The DEF CON report said hackers opened the ballot scanner’s “security screws” by buying a bit set for less than $28 at an electronics store. Then they were able to switch the machine’s memory card with one they had brought, allowing them to run their own operating system on the machine.

A latch on the side of the Dominion ImageCast Precinct optical scanning machine and ballot box can be opened to access a memory card. Photo credit: DEF CON Voting Machine Hacking Village 2019 report

“If you would have a real nation-state actor, a real criminal, the next step would be to take that exploit and weaponize it,” said Harri Hursti, a co-founder of the DEF CON Voting Village. “Once you know where the weakness is, now you can start to think about mitigation strategies.”

For this vulnerability to be exploited in an election, someone would have to physically gain access to the optical scanner without being caught. But Hursti said that could happen anytime before an election if officials aren’t careful about their security practices.

Raffensperger said the DEF CON report is “partisan, misinformed and intellectually dishonest.”

“While the DEF CON staff were offered an opportunity to test the updated Dominion systems in a real-world setting, they unfortunately refused and continued to inspect a dressed-down, defunct system in controlled conditions that do not resemble the established protocols set forth by our Georgia elections professionals,” Raffensperger said in a statement. “As our office continues to strive toward safe, fair and accurate elections, this type of activist propaganda represents the dangerous agenda of liberals to incite fear into Georgia voters.”

The report also said that locks on ballot boxes could be picked, allowing paper ballots to be stolen.

In addition, the scanning machine that was tested ran a version of software that has 20 known medium- to high-level vulnerabilities, according to the report. Raffensperger’s statement didn’t address whether Georgia’s voting system will use the same software.

Jeremy Epstein, an election security expert with the Association for Computing Machinery, said the DEF CON report highlights the need for strong audits of paper ballots, as well as physical security of voting equipment. Georgia election officials are currently developing audit procedures.

Because any computerized system could potentially be hacked, poll workers need to be well-trained to reduce the possibility of interference in elections, he said.

“Election officials should be setting a higher bar than we historically have for our voting machines,” Epstein said. “The good thing about the paper ballots, unlike the touchscreen machines historically used in Georgia, is in the worst case the paper ballots are in a box” that can be used to check the accuracy of results.