Does pcAnywhere put election management systems at risk?

Election Systems & Software LLC recently admitted that the remote access program pcAnywhere was installed on some election management systems sold by the voting machine manufacturer. What is pcAnywhere and what is the risk of having it on election management systems?

PcAnywhere, a remote access utility published by Symantec until 2014, enabled authenticated users to connect remotely to a personal computer. Symantec ultimately decided to stop selling the program due to security issues after a pcAnywhere code leak occurred in 2006 but was not reported until 2012. Symantec attempted several fixes to secure the code, and even urged users to remove the software for security reasons before announcing the end of life for the product in 2014.

PcAnywhere returned to the news after Election Systems & Software (ES&S) admitted, in a letter to Sen. Ron Wyden (D-Ore.), that the insecure remote access software was installed on election management system workstations of a "small number of customers between 2000 and 2006."

The presence of the insecure remote access software on systems used for election management raises concerns that malicious threat actors -- possibly nation-state actors -- could gain access to election systems in order to attack the election process. It also highlighted the importance of having mechanisms to update old software in embedded systems like election infrastructure systems. Over time, the challenge to maintain these systems can grow as the OSes used in the embedded systems become more outdated.

The primary risk of having pcAnywhere on election management systems is that attackers can use very old exploits of the remote access program to gain access to the systems used to manage elections, potentially enabling attackers to maliciously change legitimate vote tallies. Simple denial-of-service attacks could also be used to disrupt or subvert elections.

Hackers can readily exploit systems that use pcAnywhere and other outdated or obsolete software, such as Windows 2000, as security fixes and patches are no longer available. PcAnywhere doesn't check the expiration dates of SSL certificates, which can grant hackers access to the systems and enable them to alter firewall configurations.

While ES&S no longer sells election systems that run pcAnywhere, technicians can able repair older, more vulnerable machines; however, they cannot provide security fixes for PCAnywhere.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)