sha512 1 point ago +1 / -0

See the section of the article under "The technical security concerns":

Many cybersecurity experts and election integrity activists generally dislike the type of voting system that Los Angeles County has chosen because the machines — not the voter — actually mark the ballot. That could allow software bugs or a hacker to mark the ballot differently than what the voter intends. A recent study of a mock election using these kinds of devices found that only about 40 percent of voters double-checked their machine-marked ballots, and the voters missed more than 93 percent of the errors the machines introduced.

Furthermore, many ballot-marking devices embed the voter’s selections in either a barcode or QR code that’s printed on the ballot. In Los Angeles County, the QR code is what the county’s tallying system will read to calculate the results, not the human-readable portion the voter can verify.

Some types of ballot-marking devices, including the one used in Los Angeles County, introduce yet another risk: When the voter inserts the ballot back into the device to send it to the attached ballot box, the ballot passes again under the machine’s printer head. If the system is hacked, the printer could alter the voter’s choices or make the ballot unreadable — with no further chance for the voter to review it, Princeton University computer science professor Andrew Appel told POLITICO in an email.

Stark said the county could have avoided this risk by having voters deposit their ballots into a standalone ballot box, “but the secretary of state decided not to address that.”

The county says such a hack wouldn’t be possible because the printer head is raised when the ballot comes back through the machine. But a hacker could cause the machine to re-lower the printer head, Appel said.

In addition to those inherent issues, California’s own experts found security problems with the VSAP that could allow someone to compromise the system and potentially subvert an election. That could occur if an attacker gains physical access to a back-end system, known as the ballot marking device manager, that is used to program the voting machines before an election or to the tallying workstations that produce results.

The latter workstations and other back-end systems have a USB port that could allow someone to boot the machines with a USB stick in a manner that would bypass their password protection and security software, according to the state’s security analysis. Once on these and other systems, the testers found there was little internal security as well.

The systems' hard drives were unencrypted, according to the security report, which could allow an intruder to view and alter configuration and data files. Cryptographic keys also were unencrypted, according to the report. The report wasn’t specific about how all of these keys are used other than to say they “protect the integrity of elections.”

According to the state’s voting system standards, voting machines are supposed to have safeguards that limit both physical access to the systems and digital access to critical parts of their software and files. But the testers found a number of expected safeguards missing in the VSAP machines, including a failure to carefully control the “root password” that provides the highest level of access and privileges on the machines.

The report also noted that Smartmatic and the county had not shown that the system’s encryption algorithms meet a specific government-set standard that the state requires. Smartmatic told POLITICO that the algorithms meet the standard, but that the company simply has yet to show they do so on the exact version of the operating system that is used on the county’s machines. It plans to do this after the primary. The state has given the county until the end of June to do this and address other changes it requested.

To meet the state’s conditional certification for use in Tuesday’s primary, the county put physical locks on the USB ports on county workstations to prevent someone from inserting a rogue USB stick into them. The county plans to reconfigure the systems after the primary to disable the USB ports or otherwise prevent anyone from booting from them. The county also said it replaced cryptographic keys that allow access to critical parts of the system with new keys that it planned to share only with select elections staff — but not Smartmatic employees — and also fixed the root password issue.
