Last week special counsel Robert Mueller indicted 12 Russians for allegedly hacking into computers belonging to the Democratic Party. Concern over the threat of foreign cyberattacks affecting the outcome of US elections is now seemingly on everyone’s radar. But perhaps more worrisome is the lack of a cyber defense against it.
A recent case in point demonstrates the problem, and has left many cyber experts shaking their heads.
One of the nation’s largest voting machine vendors, Election Systems & Software (ES&S), has admitted to installing vulnerable remote-access software on some of its election management systems (EMSs) equipped with modems and sold to states between 2000 to 2006.
In a letter to Sen. Ron Wyden (D-OR), written this past April and recently obtained by Motherboard, ES&S disclosed that it installed pcAnywhere — a third-party remote-access software produced by antivirus and cybersecurity software company Symantec — on some of its EMS workstation machines.
Wyden told Motherboard that remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”
ES&S made clear in its letter that the software was never installed on any actual voting devices (“tabulators and/or ballot marking devices”). However, the affected EMS machines were equally sensitive — they were utilized in election offices and could be used to program the individual voting machines themselves, and to calculate the total vote count from the combined tallies of other machines.
You can think of the remote software as the front-door key you might leave under the flower pot (or inside a combination lock box if you’re more security conscious) for the plumber so he can fix your leaky sink. It allows professionals to come in and deal with the maintenance issues you’re having.
You just hope the bad guys don’t look under that flower pot.
Remote-access software is a similar concept. Having trouble configuring that new program you downloaded? Can’t figure out how to change your printer settings? No problem. Just let someone more informed come in remotely and fix the problem for you.
Many of us are already familiar with such technology, and even rely on it daily. Microsoft Windows comes with remote desktop software built in, and you can download and use remote software programs like TeamViewer for free.
“Voting systems should be owned by the public.”
pcAnywhere was the same thing — only it had security problems. Big ones.
For starters, the source code for the program — the secret blueprint that shows exactly how the thing works — was stolen in 2006 after a network breach. Any nefarious hackers who reviewed the code could find weaknesses and vulnerabilities in the program.
Unfortunately, Symantec didn’t publicly reveal this breach until 2012, after hackers had posted the partial source code online. The company then took the extraordinary measure of telling its customers to stop using the software until it provided fixes to patch vulnerabilities.
ES&S stopped pre-installing the pcAnywhere software on its systems in 2007, after the Election Assistance Committee (EAC) updated its rules and regulations.
But the remote software was still being used. In 2006 in Allegheny, PA, ES&S contractors accessed a machine remotely and “spent hours trying to reconcile vote discrepancies in a local district race that took place during a May 16th primary.” And there’s at least one documented case of the software still being used in 2011.
The company’s recent confession to Wyden seems to contradict an earlier statement made to a reporter who published a February article in the New York Times, in which ES&S denied having pre-installed any remote software on its machines whatsoever:
None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.
Maybe they just forgot.
The problem of unauthorized remote access is not new — it’s an ongoing problem in the cybersecurity world. In 2014, it was discovered that many popular router models of Netgear, Linksys, and Cisco had a secret back-door built in that could allow remote access. More recently it was discovered that a baby camera monitor sold on Amazon could be remotely hacked — as in fact happened to a South Carolina woman. And last year the FDA announced the first-ever recall of a medical device — a pacemaker — due to cyber vulnerabilities. Affected patients could receive a firmware update at a local facility.
Whereas many of these secret backdoors were “always-on,” the pcAnywhere program had to first be initiated by a user, mitigating the risk. But it’s still not clear how many of the vulnerable machines ever received software updates to patch the problems with the program. Nor is it clear if ES&S advised its customers to stop using the software after it stopped pre-installing the program in 2007.
According to Motherboard, “60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems.”
Unfortunately, this latest news will not be shocking to WhoWhatWhy readers familiar with our coverage of the inherent risks of electronic voting equipment. At the DEFCON hacking conference last year, participants demonstrated just how easy it was to penetrate many voting machines — especially the DRE touchscreen machines — that were being used in elections across the country.
And nothing about this latest revelation from ES&S shocks Philip Stark, a mathematician and physicist at UC Berkeley. Besides not installing remote-access software and connecting to the internet on sensitive election equipment, Stark has other thoughts on securing elections.
He tells WhoWhatWhy that “Voting systems need to use voter-verifiable paper ballots as the official record of voter intent. Hand-marked ballots should be the default, with assistive technology (for instance, a ballot-marking device) for voters who need it. Paperless machines cannot be secured” (emphasis added).
Part of the problem is that the voting-machine companies are privately owned, and do not make their source code, those hidden blueprints, available for review.
“Voting systems should be owned by the public. The private sector continues to demonstrate that it puts profit before the security and trustworthiness of elections,” Stark said. “Understandably, it sells what there is a market for; however, vendors have repeatedly acted in bad faith to market systems that obviously are not secure, falsely claiming that the systems are trustworthy. Moreover, vendors have in general refused to make their software available for ‘white-hat’ security experts to check for vulnerabilities.”
Wyden is also calling for more accountability for the voting machine companies. And for more paper.
At a Senate Rules and Administration hearing last Wednesday, Wyden faulted the voting machine companies, including ES&S, for roadblocking transparency efforts in the midst of a national crisis over election security.
He called on the Senate to pass his Protecting American Votes and Elections Act, which he says “focuses on two common-sense measures that are backed by the overwhelming number of cybersecurity experts in this country: paper ballots and risk-limiting audits.”
ES&S declined an invitation to attend the hearing.
With midterm elections fast approaching, amid heightened concerns over foreign hackers and the apparent vulnerabilities of privately controlled election systems to cyberattacks, it’s increasingly clear that the US isn’t prepared for truly free and fair elections.
Related front page panorama photo credit: Adapted by WhoWhatWhy from presentation (ChicagoElections / YouTube).