Halderman Report: Dominion Machines Can Be Defeated During Certification Testing and Can Spread Malware Throughout a County
By Brian Lupo Jun. 19, 2023
Prof. Halderman states in his blog based on the report that “the most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a county’s central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them.”
While Halderman offers an overview of how malware can be spread throughout a county with simple access to the EMS, he also explains in the report how this can defeat the testing of the machines in two ways: one through Hash Validation and the other through Logic and Accuracy Testing.
Hash Validation
Let’s start with the SHA-256 Hash Validation. Hash Validation is a method of checking that the system itself is exactly the same as the system that was installed. Any changes should return a SHA-256 hash that does not match the hash provided.
Halderman states in his report:
“…a maliciously modified app can simply show the expected hash value instead of its real one, thereby avoiding detection.
The demonstration malware changes vote data before the app computes the MAC. This allows such malware to add, remove, change, or spoil votes in the QR code while ensuring that the MAC remains valid. Alternatively, since the secret key used to generate the MAC is necessarily accessible to the ICX App, malicious logic in a modified app could use the key to generate valid MACs itself.“
This implies that a malicious code installed on the machine could not only alter votes, but it could do so while remaining undetectable to testing performed on the machines before the election.
Raffensperger was able to rush that update to all of the state’s BMDs in less than a month. But now, with 36-months lead time, the Georgia Secretary of State said the task would require “tens of thousands of manhours” and therefore won’t be done until after 2024.
Logic and Accuracy Testing
The Logic and Accuracy test (LAT) is a public test that runs a selected number of ballots through the system to ensure it is properly counting the votes. Notably, in the 2020 Election, Fulton County, GA had to delegate the LAT to Dominion themselves due to a COVID outbreak at their English Street warehouse just before the election. They did this at the cost of $2,000 per hour and $5,000 per hour on Election Day, for a total of $2 million.
The LAT is meant to ensure to the public that these machines are working effectively. There has been recent controversy regarding the 2022 primaries in Colorado, where Trump-endorsed former Mesa County Clerk Tina Peters lost to CTCL Board Chair Pam Anderson. A controversial machine recount was funded by the losing candidates in El Paso County. Despite a 53% rejection rate in the recount’s LAT prior to the official recount, election officials refused a hand recount as an alternative after the controversial failure.
Fast forward to the report, Halderman outlines how the LAT can be subverted. This is extremely concerning. In Section 7.5 of the report, Halderman states that:
“…demonstration malware simply tracks how many ballots have been printed since the machine was turned on and skips cheating on the first n ballots (for an attacker-configuration number). If Georgia were to improve its LAT process by testing with a greater number of ballots, attackers could simply increase the number of ballots the malware skipped accordingly.
“No practical method of pre-election or parallel testing can rule out malware-based fraud. Although the QR code contains a cryptographic message authentication code (MAC) that scanners use to verify its integrity, this poses no obstacle to the ICX malware.”
In Summary:
The Halderman Report acknowledges that malware can be installed on these machines that would undetectable using Hash Validation testing
Malware can subvert the Logic and Accuracy Testing and can “skip cheating” until the LAT is complete.
No practical method of pre or parallel election testing would detect it
Georgia has known about these vulnerabilities for two years, yet will not upgrade their machines until after the 2024 Election
Georgia officials have fought arduously to prevent quality inspection of the physical paper ballots after numerous discrepancies were found mainly via Open Records Request in the 2020 and 2022 elections
Georgia has previously updated all of their systems in less than a month’s time, however, three and a half years is not sufficient for this imperative security update
The vulnerable election software was used in 2022, while the Georgia Sec. of State was aware of the problem and was also a candidate in that contested election.
According to VoterGA.org, Raffensperger received 15% more votes in a Cobb County Vinings cityhood hand count audit:
The team found that Secretary Raffensperger received about 53% of the Republican Election Day votes for
Secretary of State in that precinct. That would be in line with the statewide voting percentages that enabled
him to avoid a runoff except that the Dominion voting system awarded Raffensperger 68.4% of those
same votes. Thus, the Dominion software attributed 15% more votes to Raffensperger’s totals than the
actual ballots seem to show when monitors counted Raffensperger’s votes.
