Bredt Family Professor of Computer Science and Engineering, @UMich: Security and privacy, election security, and Internet freedom. Co-founded @LetsEncrypt
Today, the Federal District Court for the Northern District of Georgia unsealed a 96-page report that I wrote w/ Prof. @_aaspring_ from @AuburnU. It describes serious vulnerabilities we found in Georgia's Dominion ImageCast X ballot marking devices.
I teamed up with @NYTimes to demonstrate how U.S. voting machines can be remotely hacked to steal votes. Yes, this is a real machine still used in almost 20 states! States and Congress need to act on #ElectionSecurity before it's too late. via @nytvideo.
This is why we need voter-verified paper ballots and manual post-election audits of the paper. That's the only practical, low-cost defense that can detect and correct attacks like we showed.
Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don't need physical access--we showed how malicious code can spread from the election office when officials program the ballot design.
Astonishingly, Georgia Secretary of State Brad Raffensperger, who has been aware of our findings for two years, just announced that the state will not get around to installing Dominion’s security patches until after the 2024 Presidential election. 🤦
1/ There's been lots of speculation about why Antrim County, MI initially reported incorrect results on Wed. The results have since been corrected, but people are naturally wondering what happened. Here's the likely technical explanation and my assessment.
Our findings are a reminder that elections face ongoing risks that call for vigilance from policymakers, technologists, and the public. Officials like Raffensperger should uphold voter confidence by improving security, not denying or ignoring real problems. Voters deserve better.
That's worse than doing nothing. By broadcasting that Georgia is not going to patch, Raffensperger has given would-be adversaries a whole 18 months to develop and execute attacks that exploit the known-vulnerable machines.
I encourage you to read the whole report, and I've also written a blog post that provides important context for understanding the findings and their implications for election security and public policy:
That was wishful thinking when it was written, and it's ridiculous today, because we've learned that Georgia's Dominion software *has already been stolen and distributed* by unauthorized parties, who had repeated access to the voting equipment.
Despite our responsible disclosure efforts, the flaws remain unpatched in GA. Among the most critical issues is an arbitrary-code-execution vulnerability that can spread malware from a county's central election management system to all BMDs in the jurisdiction—and run it as root.
This makes it possible to attack BMDs at scale, over a wide area, without needing physical access to them. Our report explains how attackers could exploit the flaws to change votes or affect election outcomes, e.g., by changing ballot QR codes, which are what scanners count.
Can voters detect malicious manipulation of ballot marking devices?
To find out, @UMBernhard and our @UMich team had 241 people vote on BMDs we secretly hacked to change every printout. Voters missed >93% of errors!
Full study published today at @IEEESP:
The court's ruling recognizes that Georgia's voting machines are so insecure, they're unconstitutional. That's a huge win for election security that will reverberate across other states that have equally vulnerable systems.
1/ Colleagues and I have found a serious privacy flaw that affects Dominion ICP and ICE ballot scanners. We've already informed Dominion, CISA, EAC, and state officials, and we've created a site to help officials and the public understand the issue:
But Dominion also hired MITRE to counter our report:
MITRE didn't do any security tests, yet it asserts attacks are "operationally infeasible", dangerously contradicting CISA's finding that the problems are "real risks" and should be "mitigated promptly".
Want to know what really happened in Antrim County during the 2020 election?
I just posted a peer-reviewed paper based on the investigation I did for the Michigan SOS and AG. It will appear at @USENIXSecurity in August.
The known breaches in Georgia would be sufficient to uncover and exploit every vulnerability we found—and likely others we missed. Yet MITRE’s risk assessment assumes that Georgia perfectly protects the equipment from illicit access across all of its 159 counties.
We are not aware of any evidence that the vulnerabilities have been exploited to change votes in past elections, but, unless more is done to strengthen security, there is a serious risk that they will be exploited in the future.
MITRE's analysis is wrong, because it fails to account for how elections are operated in the real world. It is entirely predicated on a false assumption: MITRE says it "assumes strict and effective controlled access to Dominion election hardware and software."
Mr. President, if you're worried about voting machine vulnerabilities, there's a practical solution:
Paper ballots and risk-limiting audits let officials *publicly demonstrate* that the outcome hasn't been changed by hacking. All states could have them in time for 2024.
11/ In conclusion, it appears that Antrim's problem:
* Isn't a sign of anything nefarious.
* Was corrected quickly.
* Has nothing to do with the version of the Dominion software in use.
* Is not a security vulnerability.
* Isn't likely to impact results in other jurisdictions.
@CISAgov advised states about these problems last summer through its coordinated vulnerability disclosure process, and Dominion subsequently released a software update, Democracy Suite 5.17, that purportedly addresses at least some of the problems.
1/ In a new research paper today, @MSpecter and I perform the first public, independent analysis of the security and privacy risks of Democracy Live's OmniBallot online voting platform.
Full paper:
Advice for voters:
Today, @mspecter, @jimmykoppel, and @djweitzner released a detailed security analysis of Voatz, a blockchain-based Internet voting app that's used in West Virginia and other states. Their findings are devastating. But Voatz has even more problems! 1/
I've seen no credible evidence whatsoever that the 2020 presidential outcome was hacked.
Still, if anyone considers an election where millions doubt the result to be a security success, they have too narrow a definition of election security.
I've taught college-level computer security at @UMich for 10 years, and the most important thing we teach our students is how attackers operate. YouTube's new policy will do nothing to stop bad guys, but it will definitely make it harder for the public to learn about security.
We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it.
YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"
Last time DC tried Internet voting, in 2010, it took my team 48 hours to hack in and change all the votes.
There haven't been any breakthroughs that make online voting fundamentally more secure today, and threats elections face are even more dangerous.
10/ When the dust settles, we can investigate further and learn from these events. Defensive software engineering should help prevent such reporting glitches even if operators make a mistake. Still, Antrim responded well, and MI's failsafes worked as designed to ensure integrity.
9/ Even if Antrim hadn't caught this problem so quickly, it would have been found and corrected during normal post-election procedures. Every Michigan jurisdiction checks the poll tapes against the reported totals before certifying results.
1/ Georgia just announced it will perform a manual audit of the presidential contest. This is a positive step for confidence and security. The race is so close that the audit will consist of a full manual count, rather than inspection of a random sample of the ballots.
Big thanks to @MatteenM from @nytvideo for telling this story, and to @VerifiedVoting for making the hacking demo possible with their Technology Fellowship.
2/ First, see @MichSOS's new statement about the issue:
It was human error, isn't a sign of anything malicious, and couldn't impact the official results in any way. But what exactly happened?
You're right, we need rigorous national standards for election security, and paper and risk-limiting audits are key components.
But there's also a need for a deeper shift in attitude: elections should be designed to generate affirmative, public evidence of their correctness.
The president spent last month telling people the election was rigged, the votes fraudulent, the count manipulated. The damage is real and we need better safeguards than just repeating there was no evidence of fraud. I wrote about basic & possible reforms.
@GabrielSterling @MITREcorp @realMikeLindell @MarilynRMarks1 Gabe, the MITRE report is wrong. It assumes "strict and effective controlled access", but your Dominion software has already been stolen. The Coffee County breaches were more than sufficient access for the attacks we discovered. Y'all need to patch.
Controversial blockchain voting company Voatz, which has largely fallen out of favor with state election officials, appears to have had their website defaced by a hacktivist who doesn't care for their stance on security research. Keep clicking previous:
@wbm312 @TheFIREorg Video guy flashed his inbox while teaching a class. One of our amazing security TAs, Jensen Hwa, noticed that it shows how the second video was faked. An old trick: he set up university mailing lists with names like "Academic-Misconduct-Committee" and used them as the senders.
@mspecter @jimmykoppel @djweitzner @censysio In my view, based on MIT's findings, no responsible jurisdiction should use Voatz in real elections any time soon. It will take major advances in security technology before Internet voting is safe enough. 11/11
6/ Antrim uses @dominionvoting ballot scanners, which store vote totals on memory cards. Think of the data on the card like a spreadsheet, with a number for each choice. But there aren't any labels--it's the election definition that says which row corresponds to which candidate.
8/ Fortunately, the individual scanners counted correctly. Each scanner prints its results on a paper "poll tape" at the end of election night, so Antrim re-entered the data from those printouts to get the correct overall totals.
3/ The problem relates to the "election definition"--configuration files that describe the races and candidates on the ballots across the county.
In October, Antrim noticed an error in its election definition: two local races had been omitted in certain precincts.
@mspecter @jimmykoppel @djweitzner The paper finds that the Voatz API server, if hacked, can change votes entirely. The authors say the app doesn't actually use a blockchain or an E2E-V protocol to secure app-server vote transmission, but essentially just a regular HTTPS connection to . 2/
In a new paper at @ACM_CCS, we explain how we built @LetsEncrypt and how it has impacted the Web:
When we started in 2012, the idea sounded crazy. Now, 7 years later, we're the world's largest provider of HTTPS certificates and help secure 180M sites!
7/ When Antrim loaded the memory cards into its reporting system, the system interpreted them using the revised election definition. The numbers from scanners that used the old definition didn't line up with the right candidates, so the initial combined totals were very wrong.
“REPORT: DOMINION DELETED 2.7 MILLION TRUMP VOTES NATIONWIDE. DATA ANALYSIS FINDS 221,000 PENNSYLVANIA VOTES SWITCHED FROM PRESIDENT TRUMP TO BIDEN. 941,000 TRUMP VOTES DELETED. STATES USING DOMINION VOTING SYSTEMS SWITCHED 435,000 VOTES FROM TRUMP TO BIDEN.”
@ChanelRion @OANN
4/ They fixed this by recreating the election definition and installing the corrected version on the scanners for affected precincts. However, precincts where the ballot wasn't impacted by the change continued to use the original election definition.
A close election with a protracted count is very dangerous from a security perspective. In addition to disinformation and false accusations of fraud, it creates opportunities for adversaries to commit real fraud by attacking the counting process and the integrity of the ballots.
5/ Because of this, each individual scanner tabulated ballots correctly, but there was a problem when it came time to combine the results from across precincts.
The best way to adapt elections to #COVID19 is to make broader use of vote-by-mail, which the majority of voters in several states already use.
@RonWyden VBM isn't perfect, but the cybersecurity risks are far, far lower than when voting online.
@mspecter @jimmykoppel @djweitzner @censysio It’s not surprising that the Voatz app has the major security problems MIT found. Election security experts, including me, have been warning for years that Internet voting systems are not safe to use in real elections. 9/
6/ The overwhelming scientific consensus is that online voting cannot be secured with available technology. The National Academies and the Senate Intelligence Committee both urge against using it, even for military voters.
Georgia is getting $10 million in Federal money to improve #ElectionSecurity. It's time for the state to ditch its vulnerable paperless machines and implement paper ballots and risk-limiting audits.
@mspecter @jimmykoppel @djweitzner @censysio What is shocking from the MIT findings is just how primitive the Voatz app is, under the surface, compared to state-of-the-art E2E-V approaches. I myself certainly assumed from Voatz's messaging that it was doing something more sophisticated than what the researchers report. 10/
2/ We call the flaw DVSorder. It's a privacy vulnerability, so it *cannot* directly modify results or change votes. However, under some circumstances, it could allow members of the public to identify other peoples’ ballots and learn how they voted.
3/ Many people don't care if others know how they voted, but the secret ballot is an important security mechanism, and some voters—especially the most vulnerable in society—may face real or perceived threats of coercion unless the privacy of their votes is strongly protected.
1/ Remember Voatz, the “blockchain”-based Internet voting app that doesn’t really use blockchain to send votes? There's an excellent new security analysis by @trailofbits that confirms the issues recently reported by MIT researchers and finds *way* more problems.
Last week @CISAgov privately advised states about vulnerabilities in the Dominion ImageCast X that @_aaspring_ and I discovered (as part of a lawsuit in Georgia that predates the 2020 election).
CISA has now made a version of their advisory public:
1/4
@jhalderm and I investigated the security of the Dominion ImageCast X BMD used in Georgia and our findings aren't pretty. @CISAgov just published an advisory about vulnerabilities we found and I hope the full report we sent them will be available soon.
Merits of the lawsuit aside, Arizona's audit law is insufficient. 2% of vote centers/precincts isn't a large enough sample to confidently rule out fraud when the margin is this close.
For 2024, AZ should adopt a true risk-limiting audit. It'd be both less work and much stronger.
UPDATE: Ruling is up. Judge has decided to toss out Arizona GOP lawsuit requesting new Maricopa County vote audit.
A filing outlining his reasoning should be posted shortly.
4/ DVSorder is unusual in that it doesn't require exotic skills or special access to find and exploit, only public information. Fortunately, now that we know about the problem, election officials have time to prevent it from affecting voters in the midterms.
As we wrote, the presence of security weaknesses does not prove that any election has been hacked.
But more needs to be done to address those weaknesses, such as making sure all states use paper ballots, marked by hand by those who can, and that results are rigorously audited.
Michigan is planning to conduct a risk-limiting audit.
In an RLA, workers publicly inspect enough paper ballots to verify the election outcome, without having to trust potentially vulnerable computers or ballot scanners.
This is great news for security and voter confidence.
I’m thrilled that we are on track to perform a statewide risk-limiting audit of November’s general election, which we’ve been building towards and planning for over the last 22 months, as well as local procedural audits of individual jurisdictions. (2/9)
Big news from Chrome Security Team!
With HTTPS encryption now nearly ubiquitous, they're finally killing off the browser🔒icon, which tends to give users a false sense of security about other threats.
A huge milestone for web security.
h/t @davidcadrian
@mspecter @jimmykoppel @djweitzner We can look up that certificate using Censys (@censysio).
It turns out Voatz uses the same cert on 7 servers on 3 cloud providers. An attacker who hacked into any of these systems could likely get the private key needed to intercept and change votes. 5/
So great to see election officials and technologists join forces at @VotingVillageDC and apply their collective experience to strengthening security. When we work together, voter confidence doesn't have to be a matter of faith--we can have evidence-based elections.
@mspecter @jimmykoppel @djweitzner To protect the connection, Voatz uses certificate pinning. That means the app will only trust a specific HTTPS certificate to authenticate the server. For maximal security, the app should pin to a cert that is used only on a specific well hardened server. 3/
People, this is why Americans still don't have a secure voting system!
@eacgov seems more concerned with creating a false sense of security than with actually boosting it. Maybe election cybersecurity should be in the hands of an agency that actually understands it.
@mspecter @jimmykoppel @djweitzner @censysio The bottom line: It looks like there’s a much greater risk than there should be that a network-based attacker, like a malicious WiFi router or ISP, could access Voatz’s private key, impersonate the Voatz API server, and then intercept and change votes. 8/
Experts' letter to @MITRECorp:
“If MITRE genuinely aspires to 'provide objective analysis' about election systems, it will correct the record now and retract its dangerously misleading analysis.”
Congratulations to @UMBernhard and the rest of our @MichiganSystems team for receiving the Best Student Paper Award from IEEE Security and Privacy #sp20!
Paper here:
Congratulations to Dr. Allison McDonald on her successful Ph.D. defense today!
@allismcdon's work is already helping to build a safer online world for some of the most vulnerable communities, and we can't wait to see what she does next.
@wbm312 @TheFIREorg The Canvas hack is also fake. Video guy is a TA for that class. If you look closely, he's just using the "Student View" feature while logged in with instructor privileges.
5/ The problem has to do with ballot-level election data, such as cast-vote records (data with the votes from each ballot) and ballot images (scans of each ballot). Many localities post such data as a form of public transparency, e.g.:
@mspecter @jimmykoppel @djweitzner @censysio How hard would that be? One of the servers, , returns an HTTP header indicating it runs outdated software: "Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/5.4.16". That PHP version has dozens of CVEs. 6/
6/ In other jurisdictions, ballot-level data is treated as a public record, and there has been a surge in FOIA requests for it:
People have used FOIA requests across the country to assemble data repositories like this:
7/ To protect privacy, ballot-level data is supposed to be randomly shuffled, but the DVSorder flaw makes it possible for anyone to unshuffle data from Dominion ICP and ICE scanners and learn the order the ballots were cast.
This can sometimes be used to learn how people voted.
Tomorrow I'm testifying to the House Appropriations Subcommittee on Financial Service & General Government.
My message: States urgently need more funding to eliminate vulnerable voting machines and switch to paper ballots, before attackers strike again.
Michigan's kicked off its risk-limiting audit of the presidential election. RLAs publicly confirm, without relying on potentially hackable voting equipment, that the outcome matches what's on the paper ballots. They're an essential security check that all states should practice.
Today we begin Michigan’s first ever statewide risk limiting audit. The audit, a bipartisan & transparent effort, will hand count randomly selected paper ballots to affirm the accuracy of the results of the November election. You can follow the process @MichSoS beginning at 11ET.
A personal first: I just voted without leaving my car.
Thanks to @A2GOV for providing drop boxes throughout the city, including this drive-up location next to City Hall. #A2votes
Question @NVElect: It looks like your statute only calls for an audit of votes cast in person. Is there any auditing of mail-in ballots (which are counted by computer scanners)?
Fun fact: Nevada was the first state in the country to require electronic voting machines to include a paper record of every vote cast. This paper vote record is audited against the recorded electronic votes. Any vote switching would be exposed during the audit.
1/ I have Dominion's response to Friday's letter from NY Board of Elections. A rare glimpse into anti-security mindset of voting machine vendors. Hacking concerns may delay Westchester's $6.1M plan to buy new voting machines via @lohud
READ THIS THREAD
14/ Worse, the scanners essentially all follow the same fixed sequence of 1,000,000 ballot ids. It's only the starting point in this sequence that's randomized from one batch of ballots to the next.
Today my @UMich and @AuburnU colleagues are publishing info on a privacy flaw we’ve found in some U.S. voting machine models.
The vulnerability, which we’re calling DVSorder, does NOT allow manipulation of votes or election results, but it could reveal how specific people voted.
8/ (a) For example, scanners usually display a count of ballots cast. I can note the count when I vote, and if my wife uses the scanner next, I'll know her ballot number too. If my locality releases vulnerable CVRs or ballot images, I can find her ballot and see how she voted.
11/ (d) A few localities even record surveillance video in polling places. This image is from a day-long video from Georgia, obtained by others via a public records request. If the locality releases vulnerable ballot images, anyone can link each ballot to footage of who cast it.
20/ That's why we're making our findings public now, to give election officials time to safely sanitize the data they release from the midterms. Our priority is to prevent this flaw from affecting voters this November, which is ultimately the best way to uphold public trust.
1 *BILLION* certificates! Simply incredible! Huge congratulations to everyone who has been part of making @LetsEncrypt a reality over the past 8 years.