In a note to a federal lawmaker, one of the country’s biggest voting machine makers admitted to a potential major security hole in its devices. The company installed remote connection software on election-management systems for several years in the early 2000s.
Election Systems and Software said that it “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” according to Motherboard. The company previously denied doing so when contacted by reporter Kim Zetter and New York Times fact checkers for an investigation published in February.
pcAnywhere allows remote system administrators to maintain and upgrade machines. However, such software poses a security risk: It means these devices are connected to the internet, which leaves them vulnerable to hacking by third parties, like any IoT-connected device. (The Election Integrity Act of 2016 further banned voting machines from connecting to the internet.)
“If an attacker can gain remote access to an election-management system through the modem and take control of it using the pcAnywhere software installed on it, he can introduce malicious code that gets passed to voting machines to disrupt an election or alter results,” Zetter writes for Motherboard.
Election Systems and Software’s products were used for at least 60 percent of U.S. ballots cast in 2006, according to Motherboard. These systems aren’t the ones that voters directly input their votes on, but county election offices use them to program voting machines and calculate results from those machines. Thus, they form a critical part of the modern electoral process.
The company reportedly stopped installing the pcAnywhere software on its election-management machines in December 2007. At that time, a new set of standards for voting systems went into effect which required Election Systems and Software’s machines to be federally tested and certified to contain only election-released programming.
Before this time, Election Systems and Software was not alone: Other election-management device makers also shipped their products with remote-login capabilities.
It’s unclear why Election Systems and Software made an about-face on its use of remote connection software, but it’s now evident that it was a terrible security decision that could have opened up American elections to exploitation by hackers.
Sen. Ron Wyden (D-Ore.), who spearheaded this inquiry, is still waiting on the company to answer questions he asked back in March. Election Systems and Software was also asked to send a representative to an election security-related meeting last week with the Senate Committee on Rules and Administration. The company did not send anyone to the Senate hearing.
H/T the Daily Beast