Election Systems & Software, the top voting machine company in the U.S. insists that its election systems are never connected to the internet. But researchers found 35 of the systems have been connected to the internet for months and possibly years
Kim Zetter for Vice Motherboard:
“We… discovered that at least some jurisdictions were not aware that their systems were online,” said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security. Skoglund is also part of an advisory group, not associated with the research, that is working with the National Institute of Standards and Technology to develop new cybersecurity standards for voting machines. “In some cases, [the vendor was] in charge [of installing the systems] and there was no oversight. Election officials were publicly saying that their systems were never connected to the internet because they didn’t know differently.”
Hacking the firewall and SFTP server would allow an attacker to potentially intercept the results as they’re transmitted and send fake results to the FTP server, depending on how securely the ES&S system authenticates the data. Although the election results that are transmitted via modem are unofficial—official votes are taken directly from the voting machine memory cards when they arrive at county offices — a significant discrepancy between the unofficial tallies and the official ones would create mistrust in the election results and confusion about which ones were accurate.
But Motherboard has learned that connected to the firewalls are even more critical backend systems — the election-reporting module that tabulates the unofficial votes as well as the official ones, and the election-management system that is used in some counties to program voting machines before elections. The researchers said that gaining access through the firewall to these systems could potentially allow a hacker to alter official election results or subvert the election-management system to distribute malware to voting machines through the USB flash drives that pass between this system and the voting machines.
MacDailyNews Take: Ay yi yi. Let’s get this “system” secured as best as possible before the next elections! None of these machines should be connected to the Internet, ever, to ensure the integrity of election results. As Zetter notes, “misconfigured firewalls are one of the most common ways hackers penetrate supposedly protected systems. The recent massive hack of sensitive Capital One customer data is a prime example of a breach enabled by a poorly configured firewall.”
OMG do folks really not get how important this is. PAPER BALLOTS. Not the ones with the little “punch holes” (hanging chad anyone). Shockingly Oklahoma has often been held up as a great example of how to do elections. We have polling stations that CHECK YOUR ID and make sure you live HERE. We have a paper ballot that basically looks like a “Scantron” like many of used in College or for the SAT. You color in the “bubbles” on the paper ballot feed them into a machine. The machine is NOT connected to any network. The numbers from the machine at the end of the day are taken to the regional election HQ where the results from each machine are uploaded to the master database on a secure network. IF however anyone doubts the results the original ballots by precinct are kept for two years you can always go check all or most likely a subset of the original numbers. Results are usually known by 10:00PM on Election Day. No need to automate this further. System works.
I would add to that: Live video online for any citizen to watch the counting, plus two reporters from different news companies that watch and call in the numbers they see totaled.
That would be enough checks to make it very difficult to change numbers.
“Shockingly Oklahoma”. not a shock, Oklahoma in in the common sense part of the country. Let the flames begin.
I live in Oklahoma and don’t consider it a common sense state. We are continually at the bottom of the list of such trivial things like Education and Health Care. Our University Systems are going through financial disasters: they are cutting staff with no care to the damage done, but the football programs are doing well.
It is hard for me to believe that a State that does so poorly in so many areas can do that well managing elections. Maybe it’s because the GOP almost always wins so there is no need to fiddle with the voting process. Putin’s efforts will be focused on states like Florida where he can make a big difference.
No way. Paper can be contaminated. Voters should use rocks.
Seriously, the problem isn’t digital counting systems. The problem is that the companies who keep selling these glorified ATM machines are hooked up to the internet, and in the interest of appeasing lazy voters, governments keep offering more and more mail voting schemes. That is an inefficient mess. Give all Americans a weeklong voting holiday from July 1-7 every year, full of celebrations and patriotism and public debate all week. Make all voting digital and in person using any polling place on a closed federal voting system. Keep it off the internet. Make it with fully transparent and monitored human interactions, issue receipts to voters. That eliminates huge costs of mailing anything, allows in-person voter identification, and after all is said and done, all votes can be audited with a consistent process — no chads. Anyone could look up the audit – not the original offline count – to see when each person voted.
Or should the USA continue to demonstrate its partisan corrupted technologically pathetic 18th century electoral system?
So, to ‘Moscow’ Mitch and ‘Murderous’ Mitch, we can now add Mendacious’ Mitch…the one man blockade of electoral security improvements and Russian election- interference investigations.
Why is this not of concern?
#kakistocracy
Well, Moscow Mitch claims wanting to secure the election is partisan.
But, anyway, what really amazes me is how one asshole can wield such power in a supposedly democratic system.
Mitch McConnell has to get onboard, or nothing will happen. While the individual states can act, I assume there are more cyber-security experts at the federal level. War is being levied against our most fundamental democratic institution. We don’t expect the states to deal with missile defence or other foreign aggression. Why would we expect the states to be on their own dealing with these new modern threats?
“We are from the federal government and we are here to help you”. uhh……when many government agencies are operating decade old Windows apps? The school system where I work just made the switch off Windows 7, not their fault, many of the federal programs that they are mandated to work with use software that is that old, so they could not at least go up to Windows 10, not that I like it but so many education programs are tied to some form of Windows. We can use Mac and iOS as BYOD, and I do, get excellent support from IT, but there are many education programs and sites that have the federally mandated software.
Alt right doesn’t like anything about anything the government does for them. Then they fly Chinese-made “support our troops” bumper stickers on the back of their imported trucks and hold up “keep government out of my Medicare” signs at their brainwashing rallies and demand that the government “lock up” their political adversaries. Sad but true.