More than 30 backend election systems over the last year -- including some in key swing states like Florida, Michigan and Wisconsin -- have been left online and were susceptible to hackers. A Motherboard investigation published today revealed that systems made by ES&S, one of the largest makers of voting machines in the country, were connected to the internet for long periods of time, in some instances as long as a year. This information contradicts prior claims by election officials that voting machine systems were no longer connected after Election Day.
It's likely the case that election officials who claimed their systems weren't online didn't know any better. "We ... discovered that at least some jurisdictions were not aware that their systems were online," Kevin Skoglund, an independent security consultant, told Motherboard.
At issue isn't the electronic voting machines themselves, but the SFTP server and firewall that some polling places use to speedily transmit votes. Such systems are only supposed to be connected to the internet during Election Day, and then are promptly disconnected. Researchers told Motherboard that critical backend systems are connected to the firewalls. If a hacker was able to intercept the firewall, they could alter vote totals or infect voting machines with malware.
ES&S disagrees with the conclusion reached by the researchers interviewed for the story. "There's nothing connected to the firewall that is exposed to the internet," Gary Weber, vice president of software development and engineering for ES&S, told Motherboard.
This isn't the first instance of ES&S running into trouble for its handling of election security. Last summer, the vendor admitted to Senator Ron Wyden (D-OR) that some of its election management systems had vulnerable remote-access tools -- despite repeated denials in the past. The North Carolina Board of Elections -- which uses ES&S systems -- recently voted to disqualify the company's machines for not providing an option for hand-marked ballots.