CISA issues vulnerability advisory for select Dominion voting equipment, urges updates
Vulnerabilities within some Dominion voting machines used in roughly a dozen states should be mitigated “as soon as possible,” the U.S. government’s top cybersecurity officials said in advisory issued Friday afternoon.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advisory notes that while the technical flaws notes that while the technical flaws within the Dominion Voting Systems Democracy Suite ImageCast X — an in-person voting system that allows voters to mark their ballots — should be “mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections.”
Attackers looking to exploit the identified vulnerabilities “would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded” to the devices, the advisory reads, giving some experts doubt as to the real-world applicability of the concerns.
The advisory included a slate of recommended mitigations, such as ensuring software and firmware updates are made, physical protection of machines at all times and ensuring that the machines are not connected to any external internet networks.
“Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities,” the statement read.
CISA Director Jen Easterly tweeted that the mitigations, if in place, would make it “very unlikely that a malicious actor could exploit these vulnerabilities to affect an election.”
The CISA advisory comes after it reviewed the machines in response to research conducted by election security experts as part of long-running litigation over Georgia’s voting system, The Washington Post reported May 28.
A report produced by University of Michigan professor J. Alex Halderman, who served as an expert for the plaintiffs arguing that the systems are insecure, was part of the basis for the CISA review. Halderman explained in a series of tweets Friday that CISA’s review examined nine vulnerabilities he and another researcher submitted to CISA in February.
Dominion told CNN Friday that its machines “are accurate and secure,” and that “the issues raised in the advisory are limited to ballot marking devices, not vote tabulators.”
A separate analysis of Georgia’s voting system, conducted by the federally funded Mitre Corp. and also not-yet-public, affirmed that “existing procedural safeguards make it extremely unlikely for any bad actor to actually exploit any vulnerabilities,” Georgia Deputy Secretary of State Gabriel Sterling told CNN.
Dominion has been at the center of fervent conspiracy theories pushed by former President Donald Trump and his supporters who baselessly assert that the 2020 election suffered widespread fraud enabled, in part, by malicious manipulation of Dominion voting equipment. Denver-based Dominion has filed multiple lawsuits related to the claims, including defamation lawsuits against Trump attorneys Rudy Giuliani and Sidney Powell.
