A major voting machine maker, Election Systems & Software, revealed in a letter to a US senator that it installed remote-access software on its machines over a period of six years. The revelation raises substantial security concerns, as reported by Motherboard, which obtained the letter.
ES&S admitted in the letter sent to Senator Ron Wyden (D-OR) in April that it had provided the embattled remote connection software called pcAnywhere to “a small number of customers between 2000 and 2006.” In those years, ES&S was one of the top voting machine makers in the United States. The company makes systems used to manage voting booths and to tabulate the final results from those booths. In 2006, at least 60 percent of ballots cast in the US were added up by ES&S systems.
Remote access software like pcAnywhere can be used by system admins to upgrade and modify software remotely. But election management systems are supposed to be air gapped, without any connection to the internet or to other systems. Those connections could be abused by hackers and potentially lead to tampering with election results. Given the remote access, a bad actor could have exploited pcAnywhere’s security vulnerabilities and sent malware through the system.
In fact, pcAnywhere’s security vulnerabilities have been well-documented in the past. In 2006, hackers stole the source code for pcAnywhere and then stayed quiet until 2012, when a hacker published part of the code online. Symantec, which distributed pcAnywhere, knew vaguely of the theft back in 2006 but only spoke up about it after the code leaked, along with the warning that users should disable or uninstall the software. At the same time, security researchers studied pcAnywhere’s code and found a vulnerability that could let a hacker take control of a whole system and bypass the need to enter a password.
The open vulnerability seems more concerning now that recent US indictments against Russian hackers have demonstrated that they were focused on election system software makers in the US.
ES&S told Senator Wyden that by December 2007, it stopped installing pcAnywhere on its systems after new federal voting system standards were released. The new standards limited election systems to containing solely voting and tabulation software, eliminating any other superfluous software. It also defended its use of pcAnywhere, calling it “an accepted practice by numerous technology companies.”
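The two points above (an election management system is supposed to be air gapped with no remote-access path, and the 2007 standards limit it to voting and tabulation software only) translate naturally into an allowlist audit of a workstation. The following is an added example, not code from the article, ES&S or any election vendor: it checks a constructed software inventory and a constructed socket listing against an assumed certified build. The approved product names, the remote-access product names and the listener format are assumptions for the example; the pcAnywhere ports (TCP 5631 data, UDP 5632 status), VNC 5900 and RDP 3389 are the products' well-known defaults.

```python
"""Added example: allowlist audit for an air-gapped election management host.

Not from the article or any vendor. The inventory and socket lines are
constructed sample data; APPROVED_SOFTWARE stands in for the certified build
list a real system would take from its certified configuration."""

from dataclasses import dataclass

# Assumed certified build: only voting and tabulation components belong here.
APPROVED_SOFTWARE = {"ElectionManager", "TabulationService", "ReportPrinter"}

# Remote-access products a defender would not expect on an air-gapped host
# (substring match, lower-cased). pcAnywhere is the one named in the article.
REMOTE_ACCESS_NAMES = {"pcanywhere", "vnc", "teamviewer", "remote desktop"}

# Well-known listener ports for those products:
# pcAnywhere TCP 5631 (data) / UDP 5632 (status), VNC TCP 5900, RDP TCP 3389.
REMOTE_ACCESS_PORTS = {("tcp", 5631), ("udp", 5632), ("tcp", 5900), ("tcp", 3389)}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    detail: str


def audit_inventory(installed):
    """Flag remote-access software (high) and anything outside the build (medium)."""
    findings = []
    for name in installed:
        lowered = name.lower()
        if any(tag in lowered for tag in REMOTE_ACCESS_NAMES):
            findings.append(Finding("high", f"remote-access software present: {name}"))
        elif name not in APPROVED_SOFTWARE:
            findings.append(Finding("medium", f"software outside certified build: {name}"))
    return findings


def parse_listener(line):
    """Parse a constructed '<proto> <addr>:<port> <state>' line."""
    proto, endpoint, state = line.split()
    port = int(endpoint.rsplit(":", 1)[1])
    return proto.lower(), port, state.upper()


def audit_listeners(lines):
    """Flag known remote-access ports (high); any other listener is still
    unexpected on an air-gapped host and gets a low-severity note."""
    findings = []
    for line in lines:
        proto, port, state = parse_listener(line)
        if (proto, port) in REMOTE_ACCESS_PORTS:
            findings.append(Finding("high", f"remote-access port open: {proto}/{port}"))
        elif state == "LISTENING":
            findings.append(Finding("low", f"unexpected listener on air-gapped host: {proto}/{port}"))
    return findings


def audit_host(installed, listener_lines):
    """Combine both checks; an empty result means the host matches the build."""
    return audit_inventory(installed) + audit_listeners(listener_lines)


# Constructed sample data for one county workstation.
SAMPLE_INSTALLED = [
    "ElectionManager",
    "TabulationService",
    "Symantec pcAnywhere 12",
    "Adobe Reader",
]
SAMPLE_LISTENERS = [
    "TCP 0.0.0.0:5631 LISTENING",
    "UDP 0.0.0.0:5632 LISTENING",
    "TCP 127.0.0.1:8080 LISTENING",
]

if __name__ == "__main__":
    for f in audit_host(SAMPLE_INSTALLED, SAMPLE_LISTENERS):
        print(f"[{f.severity}] {f.detail}")
```

The allowlist is the important design choice: under a "solely voting and tabulation software" standard, the question is not whether a known-bad product is present but whether anything at all outside the certified build is, so the remote-access denylist only raises severity on top of the baseline check.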
Currently, after receiving the letter, Wyden told Motherboard he is waiting to hear ES&S’s answer on whether it had taken proper security measures to ensure the use of pcAnywhere was secure. ES&S responded in a statement to The Verge:
“Between 2000 and 2006, ES&S provided pcAnywhere remote connection software to a small number of customers for technical support purposes on county workstations, but this software was not designed to and did not come in contact with any voting machines. To be clear, in accordance with EAC guidelines implemented in 2007, ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today.”