Top Voting Machine Vendor Forced To Admit Its Machines Are Easily Hacked


Election Systems and Software installed remote access software on its election-management systems for years.

The top maker of voting machines in the U.S. admitted earlier this year to having installed remote-access software on election-management systems during a six-year time period, leaving those systems vulnerable to cyberattacks, according to Motherboard.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

What are election-management systems?

Election-management systems are not the voting terminals that voters use to cast their ballots, but are just as critical: they sit in county election offices and contain software that in some counties is used to program all the voting machines used in the county; the systems also tabulate final results aggregated from voting machines.

Software like pcAnywhere is used by system administrators to access and control systems from a remote location to conduct maintenance or upgrade or alter software. But election-management systems and voting machines are supposed to be air-gapped for security reasons—that is, disconnected from the internet and from any other systems that are connected to the internet. ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.

ES&S said the modems used on machines loaded with pcAnywhere could only dial out and not receive calls, meaning elections officials had to initiate connection with the company.

But when asked several follow-up questions by Wyden — such as “what settings were used to secure the communications, whether the system used hard-coded or default passwords and whether ES&S or anyone else had conducted a security audit around the use of pcAnywhere to ensure that the communication was done in a secure manner” — the company offered no response.

Potentially exacerbating the situation, during the time ES&S used pcAnywhere, the software’s source code was stolen, opening the door for hackers to exploit potential vulnerabilities.

In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.

Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.

Motherboard notes it is unclear how many elections officials making use of election-management systems with the software installed were aware of the vulnerability or implemented the patches.

ES&S is likely in good company: other makers of election-management systems used remote access as well.

Motherboard contacted two of the top vendors—Hart InterCivic and Dominion—to verify this, but neither responded. However, Douglas Jones, professor of computer science at the University of Iowa and a longtime expert on voting machines, confirmed that other companies did routinely install remote-access software during this period.

“Certainly, [Diebold Election Systems] did the same, and I'd assume the others did too,” he told Motherboard. “In the case of [Diebold], many of their contracts with customers included the requirement of a remote-login port allowing [the company] to have remote access to the customer system in order to allow customer support.”

Despite the controversy surrounding Russian election meddling in 2016, Sen. Wyden is still awaiting a response from ES&S.

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

“ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cyber security questions, you have to ask what it is hiding.”
