Motherboard Magazine reported that Election Systems and Software (ES&S) has admitted that the company installed remote-access software on voting machines prior to the 2016 election. The software was sold “to a small number of customers” between 2000 and 2006. The company didn’t define “a small number” and didn’t explain why only some systems had this feature.
The software was installed in election-management systems rather than the actual voting terminals. The management software is what counties use to program the terminals in the voting booths.
The software, pcAnywhere, allows users to remotely control another computer. This creates a port of entry for hackers to access the system. In 2006, hackers stole the source code for pcAnywhere, which makes it easy for them to discover security vulnerabilities. Symantec, the software’s manufacturer didn’t admit the theft until 2012, at which point it advised users to disable the software.
Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them.
The story states that election officials who bought the systems were not likely to have been aware of the security risks. It also states that users of these systems generally did not update them very often.
As we all know, the 2016 election was determined by razor thin Trump victories in Pennsylvania, Michigan, and Wisconsin.
In May 2006 in Allegheny County, Pennsylvania, ES&S technicians used the pcAnywhere software installed on that county's election-management system for hours trying to reconcile vote discrepancies in a local election, according to a report filed at the time. And in a contract with Michigan, which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and modems for this purpose.
A Michigan official did not respond to a request for comment.
According to the recent indictments against Russian hackers, they targeted makers of election management systems. As the largest such manufacturer, it’s reasonable to assume that ES&S was a prime target.
ES&S defended their practice of using this software by stating that it’s standard practice in the industry. Other vendors were contacted by Motherboard for comment, but they failed to respond.
Of course, there’s no proof that hackers actually accessed and compromised election systems and affected vote tallies. But there’s been a great deal of suspicion that such a thing did occur, and this report makes it that much more likely. With this report, Trump’s legitimacy as president has just taken another hit.