A US senator is holding the nation’s biggest voting machine maker to account following a recent article that reported it has sold equipment that was pre-installed with remote-access software and has advised government customers to install the software on machines that didn’t already have it pre-installed.
Use of remote-access software in e-voting systems was reported last month by The New York Times Magazine in an article headlined “The Myth of the Hacker-Proof Voting Machine.” The article challenged the oft-repeated assurance that voting machines are generally secured against malicious tampering because they’re not connected to the Internet.
Exhibit A in the case built by freelance reporter Kim Zetter was an election-management computer used in 2016 by Pennsylvania’s Venango County. After voting machines the county bought from Election Systems & Software were suspected of “flipping” votes―meaning screens showed a different vote than the one selected by the voter―officials asked a computer scientist to examine the systems. The scientist ultimately concluded the flipping was the result of a simple calibration error, but during the analysis he found something much more alarming―remote-access software that allowed anyone with the correct password to remotely control the system.
Zetter unearthed a 2006 contract with the state of Michigan and a report from Pennsylvania’s Allegheny County that same year that both showed ES&S employees using a remote-access application called pcAnywhere to remotely administer equipment it sold.
ES&S officials told the NYT Magazine that none of its employees had any knowledge of company machines being sold with remote-access software. The article, however, leaves little doubt that in at least some cases ES&S employees arranged for the equipment to come pre-installed with the software or for it to be installed after purchase. The practice has serious consequences for the security of the equipment, since anyone who can obtain login credentials or exploit vulnerabilities in the software can gain control over systems and potentially alter voting tallies.
On Tuesday, US Senator Ron Wyden (D-Ore.) sent ES&S Chief Executive Tom Burt a letter that in essence asked two questions:
- Has ES&S sold any products on which remote-access software was pre-installed?
- Have ES&S officials or technical support personnel ever recommended that customers install remote-access software on voting machines or other election systems?
“The American public has been repeatedly assured that voting machines are not connected to the Internet and, thus, cannot be remotely compromised by hackers,” Wyden wrote. “However, according to a recent article in The New York Times Magazine, election systems sold by your company frequently include pre-installed remote-access software, which exposed elections systems to remote attack and compromise.”
ES&S officials didn’t respond to messages seeking comment for this post.