J. Alex Halderman
@jhalderm
Bredt Family Professor of Computer Science and Engineering, @UMich: Security and privacy, election security, and Internet freedom. Co-founded @LetsEncrypt
Ann Arbor, MI
Joined December 2009
Posts
  • Pinned
    Today, the Federal District Court for the Northern District of Georgia unsealed a 96-page report that I wrote w/ Prof. @_aaspring_ from @AuburnU. It describes serious vulnerabilities we found in Georgia's Dominion ImageCast X ballot marking devices. storage.courtlistener.com/recap/gov.usco…
  • I teamed up with @nytimes to demonstrate how U.S. voting machines can be remotely hacked to steal votes. Yes, this is a real machine still used in almost 20 states! States and Congress need to act on #ElectionSecurity before it's too late. nyti.ms/2Elr2Kz via @nytvideo.
  • This is why we need voter-verified paper ballots and manual post-election audits of the paper. That's the only practical, low-cost defense that can detect and correct attacks like we showed.
    Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don't need physical access--we showed how malicious code can spread from the election office when officials program the ballot design.
  • Replying to @jhalderm
    Astonishingly, Georgia Secretary of State Brad Raffensperger, who has been aware of our findings for two years, just announced that the state will not get around to installing Dominion’s security patches until after the 2024 Presidential election. 🤦 sos.ga.gov/news/georgia-s…
  • 1/ There's been lots of speculation about why Antrim County, MI initially reported incorrect results on Wed. The results have since been corrected, but people are naturally wondering what happened. Here's the likely technical explanation and my assessment.
  • Replying to @jhalderm
    Our findings are a reminder that elections face ongoing risks that call for vigilance from policymakers, technologists, and the public. Officials like Raffensperger should uphold voter confidence by improving security, not denying or ignoring real problems. Voters deserve better.
  • Replying to @jhalderm
    That's worse than doing nothing. By broadcasting that Georgia is not going to patch, Raffensperger has given would-be adversaries a whole 18 months to develop and execute attacks that exploit the known-vulnerable machines.
  • Replying to @jhalderm
    I encourage you to read the whole report, and I've also written a blog post that provides important context for understanding the findings and their implications for election security and public policy: freedom-to-tinker.com/2023/06/14/sec…
  • Replying to @jhalderm
    That was wishful thinking when it was written, and it's ridiculous today, because we've learned that Georgia's Dominion software *has already been stolen and distributed* by unauthorized parties, who had repeated access to the voting equipment.
  • Replying to @jhalderm
    Despite our responsible disclosure efforts, the flaws remain unpatched in GA. Among the most critical issues is an arbitrary-code-execution vulnerability that can spread malware from a county's central election management system to all BMDs in the jurisdiction—and run it as root.
  • Replying to @jhalderm
    This makes it possible to attack BMDs at scale, over a wide area, without needing physical access to them. Our report explains how attackers could exploit the flaws to change votes or affect election outcomes, e.g., by changing ballot QR codes, which are what scanners count.
  • Replying to @jhalderm
    Update: 20+ leading experts in cybersecurity and elections just wrote to @MITREcorp CEO Jason Providakes urging him to retract MITRE's dangerously mistaken report. dropbox.com/s/kujr9uqchwcf… Signers include @ronrivest @schneierblog @matthew_d_green @ejsebes @robertgraham @philipbstark
  • The court's ruling recognizes that Georgia's voting machines are so insecure, they're unconstitutional. That's a huge win for election security that will reverberate across other states that have equally vulnerable systems.
    A big win for voting integrity advocates: Federal judge orders Georgia to scrap unreliable, hack-prone voting machines after 2019 apnews.com/abd2949881514e…