Election system security was compromised by the installation of remote access software on systems over the span...
of six years, a vendor admitted in a letter to a senator.
Election Systems & Software (ES&S), a voting machine manufacturer based in Omaha, Neb., admitted it installed the flawed PCAnywhere remote access software on its election management system (EMS) workstations for a "small number of customers between 2000 and 2006," according to a letter sent to Sen. Ron Wyden (D-Ore.) that was obtained by Motherboard.
The PCAnywhere source code was stolen from Symantec servers in 2006, leaving the software vulnerable, and further issues in 2012 caused Symantec to suggest users uninstall the program before officially putting PCAnywere to its end of life in 2014.
ES&S had previously denied knowledge of the use of remote access software on its election management systems, but told Wyden about the vulnerable software that could have put voting machine security at risk. ES&S wrote that it stopped installing the PCAnywhere software in December 2007 due to new policies enacted by the Election Assistance Commission regarding voting machine security.
Gene Shablygin, CEO and founder of WWPass, an identity and access management company based in Manchester, N.H., said the actions by ES&S were "pretty consistent with the overall state of computer security" for the time.
"Today, these technologies and general approaches are totally unacceptable, and must be completely reworked. The last decade especially, was the period of explosive growth of hacking technologies, and the defensive side of many systems was left in the dust. So, most of the systems that are still in use -- and voting systems are no exception -- have multiple vulnerabilities, some of which are zero-day, or not yet discovered," Shablygin wrote via email. "You can't stop progress, and sooner or later, remote voting will become a matter of everyday life."
Lane Thames, senior security researcher at Tripwire, agreed that the failures of ES&S with election system security shouldn't be surprising, "especially during the 2000 to 2007 timeframe when cybersecurity was hardly ever on the roadmap for companies producing computing systems."
"Another concerning point is the underlying arguments that imply the devices built from 2000 to 2007 are still in use. As with many critical infrastructure systems, costs can prohibit frequent hardware refresh cycles," Thames wrote via email. "As such, many voting machines are likely to contain older operating systems and other software with many vulnerabilities due to these systems not being able to be updated with operating system patches and such. This is a challenging problem we face with all of our critical infrastructure, with very few good solutions at this time."
ES&S did not respond to requests for comment and it is unclear if the affected election systems were ever fixed or if they are still in use.
Fixing voting machine security
Voting machine security was already proved to be in a troubling state after hackers at Defcon 2016 were able to crack all systems tested within just a few days.
Jonathan SanderCTO, Stealthbits Technologies
Sean Newman, director of product management at Corero Network Security, said the news about PCAnywhere will make "little difference" in the likelihood of finding other election system security issues.
"They run software and, if they have any kind of internet connectivity, even for managing the voting system/process itself, then there's a reasonable chance that vulnerabilities exist, which could provide unauthorized users with the ability to have an impact on the normal operation of the system," Newman wrote via email. "The focus should be for vendors, like ES&S, to ensure they use secure coding practices to develop the software for such systems and avoid any need to expose such systems to the public Internet."
Jonathan Sander, CTO at Stealthbits Technologies, noted that government "pressures to do everything cheaply and with world class, state actor proof security are in tension" when it comes to election system security and outside audits are needed.
"Every system charged with securing our government's processes -- a.k.a. protecting our collective benefit -- should be open to large security audits. To sell anything to the federal government you need to go through tons of certifications. But that's not enough," Sander wrote via email. "Bug bounties to get the hacker community to find vulnerabilities, open review at a source level for all solutions to be used in government, and mandatory standards for any remote access features should be table stakes for putting in systems like this."
Thames notes that a major issue is that "although the U.S. electoral infrastructure is part of the nation's critical infrastructure, it is still largely up to local and state agencies to ultimately enforce security of the systems."
"Herein lies another challenging problem. Local and state agencies likely have little to no expertise or budget for securing their voting systems. Every time I go to the voting polls, I see mostly volunteers with a few dedicated staff. Most volunteers at the polls will not have experience with cyber and/or physical security issues related to voting machines," Thames wrote. "Moreover, the nation already has a significant deficit for staffing our cyber security departments, in both government and industry. Funding will likely need to be increased, somehow, for local and state government agencies in order to provide adequate security for our voting systems."