ATLANTA — Two reports offering dueling assessments of the security of Georgia's voting machines have been made public by a federal judge.
The reports had been under seal in the long-running lawsuit, Curling v. Raffensperger, which has sought for years - well prior to the 2020 election - to compel Georgia to use hand-marked paper ballots instead of electronic ballot-marking devices (BMDs).
Read both reports in full at the bottom of this article.
One report was prepared by MITRE, a corporation that runs a project called the National Election Security Lab. The report general finds the Dominion machines secure and was touted by Georgia Sec. of State Brad Raffensperger.
The other report was prepared by University of Michigan professor J. Alex Halderman, and alleges the machines have "critical vulnerabilities that can be exploited to subvert all of its security mechanisms, including: user authentication, data integrity protection, access control, privilege separation, audit logs, protective counters, hash validation, and external firmware validation."
The MITRE report was a response to Halderman's report, which said it demonstrated "multiple routes by which attackers can install malicious software on Georgia’s BMDs, either with temporary physical access or remotely from election management systems."
The MITRE researchers said they assessed the proposed attacks in Halderman's report, finding that all of six such attacks require "access and/or opportunity that remains unavailable in the operational environment."
The Halderman report laid out specific vulnerabilities and "proof-of-concept" attack scenarios that can be found on pages 4-6. The report outlines attacks that, it asserts, would include altering the QR codes on printed ballots without the knowledge of voters, using malicious hardware on printers, or remotely installing vote-stealing malware on BMDs.
Halderman concludes the BMDs are "not sufficiently secured against technical compromise to withstand vote-altering attacks" and "can be compromised to the same extent" as Georgia's old voting system (the original lawsuit was launched against the old system and pivoted to the new Dominion system when it was put into place in 2019).
Five of the attack scenarios were also deemed "non-scalable" by MITRE - essentially meaning that if they were achieved they would only affect "a statistically insignificant number of votes on a single device at a time."
The sixth was considered scalable but "infeasible due to access controls in place in operational election environments, access required to Dominion election software, and access required to Dominion election hardware."
The MITRE conclusion also asserts that risk-limiting audits - such as was performed through a hand-count process on Georgia's 2020 election results - would detect five of the attacks proposed by Halderman.
On Twitter, Halderman contended MITRE's "analysis is wrong, because it fails to account for how elections are operated in the real world."
"It is entirely predicated on a false assumption: MITRE says it 'assumes strict and effective controlled access to Dominion election hardware and software,'" Halderman wrote, further calling that "wishful thinking."
Gabriel Sterling, one of Georgia's top election officials, meanwhile wrote the MITRE report "completely debunks election deniers'... claims of voting machine hacks."
Halderman responded to that tweet also, pointing to the reported breach of Georgia's voting systems in Coffee County in 2021, and saying "y'all need to patch" - as in, apply updated software with newer security measures.
His report argues a patch "can be at least partially mitigated through changes to the... software, and I encourage Dominion and the State of Georgia to move as quickly as possible to remedy them," though he further contends "merely patching these specific problems is unlikely to make the (voting system) substantially more secure."
A statement by Raffensperger on Wednesday, meanwhile, says of Halderman's report: "The risks outlined in the researcher's report are theoretical and imaginary. Our security measures are real and mitigate all of them."
Sterling added in a statement: "It should be obvious that with three months of completely unlimited, completely unrestricted access to any system in a laboratory environment, smart people can create hypothetical situations showing theoretical manipulation of those systems. The procedural safeguards we have in place mitigate these hypothetical scenarios from happening. It’s extremely unlikely that any bad actor would be able to exploit our voting systems in the real world. The system is secure.”
Full Georgia voting machine security reports