Re: My new article - Georgia hasn't, and can't, certify crucial vote software update
The below quote contains links to the specific vulnerability documentation.
In 2021, computer scientist and election security expert J. Alex Halderman delivered a sworn report about 5.5-A vulns to the federal court in the case _Curling v. Raffensperger_. The federal judge unsealed the report last month. Halderman's own summary of it last month can be found here: https://freedom-to-tinker.com/2023/06/14/security-analysis-of-the-dominion-i... His full unsealed report can be found here: https://storage.courtlistener.com/recap/gov.uscourts.gand.240678/gov.uscourt...
In 2022, Homeland Security's CISA component had access to the then-sealed Halderman Report, confirmed the 5.5-A vulns, and issued its own advisory here: https://www.cisa.gov/news-events/ics-advisories/icsa-22-154-01
Notable excerpt from PDF:
8.3 Accessing a Root Shell via the Built-In Terminal App
Issue: The ICX has a built-in Terminal Emulator app that is configured so that the user can easily obtain a command-line shell with supervisory privileges.
After escaping kiosk mode, an attacker can easily launch any app installed on the ICX. The machine contains 20 pre-installed apps, most of which appear unnecessary for its use as a BMD. Most notably, there is a Terminal Emulator that provides access to a Linux shell, a powerful text-based user interface.
Moreover, the ICX is configured such that the Terminal Emulator user can easily obtain supervisory (“root”) access privileges by simply selecting “Allow” at an on-screen prompt, shown in Figure 11. With root privileges, terminal commands can completely bypass the Android operating system’s access control restrictions and make arbitrary changes to the device’s data and software.
The Terminal Emulator made analysis of the device much more efficient, since I was able to easily access, control, and modify any part of the data or software. It also makes it easy for an attacker to install programs or run automated commands for malicious purposes.
Undescribed Horrific Abuse, One Victim & Survivor of Many
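The excerpt above describes a root path that a post-deployment configuration audit should catch: a user-launchable terminal emulator on the device, a superuser manager that grants root on an on-screen "Allow" prompt, and a setuid `su` binary on disk. The Python below is an added example (it is not code from the report, the article, or the voting-system vendor) that runs that audit over device inventory output. The `adb shell pm list packages -f` and `ls -l` lines, the package names, the `su` paths and the allowlist are constructed assumptions for illustration; on a real engagement you would capture the output from the device under test and supply the allowlist from its certified configuration.

```python
"""Audit an Android device inventory for the root path described in
section 8.3: a terminal emulator, a superuser manager, and a `su` binary.

All inputs below are constructed sample data, not output from a real BMD.
"""
import re
from dataclasses import dataclass, field

# Assumed package names of common terminal emulators and superuser managers.
TERMINAL_PACKAGES = {"jackpal.androidterm", "com.termux"}
SUPERUSER_PACKAGES = {"eu.chainfire.supersu", "com.noshufou.android.su",
                      "com.topjohnwu.magisk"}

# Assumed locations of a `su` binary on a rooted image.
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/vendor/bin/su"}

# `pm list packages -f` prints one line per package: package:<apk>=<name>
PM_LINE = re.compile(r"^package:(?P<apk>\S+)=(?P<pkg>[\w.]+)$")


@dataclass
class Finding:
    severity: str   # "medium", "high" or "critical"
    title: str
    detail: str


@dataclass
class AuditResult:
    installed: dict                     # package name -> apk path
    findings: list = field(default_factory=list)


def parse_pm_list(text):
    """Parse `pm list packages -f` output into {package: apk_path}."""
    installed = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("apk")
    return installed


def parse_ls_output(text):
    """Return {path: permission_string} for files `ls -l` reported as present.
    Lines such as 'ls: /sbin/su: No such file or directory' are skipped."""
    present = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "No such file" in line:
            continue
        fields = line.split()
        present[fields[-1]] = fields[0]   # path is the last field, mode the first
    return present


def audit(pm_output, ls_output, allowlist):
    """Flag terminal emulators, superuser managers, packages outside the
    certified allowlist, and any `su` binary (noting the setuid bit)."""
    result = AuditResult(installed=parse_pm_list(pm_output))
    for pkg in sorted(result.installed):
        if pkg in TERMINAL_PACKAGES:
            result.findings.append(Finding("high", "terminal emulator installed", pkg))
        elif pkg in SUPERUSER_PACKAGES:
            result.findings.append(Finding("critical", "superuser manager installed", pkg))
        elif pkg not in allowlist:
            result.findings.append(Finding("medium", "package outside allowlist", pkg))
    for path, mode in parse_ls_output(ls_output).items():
        if path in SU_PATHS:
            setuid = len(mode) >= 4 and mode[3] == "s"   # e.g. -rwsr-sr-x
            result.findings.append(Finding(
                "critical", "su binary present",
                f"{path} {mode}" + (" [setuid]" if setuid else "")))
    return result


def verdict(result):
    """PASS only if no high or critical finding was raised."""
    return "FAIL" if any(f.severity in ("high", "critical")
                         for f in result.findings) else "PASS"


# Constructed sample output (assumed; not captured from a real device).
SAMPLE_PM = """package:/system/app/Terminal/Terminal.apk=jackpal.androidterm
package:/system/app/SuperSU/SuperSU.apk=eu.chainfire.supersu
package:/system/priv-app/BallotMarker/BallotMarker.apk=com.example.bmd
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
"""
SAMPLE_LS = """-rwsr-sr-x root root 75364 2019-01-01 00:00 /system/xbin/su
ls: /system/bin/su: No such file or directory
ls: /sbin/su: No such file or directory
"""
ALLOWLIST = {"com.example.bmd"}   # assumed certified package set

if __name__ == "__main__":
    res = audit(SAMPLE_PM, SAMPLE_LS, ALLOWLIST)
    for f in res.findings:
        print(f"[{f.severity}] {f.title}: {f.detail}")
    print(verdict(res))
```

On the sample data the audit raises four findings (the terminal emulator, the superuser manager, the calculator outside the allowlist, and the setuid `su` binary) and returns FAIL; a device whose package list contains only the allowlisted BMD application and whose `ls -l` probes all report "No such file" returns PASS.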