Voting machine vendor says it installed remote software connections in a ‘small number’ of systems

Election Systems & Software has conceded that it installed remote-access software on systems, potentially leaving them vulnerable to hackers.

A top manufacturer of voting machines has conceded that it installed remote-access software for a “small number” of election management systems from 2000 to 2006, a practice that experts say leaves the equipment vulnerable to hackers.

The revelation could be a teachable moment as state and local election officials work to shore up their voting infrastructure security for the 2018 midterm elections.

In an April letter to Sen. Ron Wyden, D-Ore., obtained by CyberScoop, Election Systems and Software (ES&S) said it implemented the remote-access software on systems over a six-year period in order to facilitate customer support. Among other voting-related tasks, election management systems are used to program voting machines across a county.

The software in question, pcAnywhere, has proven to be vulnerable to hackers, who stole its source code in 2006.

The Nebraska-based vendor said it never set up a remote connection on voting devices like tabulators or ballot-marking devices. ES&S stopped installing the remote-access software to comply with a 2007 security-testing regime administered by the federal Election Assistance Commission (EAC), the letter said.

Vice’s Motherboard was first to report ES&S’s letter to Wyden.

“We have confirmed that the EMS workstations originally configured with the remote-connection software no longer have this application installed,” ES&S President Tom Burt wrote to Wyden.

The remote access software “was not designed to and did not come in contact with any voting machines,” ES&S said in a statement to CyberScoop. “To be clear, in accordance with EAC guidelines implemented in 2007, ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today.”

ES&S told CyberScoop it installed the remote access software for approximately 3 percent of the 9,000 voting jurisdictions in the country, or about 270 jurisdictions. These installations were carried out at the request of the customers, the company said. Asked what security measures it put in place to prevent a compromise via the software, ES&S said it employed “advanced security and forensic measures to ensure there was no compromise.”

While the remote access software creates an additional attack surface, pcAnywhere is “far more secure than the ‘security through obscurity’ hidden backdoors” that vendors in various industries have put in their equipment, Jake Williams, founder of cybersecurity firm Rendition InfoSec, told CyberScoop.

You can read the full letter below.

UPDATE, 3:06 pm EDT: This story has been updated with a statement from Election Systems and Software (ES&S). 

UPDATE, 07/20/18, 3:25 pm EDT: This story has been updated with a more detailed statement from ES&S. 

Full letter: http://www.documentcloud.org/documents/4608550-Elections-Systems-amp-Software-Letter-Received-4.html

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
