In February 2018, Election Systems and Software told the press that it had never installed remote-access software in any of the e-voting systems it has sold in the various US states or to local governments. In April, the company told the office of Senator Ron Wyden (D-OR) that it had sold pcAnywhere remote connection software “to a small number of customers between 2000 and 2006.” The good news about this disclosure is that the systems in question have all been retired and are no longer in use across the United States. But the fact that this happened in the first place, combined with ongoing warnings about the generally poor state of e-voting security, speaks to the depth and breadth of the issues facing the United States’ e-voting system as the 2018 midterm election approaches. The fact that ES&S lied about its own previous behavior to the public until pressured by Senator Wyden’s office says little good about the civic responsibility these companies feel towards ensuring that voting is handled safely. It’s important — just not as important as minimizing any hint of corporate liability.
In this case, ES&S installed pcAnywhere software on election management systems (EMS), not voting terminals. While EMS hardware doesn’t actually collect votes, it is typically used to program voting terminals and to tabulate results aggregated from those terminals. In short, compromising an EMS could be even more effective than compromising individual terminals, depending on the nature of the breach and the capabilities of the software. But with that said, there are some important differences between how Vice characterizes the situation and what ES&S says in its letter to Wyden. Vice writes: “ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.” ES&S, however, maintains that “The use of the tool could only occur through approval by the customer, who had to initiate the remote connection.”
This isn’t a trivial distinction, and ES&S notes that none of the EMSs that it sold in this configuration are still operating today. But it’s also not the end of the problem — not by a long shot. The United States’ voting system is heavily atomized and administered at the local level, which means it’s mostly run by the Republican party, since the GOP controls far more counties in the United States than the Democratic party does. This atomization makes it extremely difficult to change votes as part of a massive coordinated campaign, and is one reason why allegations of vast swaths of illegal votes being cast have never withstood investigation — any attempt to alter election results within even a single state effectively requires compromising multiple counties across broad geographical areas, to say nothing of the difficulty of coordinating such an attack nationwide.
Full Article: Voting Machine Vendor Admits Installing Remote-Access Software on State Systems – ExtremeTech.