Election Hacking: Voting-Machine Supplier Admits It Used Hackable Software Despite Past Denials

One of the country’s largest voting machine makers has admitted in a letter to a U.S. senator that some of its past election-management systems had remote-access software preinstalled, despite past denials that any of its systems were equipped with such software.

Election Systems and Software (ES&S) told Democratic Senator Ron Wyden of Oregon in an April letter that has now been released, first reported by Vice News and later obtained by Newsweek, that the company provided election equipment with remote connection software to an unspecified number of states from 2000 to 2006.

“Prior to the inception of the [Election Assistance Commission] testing and certification program and the subsequent requirement for hardening and at customer's request, ES&S provided pcAnywhere remote connection software on the [Election-Management System] workstation to a small number of customers between 2000 and 2006,” wrote Tom Burt, ES&S president.

The election-management system is used to count official election results and sometimes to program voting machines. It is not used to cast actual ballots.

Wyden told Vice the decision to sell any voting system with remote-access software, leaving equipment possibly vulnerable to hacking, was “the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

He called on Congress Tuesday to pass a bill that would require paper ballots and audits.

PcAnywhere was the name of the remote-access software made by Symantec, which allowed tech support users to access the equipment remotely from another computer. In 2012, Symantec told all of its customers to disable or to uninstall the software after admitting it had been hacked in 2006, at the same time that ES&S was selling election-management systems with pcAnywhere preinstalled.

In a statement to Newsweek, ES&S said it did not install pcAnywhere software on any device that counted votes, like voting machines. The reason for the remote-access software was for "technical support purposes on county workstations, but this software was not designed to and did not come in contact with any voting machines." 

ES&S would not say how many systems were sold with the software from 2000 to 2006 but stressed the company stopped using it in 2007, after it was prohibited by the Election Assistance Commission.  

In Burt’s letter to Wyden, ES&S said that remote connection software was, at the time, “considered an accepted practice by numerous technology companies, including other voting system manufacturers." 

Voting Machines Voters cast their ballots at voting machines at Shadow Ridge High School on Election Day in Las Vegas, on November 8, 2016. One of the country’s largest voting machine makers has admitted that some of its past election-management systems had remote-access software preinstalled. (Photo by Ethan Miller/Getty Images)

ES&S denied any of its systems were sold with remote-access software after a computer science professor at Carnegie Mellon University discovered in 2011 that the technology was pre-installed on an election-management system that was sold to a Pennsylvania county.

In February, ES&S gave a statement to The New York Times: “None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.”

The company has had several blunders in the past, including exposing the personal information of more than 1.8 million Illinois residents in 2017 and in 2011, when machines were “flipping” votes, meaning a voter would select one candidate but a different one would be selected by the machine, which ES&S blamed on a “calibration error.”

In February, a U.S. official tasked with protecting American elections from hackers said Russians targeted 21 states and successfully penetrated voter registration rolls in several of them prior the 2016 presidential election.