Voting back door reveals risks of dev/sec/ops fiefdoms

The biggest voting-machine vendor in the US admits some of its machines were remotely controllable. Wait, what?

ES&S’s election-management systems sold between 2000 and 2006 might have secretly contained a copy of pcAnywhere, a buggy remote-control app. This is fine.

So a back door, essentially. In this week’s Security Blogwatch, we hang our chads in shame.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hyperdeterminants 

State of Security Operations 2018

ES&S spills to Senate

What’s the craic? Kim Zetter brings us Top Voting Machine Vendor Admits It Installed Remote-Access Software:

The nation's top voting machine maker has admitted … to a federal lawmaker that the company installed remote-access software on election-management systems. [It is] raising questions about the security of those systems and the integrity of elections that were conducted with them.

Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them. [But] in February … a spokesperson said ES&S had never installed pcAnywhere on any election system.

It’s not clear why the company changed its response between February and April. … And a statement made to lawmakers that is later proven false can have greater consequence … than one made to reporters.

The company's machines were used statewide in a number of states. … At least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S … systems.

Election-management systems are not the voting terminals that voters use … but are just as critical: they sit in county election offices and contain software … used to program all the voting machines. … The systems also tabulate final results.

Sen. Ron Wyden (D-OR) [said] that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

So Shaun Nichols looks sheepish—US voting systems (in Oregon) potentially could be hacked (11 years ago) by anybody (in tech support):

A US voting machine manufacturer has admitted some of its systems sold in the early 2000s had a remote access tool installed. … PCAnywhere is not exactly bulletproof when it comes to security. In 2012 hackers revealed they had stolen the source code for PCAnywhere back in 2006.

ES&S has sent us the following statement: “Between 2000 and 2006, ES&S provided pcAnywhere remote connection software to a small number of customers for technical support purposes on county workstations, but this software was not designed to and did not come in contact with any voting machines.”

But why does it matter? Joe Uchill and Shannon Vavra cut to the chase:

Remote access meant those systems, which, among other tasks, have tabulated votes from voting machines, could have hypothetically been manipulated by a hacker.

Still, Michael Waters runs with U.S. voting machines were vulnerable to remote hacking for six years:

There is one rule voting machine makers swear by: do not connect to the internet. But according to [Zetter] … Election Systems and Software, allowed “a small number of customers” — presumably company technicians — to remotely log in to its voting machines from 2000 to 2006, … calling into question the company’s honesty, knowledge, or all of the above.

Voting machines are supposed to be “air-gapped.” … As Princeton's Center for Information Technology Policy has previously noted, all voting machines are potentially hackable because of the way that ballot information is entered into the machines.

For the country’s top voting machine maker to have had such a glaring vulnerability for six years will only fuel more current election-hacking nightmares.

And Sean Lyngaas emits Voting machine vendor says it installed remote software:

The revelation could be a teachable moment as state and local election officials work to shore up their voting infrastructure security for the 2018 midterm elections.

ES&S did not respond to [my] questions on why only a small number of its customers installed the remote access software, and on what security support the company offered its customers during that time. The company said simply that it employs “the most advanced security.”

Time for an overseas viewpoint? Stuart Maddison counters

This is exactly why Australian Governments and its citizens are opposed to electronic voting systems and continue to use paper ballots. Voter fraud in Australia is virtually non-existent but then for Federal elections we have a single truly independent electoral commission where the commissioner is a bipartisan appointed position, not this nonsense of elected officials, with nationally consistent electoral rules and ballot papers.

Electronic voting machines are a solution searching for a problem.

But how did we get here? Ask DavGreg:

In the aftermath of the 2000 Presidential Election, the Congress passed the Help America Vote Act (HAVA) and granted states truckloads of money to up date the equipment used to tabulate election results. As they say, the road to hell is paved with good intentions.

A small number of companies sold overpriced Windows based computers to be used in voting. They required EULAs that forbade security audits.

So you ended up with highly insecure closed Windows based voting systems that were not available for independent security audits. … What is even worse is that some of these creaky old machines … running on ancient versions of Microsoft Windows, are still in use. This simply should not be.

Since the HAVA machines were in place, there has been a high level of inconsistency between exit polling and reported computer tabulation. … All of these machines should be thrown in the trash.

Meanwhile, Brian Krebs recycles the tale:

Largest voting machine manufacturer … still stonewalling lawmakers seeking answers about the security of these systems.

Can't wait for election hacking village at DEFCON.

The moral of the story? This is what happens when you don’t centralize or at least coordinate Dev, Ops, Security, etc.

And finally …

The Cayley Expansion

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mrs. Gemstone (cc:by-sa)

Topics: Security