Side Note

U.S. voting machines were vulnerable to remote hacking for six years

There is one rule voting machine makers swear by: do not connect to the internet. But according to a report from Motherboard Tuesday, the largest voting machine maker in the U.S., Election Systems and Software, allowed “a small number of customers” — presumably company technicians — to remotely log in to its voting machines from 2000 to 2006. That reveal comes a few months after the company denied to The New York Times ever allowing remote access, calling into question the company’s honesty, knowledge, or all of the above regarding the vulnerability of its machines.

Voting machines are supposed to be “air-gapped,” or blocked from both the internet and other technologies that may be connected to the internet, because web access creates an easy backdoor for a potential hacker.

Motherboard reported that the remote-access technology used by ES&S, known as pcAnywhere, had a vulnerability that could have allowed a hacker to access the system on which pcAnywhere was installed — say, a voting machine.

As Princeton's Center for Information Technology Policy has previously noted, all voting machines are potentially hackable because of the way that ballot information is entered into the machines. A direct connection to the internet — or to a separate machine that is connected to the internet — is not the only metric of risk. But for the country’s top voting machine maker to have had such a glaring vulnerability for six years will only fuel more current election-hacking nightmares.

ES&S no longer uses pcAnywhere on its systems, but in 2006, when pcAnwyhere was still installed, roughly 60 percent of all U.S. ballots were cast through a ES&S machine. Though investigators have not found evidence of a hack during that period, Pennsylvania residents have complained that ES&S machines “flipped” their votes — when they tried to vote for one candidate, the machine instead selected another.