According to a bulletin issued Friday by the Cybersecurity and Infrastructure Security Agency, the U.S. did not find any evidence that voting machines from Dominion were ever exploited.
The advisory states that while these vulnerabilities are dangerous and should be addressed as soon as possible, CISA does not have any evidence that they were exploited in elections.
Jen Easterly, Director of CISA, stated Friday that she had been working with election officials to find out about vulnerabilities in certain versions Dominion Voting Systems software. She added, “Today we are releasing the information publicly.”
CISA’s vulnerability disclosure program was used to examine voting machines for the first time in this bulletin, which was circulated among state election officials earlier in the week. It was also shared publicly online on Friday. This program was established for the first time in 2019. It has already disclosed hundreds of vulnerabilities that can be used in industrial and commercial use. The vulnerability disclosure program was flagged by researchers around the world.
Easterly stated that CISA is “closely involved with election officials across the nation to help them address these vulnerability by applying the mitigations suggested in the advisory.”
CISA discovered nine flaws in certain versions of Dominion Voting Systems ImageCastX software. Some of the flaws are directly related to machine design and would require anyone attempting to exploit them to have physical access to voting machines and/or equipment polling management equipment.
CISA advisory previously reported by Washington Post recommends several mitigation steps for states that use voting machines to prevent or detect exploit of identified vulnerabilities.
In her statement, the director stated that many of CISA’s mitigations are “common practice in jurisdictions where such devices are used” and that they “are able detect exploitation of those vulnerabilities and in many instances would prevent attempts completely if diligently applied. This makes it extremely unlikely that a malicious actor could exploit these weaknesses to affect an election.”
The advisory points out that there are many obstacles to taking advantage the flaws in voting machines.
The advisory states that to exploit these vulnerabilities, one must have physical access to each ImageCast X device, the Election Management System (EMS), and the ability to modify files prior to they are uploaded to ImageCast X. These vulnerabilities can be prevented and/or detected by ensuring that jurisdictions follow the recommendations in the advisory. This includes technical and operational controls to limit unauthorised access to voting systems.
CISA identified a flaw in the authentication mechanism that voters use to activate a vote session on ImageCast X. According to the advisory, this vulnerability is vulnerable to forgery. An attacker could use this vulnerability to print arbitrary numbers of ballots without authorisation.
ImageCast X allows voters to select their favorite candidates via touch screen. Then, they can print a paper record similar to the one Georgia voters used during the 2020 election. The device can be used as an electronic voting machine without the need for paper ballots.
Dominion voting systems was a manufacturer of voting devices used in 28 states. Trump supporters claimed that the machines were used to alter or rig votes, but this claim was disproved by fact-checkers. Top election officials, including Georgia’s Republican secretary-of-state and governor, repeatedly claimed there was no evidence of election fraud or breaches. A Georgia judge dismissed a suit alleging voter fraud in 2020.
Dominion filed a $1.3 million defamation suit against Sidney Powell in January 2021. She cited Powell’s repeated claims that Dominion had changed Trump’s votes to Biden’s. Rudy Giuliani, a former Trump campaign advisor, has been sued by Dominion for similar statements. The litigation is ongoing.