Top Voting Machine Vendor
Admits It Installed Remote-Access Software on Systems Sold to States, by Kim
Zetter, 7/17/18.
Remote-access
software and modems on election equipment 'is the worst decision for security
short of leaving ballot boxes on a Moscow street corner.
The nation's top voting
machine maker has admitted in a letter to a federal lawmaker that the company
installed remote-access software on election-management systems it sold over a
period of six years, raising questions about the security of those systems and
the integrity of elections that were conducted with them.
In
a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by
Motherboard, Election Systems and Software acknowledged that it had
"provided pcAnywhere remote connection software … to a small number of
customers between 2000 and 2006," which was installed on the
election-management system ES&S sold them. The
statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February.
At
that time, a spokesperson said ES&S had never installed pcAnywhere on any
election system it sold. "None of the employees, including long-tenured
employees, has any knowledge that our voting systems have ever been sold with
remote-access software," the spokesperson said.
ES&S
did not respond on Monday to questions from Motherboard, and it’s not clear why
the company changed its response between February and April. Lawmakers,
however, have subpoena powers that can compel a company to hand over documents
or provide sworn testimony on a matter lawmakers are investigating, and a
statement made to lawmakers that is later proven false can have greater
consequence for a company than one made to reporters.
ES&S
is the top voting machine maker in the country, a position it held in the years
2000-2006 when it was installing pcAnywhere on its systems. The company's
machines were used statewide in a number of states, and at least 60 percent of
ballots cast in the US in 2006 were tabulated on ES&S election-management
systems. It’s not clear why ES&S would have only installed the software on
the systems of “a small number of customers” and not all customers, unless
other customers objected or had state laws preventing this.
The
company told Wyden it stopped installing pcAnywhere on systems in December
2007, after the Election Assistance Commission, which oversees the federal
testing and certification of election systems used in the US, released new
voting system standards. Those standards required that any election system
submitted for federal testing and certification thereafter could contain only
software essential for voting and tabulation. Although the standards only went
into effect in 2007, they were created in 2005 in a very public process during
which the security of voting machines was being discussed frequently in
newspapers and on Capitol Hill.
Election-management
systems are not the voting terminals that voters use to cast their ballots, but
are just as critical: they sit in county election offices and contain software
that in some counties is used to program all the voting machines used in the
county; the systems also tabulate final results aggregated from voting
machines.
Software
like pcAnywhere is used by system administrators to access and control systems
from a remote location to conduct maintenance or upgrade or alter software. But
election-management systems and voting machines are supposed to be air-gapped
for security reasons—that is, disconnected from the internet and from any other
systems that are connected to the internet. ES&S customers who had
pcAnywhere installed also had modems on their election-management systems so
ES&S technicians could dial into the systems and use the software to troubleshoot,
thereby creating a potential port of entry for hackers as well.
In
May 2006 in Allegheny County, Pennsylvania, ES&S technicians used the
pcAnywhere software installed on that county's election-management system for
hours trying to reconcile vote discrepancies in a local election, according
to a report filed at
the time. And in a contract with Michigan,
which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and modems
for this purpose.
"In
some cases, the Technical Support representative accesses the customer’s system
through PCAnywhere—off-the-shelf software which allows immediate access to the
customer’s data and network system from a remote location—to gain insight into
the issue and offer precise solutions," ES&S wrote in a June 2007
addendum to the contract. "ES&S technicians can use PCAnywhere to view
a client computer, assess the exact situation that caused a software issue and
to view data files."
Motherboard
asked a Michigan spokesman if any officials in his state ever installed the
pcAnywhere software that ES&S recommended they install, but got no
response.
The
presence of such software makes a system more vulnerable to attack from
hackers, especially if the remote-access software itself contains security
vulnerabilities. If an attacker can gain remote access to an
election-management system through the modem and take control of it using the
pcAnywhere software installed on it, he can introduce malicious code that gets
passed to voting machines to disrupt an election or alter results.
Wyden
told Motherboard that installing remote-access software and modems on election
equipment “is the worst decision for security short of leaving ballot boxes on
a Moscow street corner.”
In
2006, the same period when ES&S says it was still installing pcAnywhere on
election systems, hackers stole the source code for the pcAnyhere software, though the public didn’t learn of this
until years later in 2012 when a hacker posted some of the source code online,
forcing Symantec, the distributor of pcAnywhere, to admit that it had been
stolen years earlier. Source code is invaluable to hackers because it allows
them to examine the code to find security flaws they can exploit.
When
Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any
security flaws in the software had been patched.
Around
this same time, security researchers discovered a
critical vulnerability in
pcAnywhere that would allow an attacker to seize control of a system that had
the software installed on it, without needing to authenticate themselves to the
system with a password. And other researchers with the security firm Rapid7
scanned the internet for any computers that were online and had pcAnywhere
installed on them and found nearly 150,000 were configured in a way that would
allow direct access to them.
It’s
not clear if election officials who had pcAnywhere installed on their systems,
ever patched this and other security flaws that were in the software.
“It's
very unlikely that jurisdictions that had to use this software … updated it
very often,” says Joseph Lorenzo Hall, chief technologist for the Center for Democracy
and Technology, “meaning it's likely that a non-trivial number of them were
exposed to some of the flaws found both in terms of configuration ... but also
flaws that were found when the source code to that software was stolen in
2006.”
ES&S
said in its letter to Wyden that the modems it installed on its
election-management systems for use with pcAnywhere were configured only to
dial out, not receive calls, so that only election officials could initiate
connections with ES&S. But when Wyden's office asked in a letter to
ES&S in March what settings were used to secure the communications, whether
the system used hard-coded or default passwords and whether ES&S or anyone
else had conducted a security audit around the use of pcAnywhere to ensure that
the communication was done in a secure manner, the company did not provide
responses to any of these questions.
Even
if ES&S and its customers configured their remote connections to ES&S
in a secure manner, the recent US indictments against Russian state hackers who tried to interfere in the 2016
presidential elections, show that they targeted companies in the US that make
software for the administration of elections. An attacker would only have had
to hack ES&S and then use its network to slip into a county's
election-management system when the two systems made a remote connection.
In
its letter to Wyden, ES&S defended its installation of pcAnywhere, saying
that during the time it installed the software on customer machines prior to
2006, this was "considered an accepted practice by numerous technology companies,
including other voting system manufacturers."
Motherboard
contacted two of the top vendors—Hart InterCivic and Dominion—to verify this,
but neither responded. However, Douglas Jones, professor of computer science at
the University of Iowa and a longtime expert on voting machines confirmed that
other companies did routinely install remote-access software during this
period.
“Certainly,
[Diebold Election Systems] did the same, and I'd assume the others did too,” he
told Motherboard. “In the case of [Diebold], many of their contracts with
customers included the requirement of a remote-login port allowing [the
company] to have remote access to the customer system in order to allow
customer support.”
He
notes that election officials who purchased the systems likely were not aware
of the potential risks they were taking in allowing this and didn’t understand
the threat landscape to make intelligent decisions about installing such
software.
All
of this raises questions about how many counties across the US had
remote-access software installed—in addition to ES&S customers—and whether
intruders had ever leveraged it to subvert elections.
Although
Wyden's office asked ES&S to identify which of its customers were sold
systems with pcAnywhere installed, the company did not respond. ES&S would
only say that it had confirmed with customers who had the software installed
that they "no longer have this application installed."
The
company didn't respond to questions from Motherboard asking when these
customers removed the software—whether ES&S had instructed them to do so
back in 2007 when the company says it stopped installing the software on new
systems it sold or whether it had only recently told customers to remove it
following concerns raised in the 2016 presidential elections that Russian
hackers were targeting election networks in the US. As late as 2011 pcAnywhere
was still being used on at least one ES&S customer's election-management
system in Venango County, Pennsylvania.
ES&S
wrote in its letter to Wyden that it would be willing to meet privately in his
office to discuss election security. But when the company was asked to attend a
hearing on election security last week before the Senate Committee on Rules and
Administration, ES&S declined to send anyone to answer Senate questions.
Wyden
says he’s still waiting for ES&S to respond to the outstanding questions he
sent the company in March.
“ES&S
needs to stop stonewalling and provide a full, honest accounting of equipment
that could be vulnerable to remote attacks,” he told Motherboard. “When a
corporation that makes half of America’s voting machines refuses to answer the
most basic cyber security questions, you have to ask what it is hiding.”
Correction: This story previously stated that
Senator Ron Wyden is a member of the Senate Committee on Rules and
Administration. He is not a member of the committee, but was asked to
participate in a hearing it held last week on election security. Motherboard
regrets the error.
Norb Leahy, Dunwoody
GA Tea Party Leader
No comments:
Post a Comment