Despite claims by voting machine makers and election officials that election systems are immune to hackers because they’re not connected to the internet, the Election Systems & Software voting systems in 10 states, some of them swing states, were found to be just that – connected, a team of security researchers found.
Systems from the U.S.’s top voting machine vendor, some hooked to the internet for a year or more, can be found in counties in swing states Florida, Michigan and Wisconsin as well as in other states, according to a report from Motherboard.
“We ... discovered that at least some jurisdictions were not aware that their systems were online,” the report cited one of the 10 security researchers, Kevin Skoglund, as saying.
But ES&S Vice President of Software Development and Engineering Gary Weber dismissed concerns. “There’s nothing connected to the firewall that is exposed to the internet,” Weber told Motherboard, noting that the company’s election-management system “is not pingable or addressable from the public internet” so users and bad actors can’t see them.
Skoglund apparently took issue with that claim, saying that if hackers discover the firewall, they can find the connected systems.
“It is not air-gapped. The EMS is connected to the internet but is behind a firewall,” he is quoted as saying, explaining the firewall “is the only thing that segments the EMS from the internet.”
Tim Mackey, principal security strategist CyRC at Synopsis, warned that since “misconfiguration of systems is common in environments ranging from home users to large enterprises” and IT resources at the state and local levels are notoriously tight, “it’s not overly surprising to find misconfiguration in electronic voting systems.”
But “what is worrisome are assertions made by officials regarding how those voting systems operate in their respective districts and what that means for the overall level of IT governance applied to them,” said Mackey. “A report indicating voting systems are connected to state elections networks over any form of unsecured public network should cause a full review in any state using electronic voting machines from any vendor.”
Motivated actors could “just as easily intercept network traffic from a wireline modem as via a WiFi access point and connections made over the public internet reduces the complexity of remote attacks,” he said, urging election officials to take action.
“In light of this report, election officials should launch a review of all computing, network and storage systems used in the electoral process. As part of that review, a detailed audit of current configuration vs. expected configuration should be performed,” said Mackey. “The configuration data should include not only traditional configuration options, but also the patch state for all software regardless of source, and an analysis for all firmware and applications to ensure they don’t embed vulnerable components or have “phone home” mechanisms which could transmit data to third parties.”