Messaging Battle: Dominion Security Vulnerabilities

By Patrick Colbeck

Remember the assertions by organizations such as CISA that the 2020 election was the “most secure election in history”? Well, 19 months after the election, we are seeing increasing evidence that this assertion was the “most disingenuous assertion in history”. The latest evidence is the release of a ICS Advisory (ICSA-22-154-01) by CISA regarding the security vulnerabilities they discovered in Dominion ICX voting machines.

This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is an in-person voting system used to allow voters to mark their ballot. The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections. 

Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems. Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities.

ICS Advisory (ICSA-22-154-01)

SECURITY VULNERABILITIES

The security vulnerabilities found in the CISA advisory are quite significant. Here is the list of vulnerabilities provided in the advisory:

2.2.1    IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

The tested version of ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media. 

CVE-2022-1739 has been assigned to this vulnerability. 

2.2.2    MUTABLE ATTESTATION OR MEASUREMENT REPORTING DATA CWE-1283

The tested version of ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device.

CVE-2022-1740 has been assigned to this vulnerability. 

2.2.3    HIDDEN FUNCTIONALITY CWE-912

The tested version of ImageCast X has a Terminal Emulator application which could be leveraged by an attacker to gain elevated privileges on a device and/or install malicious code.

CVE-2022-1741 has been assigned to this vulnerability. 

2.2.4    IMPROPER PROTECTION OF ALTERNATE PATH CWE-424

The tested version of ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.

CVE-2022-1742 has been assigned to this vulnerability. 

2.2.5    PATH TRAVERSAL: ‘../FILEDIR’ CWE-24

The tested version of ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS. 

CVE-2022-1743 has been assigned to this vulnerability. 

2.2.6    EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

Applications on the tested version of ImageCast X can execute code with elevated privileges by exploiting a system level service. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.

CVE-2022-1744 has been assigned to this vulnerability. 

2.2.7    AUTHENTICATION BYPASS BY SPOOFING CWE-290

The authentication mechanism used by technicians on the tested version of ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.

CVE-2022-1745 has been assigned to this vulnerability. 

2.2.8    INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The authentication mechanism used by poll workers to administer voting using the tested version of ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.

CVE-2022-1746 has been assigned to this vulnerability. 

2.2.9    ORIGIN VALIDATION ERROR CWE-346

The authentication mechanism used by voters to activate a voting session on the tested version of ImageCast X is susceptible to forgery. An attacker could leverage this vulnerability to print an arbitrary number of ballots without authorization.

CVE-2022-1747 has been assigned to this vulnerability. 

EVIDENCE SECURITY VULNERABILITIES WERE EXPLOITED

In the CISA advisory, the authors asserted that there was no evidence that any of these vulnerabilities were exploited in any elections. Is that true? Well, perhaps the specific vulnerabilities identified in their advisory may not have been exploited, but it is disingenuous to give the impression that there is no evidence of electronic voting system exploits.

The following table provides a summary of some of the more notable evidence that security vulnerabilities in Dominion voting systems were exploited.

If CISA was truthful in their assertion that they found no evidence that any security vulnerabilities were exploited, they were not looking very hard. By including this assertion in their advisory, they certainly provided significant cover for media outlets sympathetic to the “there is no election fraud” narrative.

MEDIA SPIN

The CISA security advisory was distributed to election officials a week prior to the public release. However, it was leaked to the media before the public release. While media stories about the security vulnerabilities of electronic voting systems were all the rage in the lead up to the 2020 election, such narratives were actively suppressed in the wake of the 2020 election. That’s what makes the sudden interest in stories about security vulnerabilities in the lead up to the 2022 election so interesting.

Here is a sample of the media headlines for stories reporting on the CISA advisory.

MEDIA OBJECTIVES

Headlines set the tone for any media story. One can learn a lot about the bias of the core message from the headline. The fact that the story was “leaked” to the media indicates that the “leaker” intended to shape the public sentiment regarding the advisory before the actual advisory is released.

How could the public sentiment be shaped?

Damage Control. Downplay the security vulnerabilities of Dominion Voting Systems and limit discussion of vulnerabilities to the Dominion ICX platform rather than the other components of the Dominion Democracy Suite (ICP, ICC, EMS).

False Sense of Security. In the lead up to the 2022 election, give voters the impression that CISA and other organizations responsible for the security of our elections are on the ball. This approach fits with the aggressive campaign in the wake of the 2020 election to classify any claims of election fraud as “misinformation”.

Contingency Plan. If their 2022 election plans go awry, they can always pull out advisories and media stories discussing security vulnerabilities in support of “I told you so” stories. Prior to 2020 election, media stories about the security vulnerabilities of electronic voting systems were all the rage. Afterwards, anyone who highlighted these vulnerabilities was labelled as a conspiracy theorist.

CONCLUSION

We are currently in the “Defense Phase” of the 2020 Coup. This phase features an all out effort to dismiss any assertions of 2020 election fraud as “conspiracy theories”. Despite their best efforts, more and more Americans are discovering that the 2020 election was nowhere near the “most secure election in history”. Documentaries such as 2000 Mules, Mike Lindell’s Absolute Series, and Rigged are exposing the fallacy of that assertion with each passing day. The fact of the matter is that the Dominion ICX platform highlighted in this latest CISA security advisory is not the only electronic voting system with significant security vulnerabilities. If we are to have any hope of ensuring that our 2022 elections are secure, we need to be candid about ALL of these vulnerabilities and take measures BEFORE the election to mitigate the risk that any system will be exploiting to subvert the results of our elections.