WHISTLEBLOWER: NEW MEXICO ELECTION SYSTEM ENCRYPTION KEYS WIDE OPEN TO HACKERS

September 21, 2024

l

Danny Snyder

AaBb

Recently the DeKalb County Republican Party sued Georgia’s Secretary of State for his failure to provide a secure election system. The serious security breach cited in the lawsuit exists in New Mexico’s election system as well according to whistleblower information provided exclusively to the Estancia News.

The lawsuit states:

“The Dominion system mandated by the State uses master cryptographic encryption keys to secure…election systems. The purpose of using encryption in election systems is to prevent unauthorized access to those systems and to prevent malicious alteration of election results. These encryption keys must be kept secret from unauthorized access to comply with express requirements mandated by…law, the [Election Assistance Commission] and the terms of the…Contract. The Dominion system…not only stores the encryption keys on its election systems in a non-compliant unprotected state, it leaves them in plain text within the election database on county systems. In this condition anyone with access to the voting system or the transmission of elections results can alter election results without likely detection.”

In plain language, Dominion promises their clients that they will follow certain security protocols to comply with state and federal law to protect the election system. This protocol is defined by the Federal Information Processing Standards (FIPS) and mandates encryption of certain files and practices for how the cryptographic keys are stored and protected.

But Dominion has woefully failed to follow even the most basic security practices. Shockingly, Dominion stores the encryption keys in plain text within the same database that they are supposed to be protecting. This means that anyone with access to any part of the election system can get the encryption keys, decrypt the data, alter it, re-encrypt it and there would be no record of the change in the system.

New Mexico uses the same election system as Georgia, and it is confirmed that the encryption keys are stored in plain text on the election databases on New Mexico county election computers.

Below is a redacted screenshot from the 2020 election database obtained from Lea County Clerk, Keith Manes, as part of a public documents request:

Encryption Keys to New Mexico Elections Stored in Plain Text on Dominion Database

The encryption keys are redacted in the screenshot for publication but were used by a cyber security expert working with our whistleblower to easily decrypt the election database for New Mexico’s election system:

Passwords for New Mexico’s Election System Decrypted using Keys Stored in Plain Text

Shockingly, the passwords for supervisors and technicians were all the same and so basic that virtually any novice could guess what it is. The super administrator password, which allows full access to the entire election system, was essentially the same, with only two additional digits to guess.

Based on conversations with two New Mexico county clerks, we have good reason to believe that the same insecure passwords are used in every county and on every election machine throughout the state of New Mexico.

No doubt our dismissive Secretary of State Maggie Toulouse Oliver will argue that the fact that their election system is wide open to manipulation is not a big deal because they claim the election system is never connected to the internet so bad actors can’t get access to the database.

There are several reasons she would be wrong: First, the central county election computers all come with enhanced remote accessibility features that have no business being in a computer that is never supposed to connect to the internet. Why are those features there if they are never connected?

Further, Maggie Toulouse Oliver has testified before the U.S. Senate that she has provided access to all election jurisdictions in the state to a private organization called the Center for Internet Security (CIS). She has done this by installing internet-connected devices called “Albert Sensors” behind county firewalls that give CIS full access to everything on the county networks. If CIS has remote access to every county’s election system, it necessarily means that the election system is online and accessible to bad actors.

Lastly, New Mexico’s official election results aren’t even processed on the supposedly “offline” Dominion election system. Rather they are illegally transferred over to an uncertified, cloud-based, internet connected software called SERVIS. This transfer is done using USB devices provided by third parties, leaving open multiple other opportunities for both Dominion and SERVIS software to be hacked and manipulated.

New Mexico State Statute Section 1-9-7.4(B) states:

“a voting system that does not comply with all requirements in the Election Code and the most recent voluntary voting system guidelines adopted and implemented by the United States Election Assistance Commission shall be decertified for use in this state.”

The Estancia News has reached out to Maggie Toulouse Oliver’s office to put her on notice of this gross violation of the law, meaning she now has a duty to investigate and decertify the system.

The Estancia News also reached out to Lea County Clerk Keith Manes, and Attorney General Raul Torrez for comment on this massive security breach. We have yet to hear back from any of these public servants.

Below are excerpts from the Georgia lawsuit over this security breach, the facts of which apply directly to New Mexico:

Written by Danny Snyder