Mail-in-Voting Should Be Restricted in the United States
Paper Ballots - Hand Counts Save and Secure Elections
Making mail-in voting available for the elderly and disabled is obviously a fair idea. But that is not what the law now prescribes. Now ANYBODY can mail in their ballots for no reason whatsoever. This situation leads to problems of ID verification. How are these ballots verified to be from the actual voter on the roster if the ID is not checked for signature verification?
Mail-in voting can also invite “Vote Harvesting,” wherein hundreds of ballots are bundled together and put into a dropbox with no verification of IDs whatsoever.
The most fair and secure way to have an election is for voters to vote in person at their prescribed precinct and produce valid identification to the poll worker, who can check the signature on your ID against the signature you provide while signing in to vote.
Allowing mail in voting exclusively for the elderly and disabled is the safest and most secure way to handle elections in this nation.
Voting machines should be forbidden in America; they have been the bane of elections since their advent. There is no valid reason that can be cited for using voting machines. Paper ballots hand marked by the voter are the most sensible manner in which to carry out an election. No chads, no cheating via the adjudication function on voting machines, just simple hand-marked ballots and hand counts by poll workers. That is the way elections were run before the digital age, and they worked splendidly.
Eric Coomer, lead sales representative for Dominion Voting Machines, demonstrates the manner in which the Adjudication Function can change, or flip, votes in any manner the operator chooses.
This video is from the State Farm Arena surveillance video, showing Shay Moss and her mother Ruby Freeman telling the poll monitors and the news team that they were shutting down ballot counting for the night, and then continuing to count the ballots after they left.
ICS Advisory (ICSA-22-154-01)
Vulnerabilities Affecting Dominion Voting Systems ImageCast X
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
1. SUMMARY
This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is an in-person voting system used to allow voters to mark their ballot. The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. While these vulnerabilities present risks that should be mitigated as soon as possible.
Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems. Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities.
2. TECHNICAL DETAILS
2.1 AFFECTED PRODUCTS
The following versions of the Dominion Voting Systems ImageCast X software are known to be affected (other versions were not able to be tested):
ImageCast X firmware based on Android 5.1, as used in Dominion Democracy Suite Voting System Version 5.5-A
ImageCast X application Versions 5.5.10.30 and 5.5.10.32, as used in Dominion Democracy Suite Voting System Version 5.5-A
NOTE: After following the vendor’s procedure to upgrade the ImageCast X from Version 5.5.10.30 to 5.5.10.32, or after performing other Android administrative actions, the ImageCast X may be left in a configuration that could allow an attacker who can attach an external input device to escalate privileges and/or install malicious code. Instructions to check for and mitigate this condition are available from Dominion Voting Systems.
Any jurisdictions running ImageCast X are encouraged to contact Dominion Voting Systems to understand the vulnerability status of their specific implementation.
2.2 VULNERABILITY OVERVIEW
NOTE: Mitigations to reduce the risk of exploitation of these vulnerabilities can be found in Section 3 of this document.
2.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347
The tested version of ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.
CVE-2022-1739 has been assigned to this vulnerability.
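The difference between checking a signature and checking it against a trust anchor, as described in 2.2.1, is shown in the following added example (not code from the advisory or the vendor). The `Package` type, the function names and the use of Ed25519 are assumptions made for illustration, and all data is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Package is a hypothetical software bundle that carries its own signer key,
// in the style of a self-signed application package.
type Package struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// sign builds a bundle signed by priv (constructed sample data only).
func sign(priv ed25519.PrivateKey, payload []byte) Package {
	return Package{payload, ed25519.Sign(priv, payload), priv.Public().(ed25519.PublicKey)}
}

// verifyUnanchored is the CWE-347 pattern: the signature is checked only
// against the key shipped inside the bundle, so any self-consistent bundle passes.
func verifyUnanchored(p Package) bool {
	return ed25519.Verify(p.SignerKey, p.Payload, p.Signature)
}

// verifyAnchored also requires the signer key to match a key provisioned on
// the device out of band (the trust anchor).
func verifyAnchored(p Package, trusted ed25519.PublicKey) bool {
	if !bytes.Equal(p.SignerKey, trusted) {
		return false // signer is not the manufacturer
	}
	return ed25519.Verify(trusted, p.Payload, p.Signature)
}

// demo checks three bundles: vendor-signed, signed by an unrelated key, and
// vendor-signed with the payload changed after signing.
func demo() (weak, strong [3]bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil uses crypto/rand
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	good := sign(vendorPriv, []byte("app v1"))
	resigned := sign(otherPriv, []byte("app v1 modified"))
	altered := good
	altered.Payload = []byte("app v1 altered")
	for i, p := range []Package{good, resigned, altered} {
		weak[i], strong[i] = verifyUnanchored(p), verifyAnchored(p, vendorPub)
	}
	return
}

func main() { fmt.Println(demo()) }
```

Both checks reject the payload altered after signing; only the anchored check rejects the bundle signed by a key the manufacturer never issued.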
2.2.2 MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283
The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device.
CVE-2022-1740 has been assigned to this vulnerability.
2.2.3 HIDDEN FUNCTIONALITY CWE-912
The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.
CVE-2022-1741 has been assigned to this vulnerability.
2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424
The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.
CVE-2022-1742 has been assigned to this vulnerability.
3. MITIGATIONS
CISA recommends election officials continue to take and further enhance defensive measures to reduce the risk of exploitation of these vulnerabilities. Specifically, for each election, election officials should:
Contact Dominion Voting Systems to determine which software and/or firmware updates need to be applied. Dominion Voting Systems reports to CISA that the above vulnerabilities have been addressed in subsequent software versions.
Ensure all affected devices are physically protected before, during, and after voting.
Ensure compliance with chain of custody procedures throughout the election cycle.
Ensure that ImageCast X and the Election Management System (EMS) are not connected to any external (i.e., Internet accessible) networks.
Ensure carefully selected protective and detective physical security measures (for example, locks and tamper-evident seals) are implemented on all affected devices, including on connected devices such as printers and connecting cables.
Close any background application windows on each ImageCast X device.
Use read-only media to update software or install files onto ImageCast X devices.
Use separate, unique passcodes for each poll worker card.
Ensure all ImageCast X devices are subjected to rigorous pre- and post-election testing.
Disable the “Unify Tabulator Security Keys” feature on the election management system and ensure new cryptographic keys are used for each election.
As recommended by Dominion Voting Systems, use the supplemental method to validate hashes on applications, audit log exports, and application exports.
Encourage voters to verify the human-readable votes on printout.
Conduct rigorous post-election tabulation audits of the human-readable portions of physical ballots and paper records, to include reviewing ballot chain of custody and conducting voter/ballot reconciliation procedures. These activities are especially crucial to detect attacks where the listed vulnerabilities are exploited such that a barcode is manipulated to be tabulated inconsistently with the human-readable portion of the paper ballot. (NOTE: If states and jurisdictions so choose, the ImageCast X provides the configuration option to produce ballots that do not print barcodes for tabulation.)
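The comparison at the heart of the tabulation audit in the last mitigation can be sketched as follows. This is an added example, not part of the advisory: the `Record` and `Finding` types, the candidate names and the sample ballots are constructed, and scoring each discrepancy as a margin overstatement goes beyond what the advisory specifies.

```go
package main

import "fmt"

// Record is one contest selection on one sampled ballot; "" means no selection.
// CVR is what the tabulator recorded from the barcode; Hand is what auditors
// read from the human-readable text on the same paper record.
type Record struct {
	BallotID  string
	CVR, Hand string
}

// Finding is a ballot whose two interpretations differ. Overstatement is how
// far the CVR inflated the winner-over-loser margin, from -2 to 2.
type Finding struct {
	BallotID      string
	Overstatement int
}

// vote returns 1 if the selection is for cand, otherwise 0.
func vote(choice, cand string) int {
	if choice == cand {
		return 1
	}
	return 0
}

// compare returns every mismatching ballot and the net margin overstatement
// across the sample for the reported winner and loser.
func compare(sample []Record, winner, loser string) (findings []Finding, net int) {
	for _, r := range sample {
		reported := vote(r.CVR, winner) - vote(r.CVR, loser)
		audited := vote(r.Hand, winner) - vote(r.Hand, loser)
		if r.CVR != r.Hand {
			findings = append(findings, Finding{r.BallotID, reported - audited})
		}
		net += reported - audited
	}
	return
}

// sampleAudit runs compare over five constructed ballots.
func sampleAudit() ([]Finding, int) {
	sample := []Record{
		{"B-001", "Alice", "Alice"},
		{"B-002", "Alice", "Bob"}, // barcode and text disagree
		{"B-003", "Bob", "Bob"},
		{"B-004", "Alice", ""}, // text shows no selection
		{"B-005", "Bob", "Alice"}, // disagreement in the other direction
	}
	return compare(sample, "Alice", "Bob")
}

func main() { fmt.Println(sampleAudit()) }
```

Any finding at all means the barcode and the printed text on a ballot disagree and the paper record needs review, even when opposing discrepancies partly cancel in the net figure.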
Contact Information
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
_______________________________________________________________
'Online and vulnerable': Experts find nearly three dozen U.S. voting systems connected to internet
A team of election security experts used a “Google for servers” to challenge claims that voting machines do not connect to the internet and found some did.
According to a team of 10 independent cybersecurity experts who specialize in voting systems and elections, while the voting machines themselves are not designed to be online, the larger voting systems in many states end up there, putting the voting process at risk.
That team of election security experts say that last summer, they discovered some systems are, in fact, online.
“We found over 35 [voting systems] had been left online and we’re still continuing to find more,” Kevin Skoglund, a senior technical advisor at the election security advocacy group National Election Defense Coalition, told NBC News.
“We kept hearing from election officials that voting machines were never on the internet,” he said. “And we knew that wasn't true. And so we set out to try and find the voting machines to see if we could find them on the internet, and especially the back-end systems that voting machines in the precinct were connecting to to report their results.”
Skoglund and his team developed a tool that scoured the internet to see if the central computers that program voting machines and run the entire election process at the precinct level were online. Once they had identified such systems, they contacted the relevant election officials and also provided the information to reporter Kim Zetter, who published the findings in Vice’s Motherboard in August.
The three largest voting manufacturing companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — have acknowledged they all put modems in some of their tabulators and scanners. The reason? So that unofficial election results can more quickly be relayed to the public. Those modems connect to cell phone networks, which, in turn, are connected to the internet.
The largest manufacturer of voting machines, ES&S, told NBC News their systems are protected by firewalls and are not on the “public internet.” But both Skoglund and Andrew Appel, a Princeton computer science professor and expert on elections, said such firewalls can and have been breached.
“AT&T and Verizon and so on try and protect as best they can the security of their phone network from the rest of the internet, but it’s still part of the internet,” Appel explained. “There can still be security holes that allow hackers to get into the phone network.”
The 35 systems Skoglund’s team found represent a fraction of total voting systems nationwide, though he believes they only captured a portion of the systems that are or have been online. Earlier this week, Skoglund showed NBC three election systems were still online even after officials had been told they were vulnerable.
For election systems to be online, even momentarily, presents a serious problem, according to Appel.
“Once a hacker starts talking to the voting machine through the modem, the hacker cannot just change these unofficial election results, they can hack the software in the voting machine and make it cheat in future elections,” he said.
The National Institute of Standards and Technology, which provides cybersecurity frameworks for state and local governments and other organizations, recommends that voting systems should not have wireless network connections.
Skoglund said that they identified only one company among the systems they detected online, ES&S. ES&S confirmed they had sold scanners with wireless modems to at least 11 states. Skoglund says those include the battleground states of Michigan, Wisconsin and Florida.
While the company’s website states that “zero” of its voting tabulators are connected to the internet, ES&S told NBC News 14,000 of their DS200 tabulators with online modems are currently in use around the country.
NBC News asked the two other major manufacturers how many of their tabulators with modems were currently in use. Hart said that it has approximately 1,600 such tabulators in use in 11 counties in Michigan. Dominion did not respond to numerous requests from NBC News for their sales numbers.
'Vulnerable to hacking'
With the 2020 presidential election only ten months away, Appel and Skoglund believe all modems can and should be removed from election systems.
“Modems in voting machines are a bad idea,” said Appel. “Those modems that ES&S [and other manufacturers] are putting in their voting machines are network connections, and that leaves them vulnerable to hacking by anybody who can connect to that network.”
Michael Hayden was CIA director from May 2006 to February 2009. Hayden was probably the Bush Administration official who most consistently misled Congress and the administration; the torture report contains approximately 37 pages of examples of Hayden’s testimony to the Senate Intelligence Committee where he provided misleading or incorrect information. Highlights of this false testimony include: that "[a]ll those involved in the questioning of detainees [were] carefully chosen and screened for demonstrated professional judgment and maturity;” that "[a]fter the use of these techniques, Abu Zubaydah became one of our most important sources of intelligence on al-Qa'ida;" that "in […] classified and private conversations, none of the Members [of Congress] expressed the view that the CIA interrogation program should be stopped, or that the techniques at issue were inappropriate;” that “[a]ny deviations from approved procedures and practices that are seen [were] to be immediately reported and immediate corrective action taken;” that the CIA’s interrogation program was “‘the most successful program being conducted by American intelligence [at the time]’ for ‘preventing attacks, disabling al Qa'ida;’” that “the least coercive measures [were used] to create cooperation at a predictable, reliable, sustainable level;” that International Committee of the Red Cross reports contained “numerous false allegations of physical or threatened abuses and faulty legal assumptions and analysis;” that "[p]unches and kicks are not authorized and have never been employed;" that “CIA medical officers [never] threatened a detainee, [or stated] that medical care was conditional on cooperation” (see the case of Hassan Ghul for an example of where CIA psychologists suggested that a detainee’s medical problems were a result of not being truthful); that Abu Zubaydah’s “liquid diet [was] quite appropriate because he was recovering from abdominal surgery at the time” and was not an interrogation 
technique; that "waterboarding cannot take place any more than five days out of a total of 30 days” and “there cannot be more than two sessions per day” (see the cases of Khalid Sheikh Mohammad (KSM) and Abu Zubaydah for examples of where these guidelines were ignored); that waterboarding of KSM directly led to information; that detainees were "not paraded [nude] in front of anyone;" that “the most serious injury that [he was] aware of […] is bruising as a result of shackling" and that no one died (see the case of Gul Rahman); and that detainees were not shackled with their hands “above the head.” “Michael Hayden sent a letter to the president formally requesting that the president issue the Executive Order interpreting the Geneva Conventions in a manner to allow the CIA to interrogate [a detainee] using the CIA's enhanced interrogation techniques.” On the day of George W. Bush's September 2006 speech, which contained several inaccuracies about the success of the program, Hayden stated “w
https://thefederalist.com/2022/08/16/u-s-postal-service-just-institutionalized-election-interference-with-new-mail-in-ballot-division/