Well, assume they have SSL/TLS redirect in place where they can actually “open” the packet to read the data therein. They have the information to create a byte-by-byte reconstruction of any instructions passed back and forth.
Yes, while the actual digestion and execution of that data is at the program layer (beyond layer 4), there’s still a lot of information to parse in those packets.
For instance, if they have the source and destination information, I’d like to know it. If IPs in China or Germany or Russia were passing instructions to voting machines in the US, that’s enough of a red flag to invalidate everything the machine touched, IMO, even if they don’t have the SSL/TLS packet information, and the source and destination are not protected by encryption. That information is present in layer 3.
Voting machines should have ZERO access to the Internet. If there’s ever been a case for airgapping, this is it. You want to make a USB port accessible for firmware updates? Fine, but that port should be locked down to only allow data reads. No data FROM the device should be writable to that attached device. I’ve done enough audits in my career to tell you that regardless of industry, USB lockdown is standard.
Voting machines need to be ditched. Period.