state should take responsible steps immediately to reduce the risk of exploitation,” Halderman said. “That doesn’t mean it’s time to panic, and it doesn’t mean there’s evidence past elections were rigged. But it means it’s time to act.”

Dominion said in a statement that the security of its voting system has been proven through thousands of polls and recounts.

“These issues require unrestricted physical access to voting equipment, which is already prohibited,” a Dominion spokeswoman said.

According to the CISA report, a hack that exploited voting touchscreens could alter barcodes so that ballots don’t match the human-readable text on the ballot. In this case, voters cannot verify that their decisions have actually been counted.

The Secretary of State’s office has been debating whether to abandon barcodes in favor of full voting for more than a year, Sterling said. But this kind of change would make multi-page ballots more difficult to verify and would increase the cost of printing ballots borne by taxpayers.

Voters can help prevent the possibility of voter rigging by checking printed ballots at polling stations to make sure they’re correct, said Mark Lindeman, director of Verified Voting, a national election integrity organization focused on voting technology.

“Voters need to be able to verify their ballots,” Lindeman said. “It helps if you can hold and read a ballot.”

A study commissioned by the State Department found that only 49% of voters spent at least a second looking at their printed ballots.

The CISA advisory also suggests that election officials encourage voters to check the human-readable portion of printed ballots.

©2022 Atlanta Journal Constitution distributed by Tribune Content Agency, LLC.