The top U.S. voting machine vendor admitted earlier this year to having installed remote-access software containing a key security flaw on election-management systems during a six-year time period, leaving those systems vulnerable to cyberattacks, Motherboard reported.
In a letter sent to Senator Ron Wyden (D-OR) in April and recently obtained by Motherboard, Election Systems and Software (ES&S) acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them. It provided the software to allow its technicians to help election administrators troubleshoot problems with the systems, according to Motherboard’s report. In those years, ES&S was one of the top voting machine makers in the United States.
Motherboard noted that this contradicted what ES&S had previously told the reporter and fact checkers in response to questions about its voting machines for a New York Times story back in February, when the company claimed that “none of the employees … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.” Motherboard also offered this hypothesis as to why the company’s answer evolved between February and April:
ES&S did not respond on Monday to questions from Motherboard, and it’s not clear why the company changed its response between February and April. Lawmakers, however, have subpoena powers that can compel a company to hand over documents or provide sworn testimony on a matter lawmakers are investigating, and a statement made to lawmakers that is later proven false can have greater consequence for a company than one made to reporters.
But pcAnywhere was later discovered to be seriously flawed. The source code for the program was stolen by hackers in 2006 and was posted online in 2012, a move that could have allowed malicious actors to find and exploit vulnerabilities.
About the same time that the source code was posted online, white-hat security researchers announced they’d discovered a critical vulnerability in pcAnywhere. The vulnerability would have allowed a hacker to take control of a computer running the software without having to enter a password. The flaw was so severe that Symantec, the creator of pcAnywhere, initially advised customers to disable or delete the software until it could patch it.
Installing remote-access software was “considered an accepted practice” at the time ES&S sold the election systems, the company said in a statement to Business Insider. The company specifically configured pcAnywhere so that it could only be used to make outbound connections to ES&S and wouldn’t allow inbound connections, ES&S claimed in its letter to Wyden.
However, the company declined to answer a question from Wyden’s office about the settings it used to secure communications to the election systems over pcAnywhere, Motherboard reported.
It’s unclear when ES&S’s customers completely phased out the use of pcAnywhere. ES&S stopped selling systems with pcAnywhere in 2007 after the Election Assistance Commission, a federal agency tasked with creating standards for voting systems, released a set of guidelines that prohibited the practice, the company said. It did not install pcAnywhere on any of its actual voting machines, and the software “did not come in” contact with those devices, ES&S said in its statement to Business Insider.
“ES&S discontinued providing pcAnywhere over a decade ago, and no ES&S customer is using it today,” the company said in the statement.
But it’s unclear when the software was removed from all the systems that had it installed. As late as 2011, pcAnywhere was still being used on an ES&S election-management system in Venango County, Pennsylvania, Motherboard reported.
It’s also unclear whether anyone ever exploited the vulnerability on the election systems.