Report: Security Analysis of the Dominion ImageCast X

Report released this week on vulnerabilities of the Dominion ImageCast, used for the vast majority of the votes in Georgia <Report>

The report was actually submitted to a court on July 1, 2021 – the court considered the information so dangerous to elections that is has largely been suppressed until now!

However in two years, Dominion has made several fixes, yet Georgia Secretary of State Brad Raffensperger is in no hurry to update Georgia machines at least until after the 2024 election.

Note: After planning for a couple of months, I launched CTVoters Count in late 2007, Little did I know that the California Top To Bottom Review would be release at that time! Many are claiming that this report may rival the impact of that California report.

You do not need to read the whole report. Better to start with a summary from the author, Prof. Alex Halderman. <Summary Report>

…we discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers. The most critical problem we found is an arbitrary-code-execution vulnerability that can be exploited to spread malware from a county’s central election management system (EMS) to every BMD in the jurisdiction. This makes it possible to attack the BMDs at scale, over a wide area, without needing physical access to any of them…

The report was filed under seal on July 1, 2021 and remained confidential until today, but last year the Court allowed us to share it with CISA—the arm of DHS responsible for election infrastructure—through the agency’s coordinated vulnerability disclosure (CVD) program. CISA released a security advisory in June 2022 confirming the vulnerabilities, and Dominion subsequently created updated software in response to the problems. Georgia Secretary of State Brad Raffensperger has been aware of our findings for nearly two years, but—astonishingly—he recently announced that the state will not install Dominion’s security update until after the 2024 Presidential election, giving would-be adversaries another 18 months to develop and execute attacks that exploit the known-vulnerable machines…

The right solution is Voter-Verified-Paper-Ballots and sufficient post-election audits, recounts, and sufficient ballot security. Then even with election systems subject to errors and fraud, election results can be verified and corrected.


Leave a Reply

You must be logged in to post a comment.