The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory on vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X.
The vulnerabilities were reported to CISA by J. Alex Halderman, University of Michigan, and Drew Springall, Auburn University.
Dominion Voting Systems Democracy Suite ImageCast X is an in-person voting system used to allow voters to mark their ballot.
CISA summarized the Dominion vulnerabilities in an advisory ICSA-22-154-01 published on June 3, 2022:
The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections.
Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems. Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities.CISA
According to the CISA report, the following versions are affected:
- ImageCast X firmware based on Android 5.1, as used in Dominion Democracy Suite Voting System Version 5.5-A.
- ImageCast X application Versions 220.127.116.11 and 18.104.22.168, as used in Dominion Democracy Suite Voting System Version 5.5-A.
Moreover, the upgrade from ImageCast X versions 22.214.171.124 and 126.96.36.199 may have left “ImageCast X in a configuration that could allow an attacker who can attach an external input device to escalate privileges and/or install malicious code,” CISA stated in the advisory.
Readers can check out the advisory for more details on the vulnerabilities and recommended mitigations.