dChan
Anonymous ID: 67a813 Nov. 12, 2020, 10:35 a.m. No.11611361   🗄️.is 🔗kun   >>1418 >>1430 >>1558 >>1821

Internet-Connected Election Systems Found in 10 U.S. States

 

August 22, 2019

 

There has been much talk in the media about interference in United States presidential elections, but most of it has centered around the use of media and disinformation to influence votes. There is a widespread assumption that the voting machines themselves are safe from hacking; though many are electronic, these election systems are not supposed to be connected to the internet.

 

A new report from Vice’s Motherboard indicates that these systems are not nearly as secure as anyone thought they were, including election officials. Researchers told Motherboard that a particular type of election system that is only supposed to connect to the internet for several minutes to transfer votes has been found to sometimes stay connected for months, and in some cases these machines were constantly connected and were exposed for at least a year.

 

Which election systems are vulnerable?

 

The election systems found to be vulnerable are made by a specific manufacturer: Election Systems & Software (ESS). ESS is the largest voting systems company in the country, with at least 260,000 machines in place in 21 states including in some swing states. Security researchers found backend systems that were connected to the internet when they were not supposed to be, distributed across a number of states including the key “battleground” centers of Florida, Michigan and Wisconsin.

 

Researchers found 35 systems in 10 states have been confirmed at this point to have been connected to the internet when they were not supposed to be. 19 were still online when the Vice article went to press.

 

This isn’t the first time ESS has made the news for a voting system vulnerability. In early 2018, it was discovered that the company had installed remote access software on election management systems for troubleshooting purposes yet had denied to the media they had ever done so.

 

How vulnerable are these election systems?

 

As with most electronic election systems, votes are stored on a local memory card that is meant to be removed by poll workers after the polls close and brought to the county election office for counting. Some counties opt to transmit these votes electronically to get their results in faster, however.

 

To transmit the votes, these systems are supposed to only briefly connect to the internet two times – once before the polls open to verify that the connection is working, and then again after the polls close to transmit the votes. In both cases, these election systems should be connected to the internet for no more than a few minutes to perform these functions.

 

Some of the 35 systems identified by the researchers had been connected to the internet for months, and others appeared to simply be online all the time. These systems are protected by a firewall, but that firewall is only meant to be guarding transmission for a few minutes at a time. With enough time to work on it, hackers could very well breach the firewall and alter election results.

 

The fact that the backend systems remain connected to the internet is critical. This allows hackers full access to the tabulation of votes from the memory cards installed in the machines and the reporting of the final results. With a lower level of access, hackers might only be able to change the unofficial count to sow unrest in the population. With full access to the backend system, hackers could change the official count or distribute malware to voting systems.

 

The potential for this sort of vulnerability has been known for some time, but ESS has assured election officials that their backend systems are “air gapped” from the internet. The findings of the security researchers contradict that statement. The system appears to rely entirely on the firewall to keep hackers out of the backend while online. If the firewall is breached, the hackers have access.

 

ESS insists that its election systems are not vulnerable, responding to Motherboard with a public statement. There are currently no reports or evidence of hacking of any of these election systems, but the fact that the vulnerability exists in the top voting machine company is worrying enough.

Who discovered the vulnerability?

 

The internet-connected systems were discovered by security researcher Kevin Skoglund, an independent web developer and election integrity advocate, along with a group of election security professionals.

 

https://www.cpomagazine.com/cyber-security/internet-connected-election-systems-found-in-10-u-s-states/

Anonymous ID: 67a813 Nov. 12, 2020, 10:40 a.m. No.11611418   🗄️.is 🔗kun

>>11611361

 

Closing the security hole

 

Can this vulnerability be addressed before the polls open in 2020? Can Americans feel confident in the integrity of their elections? Usman Rahim, Digital Security and Operations Manager for The Media Trust, had this to say:

 

“Our digital elections system doesn’t have a single point of failure—it has many – largely because the system appears to have been designed without prioritizing security and privacy. What’s most disturbing is that even as vendors claim the system isn’t connected to the internet, they provide documents that show otherwise. In addition, there’s the potential for configuration problems—an all too frequent error–USB drives infected with malware, brute force attacks to get around passwords, firewalls with unpatched software, outdated server software, no oversight of how well vendors install the system, configuration for transmitting election results not certified by Election Assistance Commission (EAC) although one wonders what good that would do if they don’t have cybersecurity experts to alert them when something’s afoot. Another significant problem is that state and local governments suffer from chronic budget cuts that prevent it from putting more stringent security measures in place and thoroughly vetting machines before putting them to use and in so doing, exposing these systems—not to mention voters–to sustained attacks from bad actors and nation-state adversaries.”

 

These ESS systems do not have to be connected to the internet; it is up to each individual county to decide if they want to use that feature. Ideally, transmissions of vote totals would be done directly with a modem connection rather than over the internet – a feature that some election security experts had been claiming was in place when it was not.

Anonymous ID: 67a813 Nov. 12, 2020, 10:45 a.m. No.11611483   🗄️.is 🔗kun   >>1639

Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials

 

August 8, 2019

 

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked.

 

But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties—all states that are perennial battlegrounds in presidential elections.

 

Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard.

 

The researchers and Motherboard have been able to verify that at least some of the systems in Wisconsin, Rhode Island, and Florida are in fact election systems. The rest are still unconfirmed, but the fact that some of them appeared to quickly drop offline after the researchers reported them suggests their findings are on the mark.

 

“We … discovered that at least some jurisdictions were not aware that their systems were online,” said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics with expertise in election security. Skoglund is also part of an advisory group, not associated with the research, that is working with the National Institute of Standards and Technology to develop new cybersecurity standards for voting machines. “In some cases, [the vendor was] in charge [of installing the systems] and there was no oversight. Election officials were publicly saying that their systems were never connected to the internet because they didn't know differently."

 

The systems the researchers found are made by Election Systems & Software, the top voting machine company in the country. They are used to receive encrypted vote totals transmitted via modem from ES&S voting machines on election night, in order to get rapid results that media use to call races, even though the results aren’t final.

 

Generally, votes are stored on memory cards inside the voting machines at polling places. After an election, poll workers remove these and drive them to county election offices. But some counties want to get their results faster, so they use wireless modems, either embedded in the voting machines or externally connected to them, to transmit the votes electronically. The system that receives these votes, called an SFTP server, is connected to the internet behind a Cisco firewall.

 

For security reasons, the SFTP server and firewall are only supposed to be connected to the internet for a couple of minutes before an election to test the transmission, and then for long enough after an election to transmit the votes. But the researchers found some of the systems connected to the internet for months at a time, and year-round for others, making them vulnerable to hackers.

 

Hacking the firewall and SFTP server would allow an attacker to potentially intercept the results as they’re transmitted and send fake results to the FTP server, depending on how securely the ES&S system authenticates the data. Although the election results that are transmitted via modem are unofficial—official votes are taken directly from the voting machine memory cards when they arrive at county offices—a significant discrepancy between the unofficial tallies and the official ones would create mistrust in the election results and confusion about which ones were accurate.

 

But Motherboard has learned that connected to the firewalls are even more critical backend systems—the election-reporting module that tabulates the unofficial votes as well as the official ones, and the election-management system that is used in some counties to program voting machines before elections. The researchers said that gaining access through the firewall to these systems could potentially allow a hacker to alter official election results or subvert the election-management system to distribute malware to voting machines through the USB flash drives that pass between this system and the voting machines.

 

https://www.vice.com/en/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials

Anonymous ID: 67a813 Nov. 12, 2020, 11:19 a.m. No.11611971   🗄️.is 🔗kun

why is Arizona still counting ballots???

 

Here's what Katie Hobbs said prior to the election:

 

Is there anything new or different that the state has to put in place to ensure the security of what’s expected to be an increased volume of mail-in ballots?

 

Hobbs: Fortunately, Arizona is in a really great position around mail-in ballots, because 80 percent of our voters already utilize that as their method of voting. We have the infrastructure. We have had no-excuse absentee voting for decades in our state. So, the infrastructure is there, and there’s not a lot that we have to do in terms of ramping up our counties. We’re already prepared to handle additional mail-in ballots.

 

Q&A: How Arizona’s Katie Hobbs Is Tackling 2020 Election Security

 

Could you characterize how your relationship is with places like the Cybersecurity and Infrastructure Security Agency at DHS? What work do you do together?

 

Hobbs: I think one of the things I was focused on when I got here was really just making sure that we had those lines of communication open and we kept the election security officer on board who was with the previous administration, and he had a lot of those relationships already established. And I have security clearance, so I’m at the table when they’re doing security briefings, and those are normally held with DHS, FBI and the state authorities as well. We have the Arizona Counter Terrorism Information Center.

 

All of the coordinating agencies are there at the table when we’re doing those security briefings. I mentioned the security calls we do with the counties and I believe CISA is on those calls. And then we’re also doing, leading up to the election, bi-weekly calls with all of our federal partners, just to keep abreast of the landscape and what we’re working on and potential problems that we’re anticipating.

 

https://statetechmagazine.com/article/2020/09/qa-how-arizonas-katie-hobbs-tackling-2020-election-security