Federal cybersecurity officials have verified there are software vulnerabilities in certain ballot-marking devices made by Dominion Voting Systems, discovered during a controversial Georgia court case, which could in theory allow a malicious actor to tamper with the devices, according to a draft analysis reviewed by CNN.
The vulnerabilities have never been exploited in an election and doing so would require physical access to voting equipment or other extraordinary criteria standard election security practices prevent, according to the analysis from the US Cybersecurity and Infrastructure Security Agency.
But because the subject is Dominion voting equipment, which has been the target of conspiracy theorists who falsely claim there was large-scale fraud in the 2020 election, federal and state and local officials are bracing for election deniers to try to weaponize news of the vulnerabilities ahead of midterm elections.
“While these vulnerabilities present risks that should be promptly mitigated, CISA has no evidence that these vulnerabilities have been exploited in any elections,” reads the draft CISA advisory, which the agency shared in a briefing with state and local officials on Friday.
The Washington Post first reported on the CISA advisory.
In preparing for the disclosure of the software vulnerabilities, CISA on Friday updated its “Rumor Control” website, which it used to rebut claims of election fraud during the 2020 election, with a new entry.
“The existence of a vulnerability in election technology is not evidence that the vulnerability has been exploited or that the results of an election have been impacted,” the new Rumor Control posting reads.
The vulnerabilities affect a type of Dominion ballot-marking device known as the Democracy Suite ImageCast X, according to the CISA advisory, that is only used in certain states.
“We are working closely with election officials to help them address these vulnerabilities and ensure the continued security and resilience of US election infrastructure,” CISA Executive Director Brandon Wales said in a statement to CNN. “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely. This makes it very unlikely that these vulnerabilities could affect an election.”
The CISA analysis is of a security assessment of Dominion Voting Systems’ ballot-marking devices done by a University of Michigan computer scientist at the behest of plaintiffs in a long-running lawsuit against Georgia’s Secretary of State.
The computer scientist, J. Alex Halderman, was given physical access over several weeks to the Dominion ballot-marking devices, which print out a ballot after voters make their choice on a touch screen.
Halderman’s report is still under seal with the court.
But according to Halderman and people who have seen the report, it claims to demonstrate how the software flaws could be used to alter QR codes printed by the ballot-marking devices, so those codes do not match the vote recorded by the voter. Postelection audits, which compare paper trails with votes recorded on machines, could catch the discrepancy.
The nature of computing means all software has vulnerabilities if you look closely enough, and software used in elections is no different. But election experts say physical access controls and other layers of defense, along with postelection audits, help mitigate the threat of votes being manipulated via cyberattacks.
The CISA warning notes most jurisdictions using the machines tested already have adapted the mitigations recommended by the agency. Dominion has provided updates to machines to address the vulnerability, one person briefed on the matter said.
CNN has reached out to Dominion for comment.
Separately, the Georgia’s Secretary of State’s office released a statement Friday on a review of the state’s election systems conducted by Miter Corp., a federally funded nonprofit. While the Miter report has not been made public, Gabriel Sterling, Georgia’s deputy Secretary of State, said in a statement Friday the report showed “existing procedural safeguards make it extremely unlikely for any bad actor to actually exploit any vulnerabilities.”