- The Washington Times - Tuesday, July 17, 2018

The nation’s largest voting equipment vendor said that remote-access software came preinstalled on some of its election-management systems, effectively creating potential points of entry for attackers to exploit, Motherboard reported Tuesday.

Election Systems and Software (ES&S) “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” the company wrote in a letter sent in April to Sen. Ron Wyden, Oregon Democrat, according to a copy obtained by Motherboard.

Responding to question sent by Mr. Wyden in March, ES&S said that certain products were shipped with both pcAnywhere software and internet modems installed so that technicians could remotely access systems to troubleshoot.

Selling elections system designed to be being remotely accessed over the internet “is the worst decision for security short of leaving ballot boxes on a Moscow street corner,” Mr. Wyden told Motherboard.

Election-management systems and voting machines are meant to be “air-gapped,” or isolated from the internet, to prevent malicious actors from gaining access externally.



ES&S told Mr. Wyden that it stopped shipping its products with pcAnywhere preinstalled in late 2007 after new federal standards were implemented prohibiting election systems from containing nonessential software, the report said.

The systems containing the remote-access software were not voting terminals used to cast ballots, but they were the machines used by officials to tabulate final results.

Election systems containing the remote-software were configured in a manner designed to prevent unauthorized access only allowing outgoing connections, ES&S told Mr. Wyden. Motherboard noted that the company’s source code was stolen in 2006 and later leaked online, however, meaning hackers could have examined how the systems work and potentially found security vulnerabilities to exploit.

Mr. Wyden said that he asked ES&S for additional information about the security of its systems but has yet to receive a response, Motherboard reported.

“ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” Mr. Wyden told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cybersecurity questions, you have to ask what it is hiding.”

The company’s admission contradicts a statement given in February when an EC&C spokesman told The New York Times: “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.”

“ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today,” the company said in a statement to The Washington Times. “ES&S is proud to be an American company employing the most advanced security to defend democracy through the voting process. ES&S has been successful in its vigilance against threats, always placing security as its foremost priority.”

Election-management systems made by ES&S tabulated at least 60 percent of the ballots cast in the U.S. during 2006, Motherboard reported.

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

 

Click to Read More and View Comments

Click to Hide