July 26, 2018

Public Citizen Calls on Largest Voting Machine Vendor to Stop Selling Machines That Connect to the Internet, Increase Costs to Taxpayers

Modems Make Machines Vulnerable to Hacking and Fail to Meet Federal Standards

WASHINGTON, D.C. – Election Systems and Software (ES&S) must stop selling vote counting machines with modems because they make such machines vulnerable to hacking, Public Citizen said today in a letter (PDF) to the Nebraska-based company. In addition, Public Citizen called on the company to remove remote access software from machines it already has sold.

“ES&S has made American democracy even more vulnerable to a growing and unprecedented threat of hacking by entities both foreign and domestic,” said Aquene Freechild, Democracy Is For People Campaign co-director. “Instead of apologizing and addressing concerns from the intelligence community, Congress, election officials and concerned citizens, ES&S is selling voting machines with modems to connect them to the internet.”

On its website, the company advertises modems as a key feature of its popular DS200 ballot scanners. But in fact, the modems are an optional add-on, and with them the machines do not meet U.S. Election Assistance Commission guidelines. In addition to being a security risk, the modems aren’t cheap, costing $249 apiece according to an ES&S contract with Michigan counties (PDF) from 2017. Some counties buy hundreds of these machines at a time, and these charges are paid for by taxpayers.

ES&S is the largest voting system vendor in the U.S. market and provides voting systems for 43.8 percent of U.S. voters, according to a 2017 report (PDF) by the Wharton School of Business.

A second concern is that some ES&S machines contain software that enables technicians to access the machines remotely. According to a Motherboard article, ES&S admitted in a letter to U.S. Sen. Ron Wyden (D-Ore.) that it installed the remote access software pcAnywhere in machines sold between 2000 and 2007, although the company said it has not done so since 2008.

Allowing remote access also makes the machines vulnerable to hacking in general, as the pcAnywhere software contains flaws that could allow unauthorized actors to take control of the machines. The source code for pcAnywhere was stolen by hackers in 2006 and posted online in 2012, leading the software developer to call on users to uninstall pcAnywhere while a patch was developed. Such hacks illustrate the danger of creating remote access “back doors” in voting systems. For that reason, Public Citizen is calling on ES&S to remove the software from every voting system still in use. If removing the software is not possible, the company should compensate election officials who may need to purchase new machines without this security vulnerability.

Public Citizen sent the letter to elections officials in all 50 states, calling on them to ensure their voting machines do not have modems or remote access software installed, especially after foreign actors took a documented interest in U.S. voting machines during the 2016 elections.

Why Modems Pose a Security Risk
Modems provide a connection to the internet and cell networks that make voting machines more vulnerable to hacking. A common talking point in defense of current voting systems is that they are “air-gapped,” which means that the machines are not connected to the internet, cell networks or other machines, and thus less vulnerable to cyberattacks from those sources.

Rhode Island officials using the DS200s with modems claim the modems are active only for a minute at the end of the evening when reporting the vote totals, and that the reported totals are unofficial. The problem is that very little time is needed to breach the modem, and malware, once installed, could impact vote totals in future elections. Further, it is reasonable to assume that, at least in some cases, the modems are activated during pre-election testing or poll worker training. As with other types of hacks, intelligently designed malware can be difficult to detect.

The New York Times Magazine reported on the problem of modems in voting machines in February, describing how a hacker could access vote tabulating machines via a device called a Stingray or by hacking the phone routing network. A hacker could fool the modems into communicating with the hacker as if they were an authorized network, allowing the hacker to install malware that could change current or future election results.

Even so-called “air-gapped” voting machines are vulnerable to hacking. Such machines still must be programmed before each election. Bugs and hacks can be introduced to the machines through the vendor and by maintenance staff through the programming process. As a result, a breach of the vendor electronically or by staff could result in malware being installed on air-gapped voting machines. Checking the machine vote count by doing a rigorous post-election audit is the best way to detect any problems with the count and to recover from an attack.

Voting Machines With Modems Lack Federal Certification
Many states rely on U.S. Election Assistance Commission (EAC) guidelines when they certify systems for local use. ES&S doesn’t hide that its DS200 scanner includes a modem. On one page of its website, the company lists the “modem” as the first asset of the scanner for reporting election results from the polling location.

But election officials may not be aware that the DS200 is not federally certified if it includes a modem or other connectivity equipment. Another page on the ES&S website claims that the DS200 with the modem feature is “fully compliant with the usability, accessibility, and security enhancements found in the [U.S. Election Assistance Commission Guidelines known as] 2005 Voluntary Voting Systems Guidelines.” But bidding documents issued by the company illustrate that the internet connectivity components are not EAC certified. Federal certification is not required by all states, but EAC guidelines serve as an important quality floor for election officials and vendors, helping to determine what minimum features should be required in new voting systems.

Insecure Technology at High Prices
In addition to posing a security threat, the modems add significant cost to the voting systems. ES&S quoted Michigan (PDF) a price of $249 per modem in 2017, and a single county needed 391—for a total cost of $97,359 for only that county. Public officials should beware of spending taxpayer dollars on this insecure technology.

Some states, like New York and California, modified their contracts to block modems from being installed in their DS200 scanners. But other states, including Minnesota, Wisconsin, Rhode Island and Michigan, have at least some counties with modems in place. According to news reports, the second largest voting machine company, Dominion Voting Systems, has also sold ballot scanners with wireless connectivity. In 2015, Maryland contracted to buy DS200s; although the contract originally included modems, the state revised its contract to exclude them, saving taxpayers $1.3 million (PDF).

The public may be shocked that election officials allow modems in voting machines given prominent hacking attacks in recent elections. McClatchy reported that ES&S maintains an “advisory board” of election officials, some of whom reportedly accepted trips to Las Vegas, lodging and meals from the corporation.

A Troubled History
ES&S has run into trouble for connecting voting machines to the internet and installing remote access software in them. Earlier this year, U.S. Sen. Ron Wyden (D-Ore.) sent a letter (PDF) to ES&S inquiring about the firm’s security practices.

ES&S initially did not answer Wyden’s detailed questions about security. In response to a question from the New York Times in spring 2018, the company denied any knowledge that its voting systems were ever sold with remote-access software, although in 2006 and 2011 remote access software was discovered in ES&S vote tabulating systems. In its initial response (PDF) to Wyden, ES&S implied that all its voting systems follow federal security guidelines, even though modems or remote access software make these systems noncompliant. But on July 17, 2018, a journalist obtained another response from ES&S to Wyden, in which it admitted that the company did in fact knowingly install remote access software in its machines between 2000 and 2007. It’s unclear if the company plans to remove or disable pcAnywhere software in machines already in use.

Last March, Sens. Amy Klobuchar (D-Minn.) and Jeanne Shaheen (D-N.H.) sent a letter to the country’s three largest voting system vendors – ES&S, Dominion Voting Systems and Hart Intercivic – asking whether the corporations have to share the source code for their voting systems with the Russian government for regulatory review. Some software companies have been asked to share their source code with Russian authorities in order to gain access to the Russian market.

One of the biggest concerns is that the vendors or maintenance staff who typically have access to the machines could be compromised. A Florida-based election system contractor was hacked before the 2016 election.

Reuse of passwords is also a likely concern for voting machine vendors and election administrators. Hacks of large sites like LinkedIn have swept up passwords used by dozens of ES&S employees, which could be used to access work machines.

Other vendors have used easily guessable passwords such as ‘abcde’ and ‘admin,’ or posted the firewall configurations and password of their voting system online.

The Election Security Crisis
There is consensus within Congress, the U.S. intelligence community and the election security community that U.S. elections remain vulnerable to hacks and computer error. Yet too little has changed in many states and counties. Some states and counties are doing everything they can with the funding available but need more money. Other states and counties have changed little since before the 2016 election.

The hacks of Yahoo, LinkedIn, and Experian – which sometimes went undetected for years – illustrate that corporate entities with enormous security budgets remain vulnerable. Local governments running elections have far fewer resources available to protect voter data and voting systems.

Recovery Remains Critical
The election security advocacy community has been focused on critical tools for recovery in case of a hack – paper ballots, audits to check the paper against the machine count and recovery systems, should the voter rolls be hacked. Recovery systems are critical because no system is perfectly secure. Although audits of paper ballots would expose any mismatch between machine tallies and the votes on paper, allowing election administrators to find both computer errors and hacks, only a handful of states conduct rigorous post-election audits.

Local election officials run America’s elections in most states, receiving help from state election officials and sometimes the federal government at their discretion. Members of Congress and the intelligence and election security communities are raising concerns that stronger preventative measures to protect voting systems need to be taken ahead of the 2018 general election.

The last thing we need to be doing is making voting systems less secure by purchasing new voting systems that have hackable modems in them.

###