In 75 years the U.S. government will issue the real report about the Russian hacking that put Donald Trump in the White House-- and Facebook was just a small part of it. Voting machines weren't. No, they were a big part of it, almost all of it-- in key precincts in Wisconsin, Pennsylvania and Michigan, perhaps Florida, Ohio and Iowa as well. So let's re-assemble in 2091 and go through the nuts and bolts of the stolen election no government could ever release today without completely undermining our democracy-- a Putin goal-- and which a new Ipsos poll shows just half of Americans (51%) believe is based on fair elections. They sense something is rotten in the state of Denmark Waukesha, but they don't know what it is.
I was telling this to a friend yesterday and he insisted that voting machines can't be hacked. He's a smart guy, a school teacher who pays attention and follows the news closely. So how come he didn't know? Do you know? Voting machines are very hackable. People-- including really smart people-- don't understand that so-called voting machines "not connected to the internet" can certainly be hacked-- and have been, over and over again.
It's been written about many times but never enough times, because people seem impervious to it. This week, Kim Zetter explained it for Motherboard readers. "Remote-access software and modems on election equipment," wrote Zetter, "'is the worst decision for security short of leaving ballot boxes on a Moscow street corner.'" Election Systems and Software, the nation's top voting machine maker, admitted in a letter to Senator Ron Wyden (D-OR) that "the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them." Previously ES&S had vigorously denied they had done that.
This was the old line-- as told to the NY Times in February: "None of the employees… including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software."
ES&S did not respond on Monday to questions from Motherboard, and it’s not clear why the company changed its response between February and April. Lawmakers, however, have subpoena powers that can compel a company to hand over documents or provide sworn testimony on a matter lawmakers are investigating, and a statement made to lawmakers that is later proven false can have greater consequence for a company than one made to reporters.
Election-management systems are not the voting terminals that voters use to cast their ballots, but are just as critical: they sit in county election offices and contain software that in some counties is used to program all the voting machines used in the county; the systems also tabulate final results aggregated from voting machines.
If I were a GRU officer with an unlimited budget and an order to make sure Donald Trump wins the election, election-management systems are exactly what I would hack into-- especially in key flippable counties in states like... oh, let's say Wisconsin, Pennsylvania and Michigan, perhaps Florida, Ohio and Iowa.
Software like pcAnywhere is used by system administrators to access and control systems from a remote location to conduct maintenance or upgrade or alter software. But election-management systems and voting machines are supposed to be air-gapped for security reasons—that is, disconnected from the internet and from any other systems that are connected to the internet. ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.
In May 2006 in Allegheny County, Pennsylvania, ES&S technicians used the pcAnywhere software installed on that county's election-management system for hours trying to reconcile vote discrepancies in a local election, according to a report filed at the time. And in a contract with Michigan, which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and modems for this purpose.
"In some cases, the Technical Support representative accesses the customer’s system through PCAnywhere—off-the-shelf software which allows immediate access to the customer’s data and network system from a remote location—to gain insight into the issue and offer precise solutions," ES&S wrote in a June 2007 addendum to the contract. "ES&S technicians can use PCAnywhere to view a client computer, assess the exact situation that caused a software issue and to view data files."
Motherboard asked a Michigan spokesman if any officials in his state ever installed the pcAnywhere software that ES&S recommended they install, but got no response.
The presence of such software makes a system more vulnerable to attack from hackers, especially if the remote-access software itself contains security vulnerabilities.
If an attacker can gain remote access to an election-management system through the modem and take control of it using the pcAnywhere software installed on it, he can introduce malicious code that gets passed to voting machines to disrupt an election or alter results.
Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”
In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier. Source code is invaluable to hackers because it allows them to examine the code to find security flaws they can exploit. When Symantec admitted to the theft in 2012, it took the unprecedented step of warning users to disable or uninstall the software until it could make sure that any security flaws in the software had been patched.
Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.
And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.
It’s not clear if election officials who had pcAnywhere installed on their systems, ever patched this and other security flaws that were in the software.
“[I]t's very unlikely that jurisdictions that had to use this software … updated it very often,” says Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, “meaning it's likely that a non-trivial number of them were exposed to some of the flaws found both in terms of configuration ... but also flaws that were found when the source code to that software was stolen in 2006.”
ES&S said in its letter to Wyden that the modems it installed on its election-management systems for use with pcAnywhere were configured only to dial out, not receive calls, so that only election officials could initiate connections with ES&S. But when Wyden's office asked in a letter to ES&S in March what settings were used to secure the communications, whether the system used hard-coded or default passwords and whether ES&S or anyone else had conducted a security audit around the use of pcAnywhere to ensure that the communication was done in a secure manner, the company did not provide responses to any of these questions.
Even if ES&S and its customers configured their remote connections to ES&S in a secure manner, the recent US indictments against Russian state hackers who tried to interfere in the 2016 presidential elections, show that they targeted companies in the US that make software for the administration of elections.
An attacker would only have had to hack ES&S and then use its network to slip into a county's election-management system when the two systems made a remote connection.
In its letter to Wyden, ES&S defended its installation of pcAnywhere, saying that during the time it installed the software on customer machines prior to 2006, this was "considered an accepted practice by numerous technology companies, including other voting system manufacturers."
Motherboard contacted two of the top vendors-- Hart InterCivic and Dominion—to verify this, but neither responded. However, Douglas Jones, professor of computer science at the University of Iowa and a longtime expert on voting machines confirmed that other companies did routinely install remote-access software during this period.
“Certainly, [Diebold Election Systems] did the same, and I'd assume the others did too,” he told Motherboard. “In the case of [Diebold], many of their contracts with customers included the requirement of a remote-login port allowing [the company] to have remote access to the customer system in order to allow customer support.”
He notes that election officials who purchased the systems likely were not aware of the potential risks they were taking in allowing this and didn’t understand the threat landscape to make intelligent decisions about installing such software.
All of this raises questions about how many counties across the US had remote-access software installed-- in addition to ES&S customers-- and whether intruders had ever leveraged it to subvert elections.
Although Wyden's office asked ES&S to identify which of its customers were sold systems with pcAnywhere installed, the company did not respond.
ES&S would only say that it had confirmed with customers who had the software installed that they "no longer have this application installed."
The company didn't respond to questions from Motherboard asking when these customers removed the software-- whether ES&S had instructed them to do so back in 2007 when the company says it stopped installing the software on new systems it sold or whether it had only recently told customers to remove it following concerns raised in the 2016 presidential elections that Russian hackers were targeting election networks in the US. As late as 2011 pcAnywhere was still being used on at least one ES&S customer's election-management system in Venango County, Pennsylvania.
ES&S wrote in its letter to Wyden that it would be willing to meet privately in his office to discuss election security. But when the company was asked to attend a hearing on election security last week before the Senate Committee on Rules and Administration, ES&S declined to send anyone to answer Senate questions.
Like I said... meet you in 75 years when they open the files. Drinks are on me.