Election Computers Are at High Risk at Manufacturers

1.     "Vendors represent an enticing target" ~US Senate Intelligence Committee

2.     Vendors send updates for election computers every year. The updates can be hacked or have bugs, but if you don't do them, machines are even less secure. (Dominion examples)

3.     Candidate list is loaded for each election, so officials access every machine, and errors can creep in.

4.     Most states only check logic and accuracy with small samples, where hackers and bugs may lie low and avoid detection.

5.     Manufacturers have limited cybersecurity staffs and haven't noticed any intrusions: Dominion, ES&S, 5 Cedars, Unisyn

6.     Phishing and insecure emails (Candidates resist security too)

7.     Insecure passwords

8.     Zero-days which hackers sell to attackers

9.     Election virus

10.  Counterfeit software

11.  Backdoors, see pages 55-61 in Georgia case for paper ballots.

12.  Machines are also vulnerable to physical access if delivered to polling places the night before the election.

13.  Entry is also usually easy, even at secure storage sites.

14.  If bad software is installed in advance, any one ballot can tell the bad software what to do: For example a write-in for Alyx Brown can be an instruction to shift votes to or from a real candidate named Brown.

15.  Software from Scytl, a Spanish company which went bankrupt in May 2020, delivers ballots to US military and other citizens overseas for 1,400 counties (half). Scytl's software also transfers results between vote-tabulation computers and the internet in 7 states with 44,000,000 registered voters (a fifth). The only software Scytl has shown to the public, for a Swiss vote, was insecure, with a flaw which let insiders or hackers change all the votes. Two outsiders found the flaw, which had not been found by Scytl or the reviewers hired by Scytl and Switzerland.

16.  Types of computerized voting in each state

17.  Short video on security flaws

18.  Overview by Zetter in NY Times Magazine 9/26/2018

19.  2009 National Intelligence Estimate "flagged supply chain attacks as a threat to the integrity of electronic voting machines, since the machines are 'subject to many of the same vulnerabilities as other computers,' although it noted that, at the time in 2009, U.S. intelligence was not aware of any attempts 'to use cyber attacks to affect U.S. elections.' "