Don’t leave your car key in the glove compartment. And don’t key all the vehicles in your fleet with the same key, and leave that key in every glove compartment.
For over a decade, from 2004 to 2018, Georgia was using voting machines so insecure it was like having a fleet of vehicles that didn’t even use keys — anyone could just get in and drive off, or rather, it was easy to propagate a vote-stealing virus that would count votes for whatever candidate the hacker wanted. In 2019 the Georgia legislature finally replaced those machines with something that seemed a bit more modern and at least had some kind of paper trail: the Dominion ICX touchscreen ballot-marking device, along with Dominion ICP optical scanners and the Dominion election-management software used in each county’s election office.
Back in 2021, in Federal Court for the Northern District of Georgia, an expert witness presented a devastating report on the insecurity of this new system. Georgia’s Secretary of State was made aware of the problem in 2021 but chose to do nothing — not even apply Dominion’s security patches. The report was finally released to the public in 2023. But the focus of that report was mostly on the touchscreen device.
More recently, a new analysis shows the remarkable insecurity of Dominion’s entire system, including the election-management software, the ballot databases, the pollworker cards, the scanners, and the touchscreens. Phillip Davis, Marilyn Marks, and Professor Drew Springall presented “Dominion Touchscreen: Simple Hacks and Daunting Recoveries” at the DEFCON Voting Village 2025. (Slide deck; video) DEFCON is a long-established cybersecurity+hacking convention, and the “Voting Village” focuses on election cybersecurity.
It’s a long slide deck, but what caught my attention was on page 34: for encryption and authentication, Dominion uses (only) a symmetric-key cryptosystem, and the key is the same for every voting machine in the county, and (on page 69) it’s easy to extract the key from every pollworker card. That kind of cryptography has been obsolete since the 1970s (scientifically) and since the 1990s (in internet commerce).
Let me explain. From the time of Julius Caesar until the 1970s, if you used a secret key to encrypt a message, the same key would be used to decrypt it. The scientific innovation circa 1970 was public key cryptography, in which different keys are used for encryption and decryption. That scientific advance was applied to the internet in 1996: If you’ve made a purchase on the Internet any time since 1999, the transmission of your credit-card number has been secured by the Secure Sockets Layer (now named Transport-Layer Security).
When used for authentication, public-key cryptography allows the signing key to be different from the checking key. If you want to sign documents, you create a key-pair, you publish the checking key, and you keep the signing key secret. This method has been standard on the internet for over 25 years, and it’s widely understood by engineers.
But apparently not at Dominion. In the system that Dominion sold to Georgia in 2019, authentication of election definitions is done by the old-fashioned, decades-obsolete, insecure single-key method. Copies of that key appear on every election database (including files posted online from five Georgia counties, see slides 3 and 32 of the Davis presentation). Copies of that key are in the pollworker access cards given to thousands of pollworkers (see slide 69 and also Section 6 of Halderman’s report). Copies of that key were in the election database files taken in the 2020 Coffee County election equipment breach. The FBI raid of Fulton County’s election office may have taken those keys too. So now every Tom, Dick, Harry, and Kash has the authentication keys for Georgia election definition files.
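To make the difference concrete, here is an added example (not code from Dominion, the Davis presentation, or Halderman’s report) that authenticates the same definition file both ways. HMAC-SHA256 and Ed25519 are stand-ins chosen for the illustration, since the post does not say which algorithms the system uses; the key string and the definition bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample data; not a real election-definition format.
var original = []byte(`{"contest":"Mayor","vote_for":2,"candidates":["A","B","C"]}`)
var altered = []byte(`{"contest":"Mayor","vote_for":1,"candidates":["A","B","C"]}`)

// macTag authenticates a definition with a shared secret (single-key method).
func macTag(key, def []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(def)
	return m.Sum(nil)
}

// macAccepts is the device-side check; it needs the same key that made the tag.
func macAccepts(key, def, tag []byte) bool {
	return hmac.Equal(macTag(key, def), tag)
}

// SharedKeyAcceptsAltered: what each device or card stores is the tagging key
// itself, so one stored copy is enough to produce a tag the whole fleet accepts.
func SharedKeyAcceptsAltered() bool {
	countyKey := []byte("constructed-county-wide-key") // assumption: sample key
	deviceCopy := countyKey                            // identical on every device and card
	return macAccepts(countyKey, altered, macTag(deviceCopy, altered))
}

// KeyPairAccepts: devices store only the checking (public) key. The signing key
// never leaves the election office, so nothing stored on a device can sign.
func KeyPairAccepts() (origOK, alteredOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, original) // signed once, centrally
	return ed25519.Verify(pub, original, sig), ed25519.Verify(pub, altered, sig)
}

func main() {
	fmt.Println("shared key: altered definition accepted =", SharedKeyAcceptsAltered())
	o, a := KeyPairAccepts()
	fmt.Println("key pair: original accepted =", o, ", altered accepted =", a)
}
```

The single-key method still detects tampering by anyone who lacks the key; what fails is that the key has to be copied to every place that checks a file.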
But what could a bad guy do with these keys? How do you rig an election? In some of my other work I’ve discussed deep hacks that alter the vote-counting software, but Davis et al. focus on much simpler attacks that are easy to accomplish without a lot of technical sophistication. Just modify the election-definition file given to the Dominion ICX touchscreen, and you can choose any of the following tricks:
- [page 56] Switching the order of two candidates will record the vote for the opposite candidate (the printed ballot card will appear correct to the voter, but the QR code will count for the wrong candidate)
- [page 52] Changing the text of a referendum question can completely alter its meaning to the voter.
- [page 49] Changing a vote-for-2 contest to a vote-for-1 will force the voter into an undervote.
- [page 48] Altering the name of a candidate’s party could discourage many voters from choosing that candidate.
These hacks are scalable: any pollworker card gives the keys for all the voting machines in the county. The machines can be hacked either individually, with physical presence, or all at once, with access to the county election management system: just change the election definition files there to hack every touchscreen in the county.
Are these hacks correctable?
#1 could be corrected by a hand recount of the text on the ballot cards, but can’t be corrected by running all the cards through the optical scanners again. That’s one reason recounts should be by human inspection of the ballots.
#2 can’t be corrected by a recount, if the text on the ballot card doesn’t have the same long-form text as on the touchscreen.
#3 can’t be corrected, because the ballot card won’t give an indication that the touchscreen prevented the voter from choosing more than one.
#4 can’t be corrected if the ballot card lists the correct party — and the voter won’t see that if the party-alteration caused them not to choose that candidate at all.
Because many of these hacks are not correctable after the election, what’s the best defense against them?
All these hacks are manipulations of the Ballot-Marking Devices, the Dominion ICX touchscreens that print out paper ballot cards for the voters. To avoid all such manipulations, voters should mark their ballots by hand: fill in the ovals on an optical-scan ballot. Every Georgia county already owns optical scanners that can count hand-marked ballots: (1) the high-speed optical scanners that count their mail-in ballots, and (2) the polling-place scanners that currently count their BMD-marked ballots can also count hand-marked bubble ballots.
Between now and November 2026, although there isn’t time to replace the entire insecure Dominion election system, there is certainly time to use that same system with hand-marked paper ballots. Mail-in ballots are hand-marked. And polling-place ballots in most states are hand-marked. It’s not that hard!
Dominion has a new owner who has renamed the company to Liberty Vote. I hope that future voting systems engineered by Liberty Vote will use more modern methods of securing election definition files. Some other voting-system companies are way ahead of them; see for example my report on the Hart Verity Vanguard system.

