Established Fact
Prof. J. Alex Halderman (Univ. of Michigan), serving as plaintiff’s expert in Curling v. Raffensperger, documented through hands-on forensic testing of the EAC-certified ICX BMD system that: (1) attackers can alter ballot QR codes (the operative data the tabulation system counts, not the human-readable text); (2) malicious software can be installed remotely from the EMS; and (3) audit log entries can be subverted. The Curling court found these opinions credible and issued injunctive relief. CISA was notified of these findings on September 2, 2021, but suppressed public disclosure for approximately 22 months – finally acknowledging nine specific vulnerabilities in a June 2022 advisory – while Georgia conducted additional elections on the same platform. The EAC’s certification of this system did not detect, and its program did not address any of these vulnerabilities.
Citations
Security Analysis of Georgia’s ImageCast X Ballot Marking Devices: https://voterga.org/wp-content/uploads/2023/06/Halderman-Security-Analysis-Dominion-ICX-BMD-.pdf | VoterGA
Security Analysis of the Dominion ImageCast X: https://blog.citp.princeton.edu/2023/06/14/security-analysis-of-the-dominion-imagecast-x/ | CITP Princeton
Halderman Declaration: https://www.coloradosos.gov/pubs/rule_making/written_comments/2022/20220524AliLaing.pdf | Colorado SOS