Last week, University of Michigan professor Dr. J Alex Halderman stood in front of a federal judge overseeing the seven-year-long Curling v Raffensperger case in Atlanta, Georgia and shocked the gallery. Halderman was able to successfully gain “super user” access to the Dominion ICX Ballot Marking Device (BMD) using nothing more than a BIC pen.
The Gateway Pundit broke the story after interviewing a local citizen journalist who witnessed the hack firsthand in the courtroom.
Transcripts show that the “pen hack” was just the tip of the iceberg.
Here is the transcript from the court hearing.
In June 2022, the Cybersecurity Infrastructure and Security Agency (CISA) published a report detailing nine critical vulnerabilities on the Dominion ICX BMDs, based on the then-sealed report prepared by Dr. Halderman. The 90-page report has since been unsealed.
For the layperson who doesn’t speak “geek,” the CISA report doesn’t articulate the seriousness of these vulnerabilities and, further, what they can accomplish once exploited. But perhaps most importantly, how easily they can be exploited, often automatically, even by minimally trained attackers.
The BIC Pen Attack
Initially, last week Dr. Halderman was able to use the BIC pen to press the power button on the back side of the Dominon ICX BMD for approximately 5 seconds, which rebooted the machine into “Safe Mode”. Dr. Halderman was able to do this without removing or breaking any of the safety seals that are installed on the machine to “prevent” tampering.
Once the Dominion ICX BMD was booted into “Safe Mode,” Dr. Halderman was able to launch the Android Launcher, which is a menu of different applications installed on the device. He noted that the Android 5.1 is severely outdated. Current Android’s run version 14. When asked if Android 5.1 is still supported by the manufacturer, Dr. Halderman answered, “it is not.”
Counsel then asked Dr. Halderman what he could do with this type of access, to which he responded. The transcript reads:
“Well, here we have the file manager. This is an application that will let me on-screen navigate through the files on the machine. You can use that to copy or delete files or to open them up in an on-screen text editor and edit or even change the contents of the file on the screen.
Here, we have the settings icon that allows you to change any of the operating systemwide settings or to remove or install software on the device.
So through the settings applications is one way that someone could directly install malware using this safe mode vulnerability.”
Dr. Halderman then discussed an application called the terminal emulator. He described it as “particularly powerful.” The terminal emulator allows you to run a command called SU, or “Super User”. This is used to bypass the operating systems security controls. Dr. Halderman said a computer would typically challenge you for a secret password to gain this type of Super User access. But utilizing this BIC pen hack, Dr. Halderman was able to simply gain that access through a simple prompt:
“Would I like to allow superuser access, allow or deny.”
Dr. Halderman described what he was able to accomplish with this type of access:
“Well, gosh, it — superuser access would allow me to — to read, to modify, or to change any of the data or software that is installed on the device.”
He was asked, “Are there any limits to what you could do to a ballot using this access?”
“To the ballot data on the machine? No,” he responded.
“Are there any limits to what you could do to the election software on the BMD with this access?”
“No.”
But this hack wasn’t discovered by Dr. Halderman. And it wasn’t discovered recently. In fact, this critical vulnerability was discovered by the US Elections Assistance Commission (EAC) on January 16, 2020, 11 months before the 2020 Presidential Election. According to Dr. Halderman, it was the first month that Georgia deployed the Dominion ICX BMDs.
Dr. Halderman previously received a Dominion ICX BMD for his initial testing and subsequent report in August of 2020, almost eight months after this vulnerability was discovered by the EAC. It wasn’t remedied then and it doesn’t seem to have been remedied to this day, a full four years later. The machine Dr. Halderman utilized in the courtroom for the demonstration was provided by Fulton County’s elections department in the configuration used currently in elections.
This was just one of many vulnerabilities that were demonstrated in Judge Amy Totenberg’s federal courtroom.
The Smart Card Hacks For Just $30
The Dominion ICX BMD has several variations of cards that are used to allow different functions. Among them, technicians have a specific card. Poll-workers have a specific card. And voters, after they check-in, are given a “one time use” card to vote.
Next, Dr. Halderman demonstrated a vulnerability using a counterfeit poll-worker card. For this ‘hack’, Dr. Halderman purchased some smart cards online for about $10 each. There are no restrictions from purchasing these cards online, as he noted. He then utilized a USB smart card reader for $20 on Amazon and was able to use that to create a counterfeit poll-worker card for the Dominion ICX BMD.
Dr. Halderman then created a voter card by utilizing his software and the same equipment mentioned above. This voter card differed from the ones issued at a polling location in that it can be used an infinite number of times and in any location countywide for the same election. Typically, a voter card issued to a voter by a poll worker is a one-time use card.
The third type of card that Dr. Halderman was able to make was more significant. This card is called a technician card and it can be utilized to install malware. Dr. Halderman testified:
“So a technician card is the third kind of Smart card for the ICX BMDs. A technician card is sort of like a master key. It unlocks a technician menu from which service workers at the county or Dominion personnel perform functions like loading the ballot designs before an election or performing software updates.”
He then inserted the technician card into the Dominion ICX BMD and bypassed the pin prompt that appeared. Then a prompt on-screen appeared and said that the menu is unavailable while the poll is open. His counterfeit technician card was able to bypass that safeguard as well.
With this access, Dr. Halderman was able to back out of the application that runs during the election and access the Android desktop. He then gained Super User access, once again, but this time with a simple Smart card he created using items purchased online for about $30 and “without access to any secret information.” This would be undetectable as inserting a card into the Dominion ICX BMD is a required function by the voter when they use the machine.
Counsel then asked him:
“Can automated commands be used to cause the machine to print ballots that do not reflect the voter’s intentions?”
“Yes, they can.”
“Did you need any nonpublic information to make the technician card?”
“Remarkably, no,” he responded.
It gets worse. Much worse.
Part 2 of this series to follow.
During the testimony of Dr. Halderman, attorney David Oles was not permitted to ask any questions of Dr. Halderman. Oles represents co-plaintiff Ricardo Davis of VoterGA.org. Yesterday, The Gateway Pundit reported that Oles was able to get proffers submitted to the court regarding Dr. Halderman and Dr. Philip Stark’s testimonies.
The trial this explosive testimony and live demonstration originated from is currently underway in the Northern District of Georgia in Judge Amy Totenberg’s court.