Secret report finds flaw in Georgia voting system, but state in the dark

Credit: JOHN SPINK / AJC

Credit: JOHN SPINK / AJC

Hacking is possible, experts say, but there’s no sign 2020 election was rigged

A confidential report alleges that hackers could flip votes if they gained access to Georgia’s touchscreens, drawing interest from the U.S. Department of Homeland Security, Louisiana election officials and Fox News.

One key agency hasn’t asked the court to disclose the report: the Georgia secretary of state’s office.

There’s no sign that state election officials have done anything about the vulnerability, a potential flaw dangerous enough to be kept under seal, labeled in court as “attorneys’ eyes only” six months ago.

The vulnerability hasn’t been exploited in an election so far, according to examinations of the state’s Dominion Voting Systems equipment, but election security experts say it’s a risk for upcoming elections this year. Investigations have repeatedly debunked allegations of fraud in the 2020 election.

Georgia election officials won’t say what actions they’ve taken, if any, to improve security or detect tampering. State election officials declined to answer questions about a report they haven’t seen, which outlined the flaw as part of a lawsuit aimed at forcing the state to abandon its $138 million voting system that prints out paper ballots and instead use paper ballots filled out by hand.

Several election integrity advocates said Georgia Secretary of State Brad Raffensperger shouldn’t ignore the issue, even if he believes existing protections would prevent illicit access to voting equipment.

“It’s really concerning that the Georgia secretary of state and Dominion are kind of putting their head in the sand,” said Susan Greenhalgh, an election security consultant for plaintiffs suing over Georgia’s voting system. “Common sense would say you would want to be able to evaluate the claims and then take appropriate action, and they’re not doing any of that.”

Dominion became a frequent target of misinformation after the 2020 election, when election skeptics falsely claimed the company’s voting equipment produced fraudulent results. Georgia’s election results were checked by a recount of all 5 million paper ballots and multiple investigations.

Voting machine penetrated

The vulnerability was first alleged in sealed court documents in July by Alex Halderman, a computer science professor at the University of Michigan. As an expert for plaintiffs in the election security lawsuit, Halderman gained access to Georgia voting equipment for 12 weeks and produced a 25,000-word secret report.

Halderman found that malicious software could be installed on voting touchscreens so that votes are changed in QR codes printed on paper ballots, which are then scanned to record votes, according to court documents. QR codes aren’t readable by the human eye, and voters have no way to know whether they match the printed text of their choices.

The vulnerability could be exploited by someone with physical access to a voting touchscreen, such as a voter in a polling place, or by an attacker who used election management system computers, Halderman said. A hacker in a polling place could only target one touchscreen at a time, limiting the number of votes that could be changed, but an attack on election management systems could have a broader impact.

“It is important to recognize the possibility that nefarious actors already have discovered the same problems I detail in my report and are preparing to exploit them in future elections,” Halderman wrote in a September declaration. Halderman has said there’s no evidence that Dominion voting machines changed votes in the 2020 election.

Raffensperger, the state’s top election official, said Halderman is a longtime critic of Georgia’s voting technology who was only able to create the hack after a judge gave him access to voting equipment and passwords. He said voting in Georgia is more secure than ever because of audits, voter ID requirements and a ban on collecting and returning multiple absentee ballots.

“Claiming you can break into a system after being given unfettered access is like claiming you can break into a house after being given the keys and alarm codes,” Raffensperger said Wednesday.

Credit: Atlanta Journal-Constitution

Credit: Atlanta Journal-Constitution

Though the Georgia secretary of state’s office is a defendant in the court case, the judge hasn’t allowed anyone to view the details of Halderman’s report besides attorneys and expert witnesses. Halderman also produced a version of the report that redacts sensitive information, but the secretary of state’s office hasn’t seen or asked to see it.

Raffensperger said he doesn’t object to the judge making Halderman’s report public so election officials could review it for themselves.

“The smoke and mirrors techniques of Professor Halderman and the plaintiffs in this case does not serve Georgia voters well,” Raffensperger said.

Gov. Brian Kemp called on Raffensperger to safeguard Georgia’s voting machines from potential risks.

“He should immediately gather all relevant information regarding this report, thoroughly vet its findings, and assure Georgians he is doing everything possible to ensure the system, procedures and equipment are completely secure,” said Kemp spokeswoman Katie Byrd on Wednesday.

Impact extends beyond Georgia

The potential ability to hack voting touchscreens that print out paper ballots extends beyond Georgia. Dominion ballot-marking devices are used in jurisdictions in 12 states, including California, Michigan and Missouri.

While Georgia election officials aren’t saying whether they’ve increased the security of the state’s voting system, others have taken an interest.

The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, wrote a letter to the judge Jan. 21 informing her that potential vulnerabilities could be disclosed and mitigated.

Last month, Louisiana Secretary of State Kyle Ardoin asked the court to see the report because his state also uses Dominion touchscreens during early voting, a motion that U.S. District Judge Amy Totenberg denied, citing the danger of spreading information that could be used to subvert elections.

Totenberg hasn’t ruled on another request for the report this month by Fox News, which is defending itself in a defamation lawsuit by Dominion. Fox is being sued for $1.6 billion, with Dominion alleging that the network spread false conspiracy theories that the company’s election technology had rigged vote counts.

The Georgia secretary of state’s office should also take concerns about vulnerabilities seriously, several experts say. Election officials could hire consultants to review election equipment for weaknesses, strengthen audits and review the physical security of election equipment.

An expert for the state, University of Florida computer scientist Juan Gilbert, said Georgia’s election audit process, which reviews the printed text of voters’ choices, would expose inconsistencies between QR codes and the text. Gilbert declined to comment on Halderman’s allegation but has previously addressed protections from hacking.

“If QR codes are inconsistent with the human-readable portion of the ballot, this will be detected during the (risk-limiting audit) and may signal a full manual recount,” Gilbert wrote in a November 2019 court declaration. “The general statement that computers can be hacked is no justification to remove all computers from any type of interaction with voting and election systems.”

But others say audits would be inadequate because they might not detect fraud on a small number of ballots that could swing a close election.

ExploreVote-by-mail fraud more a fear than a reality in Georgia

“If there’s any way to get at these machines, that’s a vulnerability. That’s an open door, and you need to have intrusion detection systems in place to monitor it,” said Gregory Miller, co-founder of the Open Source Election Technology Institute, an organization that researches ways to increase election security and transparency. “A lot of stars have to align themselves for an immaculate hack, but it is possible, so steps should be made to mitigate that.”

Dilemma: Keep secret or go public

Noah Praetz, an election security consultant and former elections director in Cook County, Ill., said election officials should assume their equipment has vulnerabilities and develop safeguards, including audits, testing and reviews of equipment to ensure there’s no malware.

“Even an attack on one voting machine that is caught and corrected would feed a damaging narrative that’s already taken hold in some quarters of our country, so they’re advised to buckle down and be extra secure with their cyber practices and physical control over their voting systems,” Praetz said.

An evaluation of Georgia’s voting machines two weeks after the 2020 election found no signs of hacking or tampering. Former U.S. Attorney General William Barr said in December 2020 that there was no evidence of fraud on the scale that could have changed the outcome of the election, contradicting his boss, President Donald Trump.

A testing lab called Pro V&V audited a random sample of Dominion voting machines from several counties, finding that all software and firmware was the same as components certified for use by the secretary of state’s office.

Since then, it’s unclear whether the secretary of state’s office or its election security vendor, Fortalice Solutions, has done more to harden election systems against threats. Dominion also declined to comment.

“Election safeguards — from testing and certification of voting systems to canvassing and auditing — prevent malicious actors from tampering with results,” Dominion said in a December 2020 statement.

Because details of the hack are sealed from public view, available only to attorneys and experts in the court case, it’s difficult for anyone else to evaluate how dangerous it could be.

The lack of disclosure could fuel conspiracy theories by losing candidates, said David Jefferson, a computer scientist and former board member for Verified Voting, an organization that focuses on election technology. On the other hand, revealing more information about the hack would make it easier for hackers to replicate it.

“Keeping this information secret does more damage than making it public because the people who wish to cast doubt on the integrity of our elections have this weapon of saying, ‘The government knows these machines have been compromised,’ and no one is going to be able to refute that claim,” Jefferson said.

More information about the vulnerability could be made public through testimony by Halderman and other witnesses when the case goes to trial later this year.

Totenberg has signaled deep concerns about the security of Georgia’s voting equipment, writing in an October 2020 ruling that “these risks are neither hypothetical nor remote.”

So far, Totenberg has refused to release the report because its information could be misused if it fell into the hands of hackers. However, she encouraged the state to discuss the vulnerability with Halderman outside of court.

“The state has to live with how it conducts its business,” Totenberg said during a court hearing in November.