Election Systems and Software, a Nebraska-based voting-machine manufacturer, admitted to installing remote-access software on election management systems sold between 2000 and 2006, Motherboard reports.
ES&S was and remains the top voting-machine manufacturer in the United States. In 2006, for example, more than 60 percent of U.S. ballots were counted on the company's election management systems, which program the voting machines where citizens cast ballots and tabulate results.
In an April letter sent to Senator Ron Wyden (D-Oregon) and obtained by Motherboard, ES&S admitted to installing pcAnywhere, off-the-shelf software that enables remote connection to the machines, on "a small number" of election management systems over the six-year period. While including such software was not unheard of for manufacturers at the time, in 2007, the Election Assistance Commission issued new standards that prohibited the installation of remote-access software in voting systems.
The software was included so that ES&S tech support could access systems to install upgrades or troubleshoot issues, but it also provides a way in for hackers. The pcAnywhere software itself was compromised as far back as 2006, when hackers stole its source code, which can be used to identify and exploit security holes.
It's still unclear how many U.S. counties used ES&S systems with this software, or whether hackers were able to gain access to any election-management systems via this route, but Wyden told Motherboard that including the software was "the worst decision for security short of leaving ballot boxes on a Moscow street corner."