Admitted that the voting system maker made the election management system remote accessible, the possibility that the voting result was tampered with

by Carl Mikoy

The voting machine maker boasting the top market share in the United States acknowledged that the remote access software was installed in the election management system that the company sold for the past six years. The election management system is mostly separated from the Internet for security reasons, but it is clear that the system was connected to the Internet in order to use the remote access software, and the vulnerability The voting result may have been falsely altered by the attacker who struck it.

Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States - Motherboard
https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

Election Systems & Software (ES & S), a voting machine manufacturer, said in a letter that "we received a letter sent to US senator Ron Widen," a small number of voting machine manufacturers from 2000 to 2006 We have offered customers "remote access software called" pcAnywhere "."

ES & S authorized to install remote access software in the letter to Mr. Widen, but the company's public relations officer says "We have not installed and sold remote access software on voting system" in February 2018 In an interview with The New York Times I answered. According to this, overseas media Motherboard seems to have sent questions to ES & S, but it seems that no reply has been obtained.

ES & S is a voting machine manufacturer boasting the top market share in the United States, and its position was built between 2000 and 2006 when pcAnywhere was installed in the system. ES & S 's terminal has been adopted in many states, and at least 60% of the votes made in the United States in 2006 was compiled by the ES & S election management system. Motherboard notes that "unless ES & S customers reject it or have state laws that prevent the installation of remote access software, pcAnywhere should have been installed on most of the terminals ES & S sold during the same period," ES & S I'm skeptical about the explanation that "We provided remote access software called" pcAnywhere "to a few customers.

In the letter to Mr. Widen, ES & S in the letter to Mr. Widen, after the election aid committee overseeing federal examination and accreditation of the American electoral system announced the standards of the new voting system, in December 2007, pcAnywhere I have stopped installing it, I wrote. The new standard of the voting system announced by the election aid committee is "It is permitted to install only essential software for voting and totaling elections" and it came into effect in 2007.

Remote access software such as pcAnywhere is originally used by system administrators to access and control the system from a remote place, to maintain and check the system and upgrade software. Normally, the election management system and voting machine should be separated from the Internet and other systems for security reasons, but in the ES & S system, the system was connected to the network by installing pcAnywhere.

Also, the election management system that pcAnywhere was installed is not a terminal for voters posting ballot forms, but is placed in the election office of the group and programs all of the voting machines used in the group The software to be used is installed. Since the election management system collects the data aggregated by the voting machines and aggregates the vote data of the whole group, if the terminal was hacked, it is possible that the voting result has been drastically tampered with.

The presence of software such as pcAnywhere increases the system's vulnerability to hacker attacks, especially if security vulnerabilities exist in the remote access software. If an attacker remotely accesses the election management system via a modem and uses pcAnywhere software installed there, malicious code may be installed in the voting machine, the election may be interrupted or the result may be tampered with There is also.

by Blake Connally

In 2006, it was revealed that hackers stole the source code of pcAnywhere at the same time that ES & S installed pcAnywhere on the election system. It is clear that the source code is useful for finding exploitable security flaws. And when Symantec acknowledged that the source code was stolen in 2012, the unusual situation of " recommending users to invalidate or uninstall software until software security flaws are fixed " Occurred.

In addition, at the same time another security researcher has found a serious vulnerability in pcAnywhere. The vulnerability was to allow an attacker to take control of the system that installed the software without using a password to authenticate himself to the system. A researcher working at a security company Rapid 7 scans the computer that installed pcAnywhere online on the Internet and finds that using a vulnerability it is possible to directly access 150 thousands of terminals without authentication information I will.

It is unknown whether ES & S patched these security flaws. However, ES & S is configured to send modems without e-mail to the modems installed in the election management system in order to use pcAnywhere, so that only election authorities could use it for connection with ES & S is. However, Mr. Widen suspects the possibility that the system used the default password, etc. as the authentication information, and the answer to the question about this is not obtained from ES & S yet.

ES & S has been permitted to install pcAnywhere on the system before 2006, alleging that other voting system makers were acting as well. Douglas Jones, professor of computer science at the University of Iowa, acknowledged that other companies regularly installed remote access software between 2000 and 2006, but Motherboard independently owned Hart When I contacted the voting system makers such as InterCivic and Dominion, they said that they neither had the fact that they installed the remote access software.