US voting systems (in Oregon) potentially could be hacked (11 years ago) by anybody (in tech support)
ES&S admits a handful of systems were shipped with PCAnywhere tool
A US voting machine manufacturer has admitted some of its systems sold in the early 2000s had a remote access tool installed.
In a letter (PDF) sent to Senator Ron Wyden (D-OR) in April, and revealed today, voting systems vendor ES&S said that, from 2000-2006, a handful of machines it sold to local governments in Wyden's home state included a specially-configured copy of PCAnywhere, a remote access tool used for tech support.
The software was not in the voting machines themselves, but rather in the election management system (EMS) terminals used to manage the voting machines, for tasks such as configuring scanning equipment or formatting ballots. Those systems, said ES&S, were configured so that only the customer could initiate a link-up with its support staff, as a last resort for troubleshooting.
The use of the PCAnywhere machines was stopped in 2007, when the US Election Assistance Commission (EAC) adopted guidelines that require all election management terminals be air-gapped.
"It is also critical to understand that this remote connection support model was never used, nor was it ever possible to be used, on any voting devices (tabulators and/or ballot marking devices), as voting devices do not contain the required operating system or remote connection software necessary to enable a remote connection," the vendor tells Wyden.
"To be clear, ES&S never installed remote connection software on any vote tabulation device it has ever delivered to a customer, nor has it ever been possible to do so - either before or after the creation of the EAC."
However, as cybersecurity journalist and author Kim Zetter, who was first to get hold of the letter from ES&S, noted today, PCAnywhere is not exactly bulletproof when it comes to security. In 2012 hackers revealed they had stolen the source code for PCAnywhere back in 2006, prompting Symantec to advise customers to disable some older versions of the software.
The report also calls ES&S' credibility into question, noting that in a New York Times piece earlier this year, ES&S is quoted as saying nobody at the company had "any knowledge that our voting systems have ever been sold with remote-access software."
ES&S did not return a request for comment on the matter. ®
Updated to add
ES&S has sent us the following statement:
ES&S has never installed remote connection software on any vote tabulation device it has ever delivered to a customer—nor has it ever been possible to do so. Between 2000 and 2006, ES&S provided pcAnywhere remote connection software to a small number of customers for technical support purposes on county workstations, but this software was not designed to and did not come in contact with any voting machines.