Vulnerabilities and remote access software found on US election management systems

In July 2018, Election Systems and Software (ES&S), long the top US manufacturer of voting machines, admitted in a letter to Senator Ron Wyden (D-OR) that it had installed pcAnywhere remote access software and modems on a number of the election management systems it had sold between 2000 and 2006. The admission directly contradicted the company's response to a New York Times article earlier in the year on US voting machines' vulnerability to hacking. ES&S says it stopped installing the software in 2007, after the Election Assistance Commission, which oversees testing and certification of election systems used in the US, barred vendors from installing any software not necessary for voting and tabulation. Symantec, which publishes pcAnywhere, revealed in 2012, after a hacker posted it online, that the source code for part of the remote access program had been stolen in 2006. Also in 2012, security researchers found a vulnerability in pcAnywhere that allowed an attacker to seize control of a system where the software was installed without needing to authenticate. Whether the software on the election management systems, which are used to program the voting machines and tabulate aggregated results, had been updated or patched is unknown, but it's likely that many were not.

Writer: Kim Zetter
Publication: Motherboard, New York Times
Publication date: 2018-07-17; 2018-02-21