“The worst decision for security short of leaving ballot boxes on a Moscow street corner.”
Courtesy of Motherboard:
The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.
In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them.
The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said.
The presence of such software makes a system more vulnerable to attack from hackers, especially if the remote-access software itself contains security vulnerabilities. If an attacker can gain remote access to an election-management system through the modem and take control of it using the pcAnywhere software installed on it, he can introduce malicious code that gets passed to voting machines to disrupt an election or alter results.
Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”
As it turns out, the source code for this remote-access software was stolen in 2006, and the public was only told about it in 2012.
Many machines are still using the software, though they are supposed to be updated with patches that prevent hackers from accessing them.
Even if ES&S and its customers configured their remote connections to ES&S in a secure manner, the recent US indictments against Russian state hackers who tried to interfere in the 2016 presidential elections show that they targeted companies in the US that make software for the administration of elections. An attacker would only have had to hack ES&S and then use its network to slip into a county’s election-management system when the two systems made a remote connection.
Well, that’s just fucking great.