Election Systems and Software (ES&S) has admitted that it sold election management systems which included remote-access software to multiple US states over six years. The company said in a letter to Sen. Ron Wyden it had included off-the-shelf pcAnywhere software on some machines, which it sold "to a small number of customers between 2000 and 2006," Motherboard reports.
That admission raises a lot of questions over how seriously ES&S took its security, and it contradicts statements it previously made to reporters that it had no knowledge of selling machines with remote-access capabilities. Lying to lawmakers can carry severe consequences down the line if that deception is discovered, so ES&S was forced to make the confession.
In 2006, at least 60 percent of US ballots were logged using ES&S election management systems. Those machines count all of a county's ballots and in some cases are used to program all voting machines in a county.
Those machines with pcAnywhere installed on them also had modems which gave ES&S technicians access to the systems -- as well as possibly opening the door to infiltrators. ES&S claimed in its letter that the modems were set up to only make outgoing calls, so it was up to election officials to grant the company's technicians remote access. However, it's unclear exactly how those connections between the company and the systems were secured. In one case in 2006, technicians spent hours remotely accessing an election management system to resolve a voting discrepancy issue in an election.
Hackers stole the pcAnywhere source code in 2006, letting them scrutinize the code for vulnerabilities and potentially act on those. Creator Symantec didn't disclose the theft until 2012, when it urged those who were using the software to disable or uninstall it until the company could patch any security flaws. Around the same time, it emerged there was a vulnerability in pcAnywhere that let hackers access a system without password authentication. A security firm found that 150,000 computers with pcAnywhere installed were set up in a way that allowed direct access. It's unclear whether any election officials installed patches for the vulnerabilities.
ES&S says it stopped installing pcAnywhere in December 2007, when new voting system standards came into play, ensuring that any future voting systems could only include essential software for voting and counting ballots.
The company told Wyden that including remote-access software was an accepted practice at the time among tech firms, "including other voting system manufacturers." ES&S did not disclose where it had sold the machines including the software, only confirming that customers who had systems with pcAnywhere "no longer have this application installed."
It's not clear exactly when ES&S confirmed with its clients that the software had been removed, or how recently it was active on their machines (it was still in use in at least one case in 2011). Regardless of when pcAnywhere was removed, its mere existence on election management systems was fundamentally a security flaw.
News of the vulnerability is more pertinent than ever, following recent indictments of Russian hackers who allegedly tried to influence the 2016 presidential election; the indictments indicated that they focused on companies that create election software. More than 20 percent of voters cast ballots on machines in that election.
Wyden told Motherboard that he was waiting on answers to other questions he had posed ES&S in March. The company said it would meet with him to discuss election security in private, but it declined to send a representative to a Senate Committee on Rules and Administration hearing on the issue last week.