US Vote-Counting Computers Had Flaw, Allowed Hackers Access

In the US, vote-counting computers used in government elections contained a security vulnerability that could have been used to affect election results. The systems, which were sold by Election Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011.

Election-management systems are not voting terminals - they are in county election offices and contain software that in some counties is used to program all the voting machines used in the county. The systems also tabulate final results from voting machines. 

According to a report by Motherboard, the company admitted in a letter sent to Senator Ron Wyden (D-Oregon), which came to light on July 17 2018, that it had "provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006." The article goes on to say that originally, in February 2018, ES&S had denied installing the software on any of the election systems it sold and said: "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software." The company's machines were used in a number of states, and at least 60% of ballots cast in the US in 2006 were counted on the systems.

This news comes alongside the continuing investigations into suspected Russian meddling in the 2016 US presidential elections. On July 14 2018, deputy attorney general Rod Rosenstein announced that 12 individuals had been charged as part of the investigation.

During 2006, hackers stole the source code for the pcAnywhere software, a theft that wasn't made public knowledge until 2012, when a hacker posted some of the code online. This forced Symantec, the distributor of the software, to admit it had been stolen. Security researchers also found a vulnerability in the software that would allow an attacker to seize control of a system without the need to authenticate with a password. Researchers at Rapid7 also found that 150,000 online computers were configured to allow direct access to hackers.

Alarmingly, pcAnywhere was still being used in 2011 by Venango County, Pennsylvania, and it has not been clear whether the security flaws were patched or if there could have been more vulnerabilities. According to Motherboard, ES&S wrote in its letter to Wyden that it would be willing to meet privately in his office to discuss election security, but when the company was asked to attend a hearing on election security last week before the Senate Committee on Rules and Administration, ES&S declined to send anyone to answer Senate questions.

Wyden said he’s still waiting for ES&S to respond to the outstanding questions he sent the company in March. “ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cybersecurity questions, you have to ask what it is hiding.”
