Thus far in this series, The Gateway Pundit has covered how Dr. J. Alex Halderman, a University of Michigan Professor of Computer Science, was able to exploit critical vulnerabilities of the Dominion ICX BMD (ballot marking device) voting machine in federal court as part of a demonstration in the long-running Curling v. Raffensperger lawsuit.
In Part 1 of this series, we covered the explosive testimony and demonstration of University of Michigan Professor Dr. J. Alex Halderman in the federal lawsuit Curling v. Raffensperger. The Gateway Pundit covered the ease with which one could exploit the “BIC pen hack” and, further, the simple and inexpensive (about $30) creation of voter, poll-worker, and, most importantly, technician smart cards to attack the Dominion ICX BMD, or ballot marking device.
In Part 2 of the series, we covered the ability to hide evidence of manipulation by deleting audit logs and automating the “attack” by simply inserting a technician card or a USB “Bash Bunny” device, which costs about $100. Dr. Halderman testified in court that all of the information one would need to program those devices to attack a Dominion ICX BMD is “remarkably” available to the public.
No One Will Know…
After using the Bash Bunny to install malware in under two minutes without breaking or removing any seals, Dr. Halderman demonstrated a mock election in his video. He had five ballots for a “yes” or “no” contest. All five were marked with “yes” and verified as “yes” votes on the human-readable text. However, when the votes were tabulated, the results were two votes for “yes” and three votes for “no” despite the ballots all reading “yes.”
Further, this attack could be programmed to initiate only on certain ballots. Dr. Halderman testified:
“Instead of cheating on every ballot, you could program malware to cheat on every second ballot, every third ballot, et cetera. So that if a voter noticed a problem and complained and then was instructed to go back to the machine, try again, we’ll see if it is a problem with the machine. When the voter repeated the same selections, the ballot would come out correctly.”
This would inevitably make the attack almost undetectable at the local level as most poll-workers would likely assume a voter simply made a mistake rather than thinking the machine was compromised.
The malware could also be programmed to subvert Logic and Accuracy testing, either by starting only after a certain number of ballots have been created or by detecting that it is being tested based on the date and time. It can also be programmed to become active only on Election Day. Oh, and it can also delete itself after an election so that it passes any audits or testing of the machine that are conducted, according to Dr. Halderman.
According to the testimony, Vulnerability #7 is that “there isn’t an effective cryptographic protection in the ICX to validate that the applications installed on it actually are genuine software that comes from Dominion.”
Here again is the transcript from the court hearing and Professor Halderman’s testimony.
The Super Spreader Event…
All of the above attacks involve physical access to the BMD system and are largely confined to the individual Dominion ICX BMD that was attacked. However, Dr. Halderman described an attack that doesn’t require physical access and can seemingly be far more widespread. He testified that these attacks were “particularly concerning.”
“These vulnerabilities provide a way to install malware by piggybacking, essentially, on the normal pre-election processes that are used to install the ballot information onto all of the BMDs prior to an election.”
Dr. Halderman described the pre-election process that is undertaken before each election, where every Dominion ICX BMD is loaded with an election definition file. This file tells the BMD what is supposed to be on the ballot for that jurisdiction.
Election definition files are created for the entire state at the Center for Election Systems in the Secretary of State’s office using an election management system. The computers used to create these files are running Dominion software and are “disconnected” or, presumably, “air gapped.” The definition files are copied onto USB sticks and then sent to the counties to be installed on their election management system, which is also “disconnected.”
An attacker could “make certain modifications to the election definition file in a way that allows the attacker to overwrite other files on the BMD when the election definition is loaded.”
This attack would not be readily observable by the user, but once installed, the attacker would “get the ability to overwrite another part of the data on the system.”
This attack could grant superuser access without so much as a prompt. Automatically. And because it originated in the election definition file, this would infect every Dominion ICX BMD in the county the attack targeted.
Dr. Halderman testified that this type of attack could originate with an “election insider” or someone who broke in or obtained physical access to the election management system computer. All that would be required is to simply switch out the election definition file and put one created by the attackers in its place.
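One control against a definition file being switched out between the state office and a county is to check the removable media against a digest manifest received over a separate channel before anything is loaded from it. The sketch below is an added example, not code from Dominion, the court record or this article; the file names and manifest format are hypothetical, and a digest check only catches changes made after the manifest was produced, not a file that was already malicious at its source.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large definition packages need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the manifest received out of band.

    Returns relative paths that are modified, missing, or unexpected.
    An empty report is the only result that should allow loading to proceed.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    for name, expected in manifest.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(present[name]) != expected.lower():
            report["modified"].append(name)
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a stick whose definition file is swapped in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)
        # Hypothetical file names and constructed contents, for illustration only.
        (stick / "election_definition.dat").write_bytes(b"constructed sample A")
        (stick / "readme.txt").write_bytes(b"county instructions")
        # Manifest computed at the source and sent over a separate channel.
        manifest = {n: sha256_file(stick / n)
                    for n in ("election_definition.dat", "readme.txt")}
        # The file is replaced and an extra file appears before arrival.
        (stick / "election_definition.dat").write_bytes(b"constructed sample B")
        (stick / "extra.bin").write_bytes(b"\x00")
        return verify_media(stick, manifest)


if __name__ == "__main__":
    print(demo())
```

Files that are present but not listed are reported as well as changed ones, because an extra file on the stick is as much a deviation from what the source shipped as a modified one.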
The Façade of “Security”
Lastly, Dr. Halderman testified that the version of Microsoft Windows being run on the Election Management System servers was a 2015 version that had not received any security patches. Further, the Windows Defender anti-virus software was also significantly outdated:
“The antivirus software installed on the machine, Windows Defender, had antivirus definitions that were more than a year out of date, and as a result of that, the system contained a large number of known and unpatched vulnerabilities and not [sic] antivirus updates that would cover even known malware, let alone malware specially crafted for the purpose of attacking the server.
Among the vulnerabilities in Windows that were not patched was a known vulnerability that Microsoft had categorized as critical that would allow malicious software to automatically launch and install itself from a USB stick, exactly the sort of vulnerability that would enable a Stuxnet style attack if an infected USB stick was attached.”
He then reiterates that the EMS servers have a “known and unpatched vulnerability in Windows.”
More to come as this case progresses…
During the testimony of Dr. Halderman, attorney David Oles was not permitted to ask any questions of Dr. Halderman. Oles represents co-plaintiff Ricardo Davis of VoterGA.org. Yesterday, The Gateway Pundit reported that Oles was able to get proffers submitted to the court regarding Dr. Halderman and Dr. Philip Stark’s testimonies.
The trial featuring this explosive testimony and live demonstration is currently underway in the Northern District of Georgia in Judge Amy Totenberg’s court.