The top voting machine maker admitted in a letter to Sen. Ron Wyden that it installed remote access software on election equipment it shipped starting in 2000.
- Some of the computers used for tabulating votes and programming voting machines that were sold between 2000 and 2006 included a serious vulnerability.
- The computers, offered by the nation's top voting machine maker, shipped with software that could have allowed malicious actors to remotely access and manipulate them.
- Elections Systems & Software, which sold the systems, said it stopped selling machines with the software in 2007 and its customers are no longer using it.
- It's unclear if the flaw was ever exploited, but the software was reportedly still in use on at least one of the systems as late as 2011.
Computers used to tabulate votes and program voting machines in the United States contained a key security vulnerability that could have been used to affect election results.
Some of the election management systems sold by Elections Systems & Software, the top voting machine manufacturer in the country, contained remote-access software, the company admitted in a letter sent to Sen. Ron Wyden, D-Oregon, that came to light Tuesday. Those systems that had the software, which were sold between 2000 and 2006, also had modems that allowed them to connect to the internet.
As its name implies, remote-access software allows people to log in and use computers from afar via the internet. It's inherently vulnerable, because it serves as a kind of direct tunnel to particular computers on the network. Worse, the particular remote-access software ES&S installed — Symantec's pcAnywhere — was later shown to have significant security flaws that could allow malicious actors to compromise computers running it.
"Installing remote-access software and modems on election equipment is the worst decision for security short of leaving ballot boxes on a Moscow street corner," Wyden said in a statement.
Motherboard broke the news about the letter, which ES&S sent to Wyden in April, on Tuesday. Business Insider also obtained a copy of the correspondence.
It's unclear whether anyone ever exploited the vulnerability on the election systems.
In the letter, ES&S said it installed pcAnywhere on the election systems of "a small number of customers" during the six-year time period. It provided the software to allow its technicians to help election administrators troubleshoot problems with the systems, according to Motherboard's report.
pcAnywhere was later found to have serious flaws
But pcAnywhere was later discovered to be seriously flawed. The source code for the program was stolen by hackers in 2006 and was posted online in 2012, a move that could have allowed malicious actors to find and exploit vulnerabilities.
About the same time that the source code was posted online, white-hat security researchers announced they'd discovered a critical vulnerability in pcAnywhere. The vulnerability would have allowed a hacker to take control of a computer running the software without having to enter a password. The flaw was so severe that Symantec initially advised customers to disable or delete the software until it could patch it.
Symantec, which created pcAnywhere, did not respond to a request for comment from Business Insider.
Installing remote-access software was "considered an accepted practice" at the time ES&S sold the election systems, the company said in a statement to Business Insider. The company configured pcAnywhere so that it could only be used to make outbound connections to ES&S and wouldn't allow inbound connections, ES&S said in its letter to Wyden.
However, the company declined to answer a question from Wyden's office about the settings it used to secure communications to the election systems over pcAnywhere, Motherboard reported.
It's unclear when ES&S's customers completely stopped using pcAnywhere
ES&S stopped selling systems with pcAnywhere in 2007 after the Election Assistance Commission, a federal agency tasked with creating standards for voting systems, released a set of guidelines that prohibited the practice, the company said. It did not install pcAnywhere on any of its actual voting machines, and the software "did not come in" contact with those devices, ES&S said in its statement to Business Insider.
"ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today," the company said in the statement.
But it's unclear when the software was removed from all the systems that had it installed. As late as 2011, pcAnywhere was still being used on an ES&S election-management system in Venango County, Pennsylvania, Motherboard reported.
ES&S did not respond to questions from Business Insider about the use of pcAnywhere on that system or about when pcAnywhere was uninstalled from all its customers' systems.
At least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems, Motherboard reported.