Fact-check: CISA Dominion ImageCast Vulnerabilities

How does this fit with the "most secure election in history"?

Claim: CISA’s recent advisory showing Dominion ImageCast vulnerabilities means they aren’t secure.

Rebuttal: This is just the normal vulnerability disclosure process and doesn’t mean there was any problem in the 2020 election.

Verdict: misunderstood

In June of 2022, CISA released an advisory pointing out nine vulnerabilities in Dominion’s ImageCast X product that hackers can potentially exploit. How does this fit with their claims that the 2020 election was the most secure in history?

The truth is that this is just the tip of the iceberg, that Dominion has a lot more vulnerabilities than just those. A ton more. I’ve looked at Dominion systems, and can confirm they have a lot of problems they need to be fixed.

But this is just the normal vulnerability disclosure process. It doesn’t mean hackers can easily hack the system, or that systems have been hacked. It’s like when you ignore safety recall notices on your car — it doesn’t mean you are immediately going to crash.

Every month you have to apply patches for your Windows desktop computer, your iPhone or Android, and for your web browser. This is to fix vulnerabilities that hackers can potentially exploit. But only in specific circumstance — you are rarely in much danger is you wait a few months. Companies that disclose vulnerabilities are the trustworthy ones, and they all have vulnerabilities. It’s companies that hide vulnerabilities that you have to worry about.

This discussion might mislead somebody into thinking that these vulnerabilities weren’t important — some were. My favorite is probably the one labeled CWE-24 (“path traversal”) — the sort of bug I’ve exploited a lot on non-election computers in my hacking career.

But all of these bugs would require malicious election workers. The systems are airgapped, meaning they aren’t connected to the Internet. (If they were connected to the Internet, then they’d have a lot more problems).

This means humans are the weakest link. We saw how this can impact security when Tina Peters, the election clerk for Mesa County in Colorado, illegally published an image of a Dominion EMS system on the Internet.

Even if computers were perfect, malicious election workers can still impact elections. That doesn’t mean we can ignore computer security, but it does mean that we need to keep improving them to make such malicious actions more difficult and more detectable. It only means that fears of vulnerabilities in airgapped systems are misplaced.