HomePoliticsBREAKING: FEDS ISSUE CYBER SECURITY ALERT FOR DOMINION VOTING MACHINES Politics BREAKING: FEDS ISSUE CYBER SECURITY ALERT FOR DOMINION VOTING MACHINES June 8, 2022 Rob Lauer Political Reporter Election Alert: Tonight at the monthly Town Hall Dinner at the Ahern at 6pm (tickets),the Clark County Elections Chief, Joe Gloria, will be taking questions about election security. It wasn’t CISA itself that discovered “vulnerablitites”, according to the nation wide “Activity Alert” issue regarding Dominion Voting machines. It was J. Alex Halderman, University of Michigan, and Drew Springall, Auburn University, who reported these vulnerabilities to CISA. This week, Biden’s Cybersecurity and Infrastructure Security Agency (CISA), an operational component under Department of Homeland Security oversight, issued a declassified “Activity Alert” titled “ICSA-22-154-01 Vulnerabilities Affecting Dominion Voting Systems ImageCast X“. cisa advisory June 2022. 360 News asked the Nevada Secretary of State the following questions (no answer so far) 1. What steps has your office taken to address this report? 2. The report makes it very clear that the Dominion voting machines are vulnerable to physical accessed hacking. What security measures are being taken to protect the machines? Clark County Elections Department refuses to say what software system they are currently using to determine if its subject to this alert. “This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is an in-person voting system used to allow voters to mark their ballot. The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. While these vulnerabilities present risks that should be mitigated as soon as possible, Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. NOTE: After following the vendor’s procedure to upgrade the ImageCast X from Version 5.5.10.30 to 5.5.10.32, or after performing other Android administrative actions, the ImageCast X may be left in a configuration that could allow an attacker who can attach an external input device to escalate privileges and/or install malicious code. Instructions to check for and mitigate this condition are available from Dominion Voting Systems CISA issued the following detailed list of vulnerabilities 2.2 VULNERABILITY OVERVIEW NOTE: Mitigations to reduce the risk of exploitation of these vulnerabilities can be found in Section 3 of this document. 2.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347 The tested version of ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media. CVE-2022-1739 has been assigned to this vulnerability. 2.2.2 MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283 The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device. CVE-2022-1740 has been assigned to this vulnerability. 2.2.3 HIDDEN FUNCTIONALITY CWE-912 The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code. CVE-2022-1741 has been assigned to this vulnerability. 2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424 The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code. CVE-2022-1742 has been assigned to this vulnerability. 2.2.5 PATH TRAVERSAL: ‘../FILEDIR’ CWE-24 The tested version of ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS. CVE-2022-1743 has been assigned to this vulnerability. 2.2.6 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250 Applications on the tested version of ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code. CVE-2022-1744 has been assigned to this vulnerability. 2.2.7 AUTHENTICATION BYPASS BY SPOOFING CWE-290 The authentication mechanism used by technicians on the tested version of ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions. CVE-2022-1745 has been assigned to this vulnerability. 2.2.8 INCORRECT PRIVILEGE ASSIGNMENT CWE-266 The authentication mechanism used by poll workers to administer voting using the tested version of ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment. CVE-2022-1746 has been assigned to this vulnerability. 2.2.9 ORIGIN VALIDATION ERROR CWE-346 The authentication mechanism used by voters to activate a voting session on the tested version of ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization. CVE-2022-1747 has been assigned to this vulnerability. So what can be done to protect Dominion voting machines? According to CISA : Ensure all affected devices are physically protected before, during, and after voting. Ensure compliance with chain of custody procedures throughout the election cycle. Ensure that ImageCast X and the Election Management System (EMS) are not connected to any external (i.e., Internet accessible) networks Ensure carefully selected protective and detective physical security measures (for example, locks and tamperevident seals) are implemented on all affected devices, including on connected devices such as printers and connecting cables Close any background application windows on each ImageCast X device. Use read-only media to update software or install files onto ImageCast X devices. Use separate, unique passcodes for each poll worker card. Ensure all ImageCast X devices are subjected to rigorous pre- and post-election testing. Disable the “Unify Tabulator Security Keys” feature on the election management system and ensure new cryptographic keys are used for each election. As recommended by Dominion Voting Systems, use the supplemental method to validate hashes on applications, audit log exports, and application exports. Encourage voters to verify the human-readable votes on printout. Conduct rigorous post-election tabulation audits of the human-readable portions of physical ballots and paper records, to include reviewing ballot chain of custody and conducting voter/ballot reconciliation procedures. These activities are especially crucial to detect attacks where the listed vulnerabilities are exploited such that a barcode is manipulated to be tabulated inconsistently with the human-readable portion of the paper ballot. (R) Candidate Secretary of State Kristopher Dahir issued the following statement to 360 News: “The job of The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is to do just this, warn us of potential cyber threats and potential software vulnerability. The job of the SoS and Election Divisions is to take their recommendations for increased security and alert key staff to the necessary protocols. CISA issues these alerts constantly. As for this alert for election software, and now, what I can’t support is using this information to fuel the voter integrity fears of voters during the election. In no way should voters worry about voting. The only vote that won’t count this election cycle, is the one not cast. As for the future, a Kristopher Dahir Secretary of State office will do all that is necessary to answer questions and fears around voting practices. We must get this correct.” (R) Candidate Secretary of State Jim Marchant “I have worked tirelessly for the last 2 years to rid our state of Dominion voting machines because of these vulnerabilities outlined in this latest report. I have said repeatedly we cannot trust these machines. We need to start over and rebuild our election systems from the ground up to rebuild confidence.”
