Exclusive: For yrs ES&S, top voting machine maker in US, has been saying its vote tabulators and election-management systems are not connected to the internet. That appears not to be true. Researchers say they found what appear to be 35 online. vice.com/en_us/article/…
The systems, spread across 10 states, have been sitting online for months, in some cases yrs. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties—all perennial battleground states in presidential elections.
Some of the systems have been online for a yr and possibly longer. Some disappeared from the internet after the researchers notified an information-sharing group. But at least 19, including one in Florida’s Miami-Dade County they say, were still connected to the internet this wk.
The systems are sitting behind Cisco firewalls, which is how researchers found them. ES&S acknowledged to me that these critical systems are connected to internet-facing firewalls but says this doesn't mean the systems are connected to the internet, because they're not "pingable"
Election officials around the country have long been repeating this assertion--that voting machines and backend election-management systems aren't, and never have been, connected to the internet. Neither is true, say the researchers, who accuse ES&S of misrepresenting the facts.
It's not just that the systems are online -- they're using four-year-old FTP software that hasn't been supported by the software vendor since Jan. 2017. And then there's this 👇
A great and dedicated group of election security experts/researchers worked on this investigation throughout the last year, led by @kskoglund. The group included ten individuals, but all want to remain behind the scenes, so a silent thank you to them.
But a loud shout to the great editorial team at @vice, one of the best I've ever worked with, especially my editor @emanuelmaiberg who stayed up all night in solidarity. @jason_koebler @derektmead @katiedrumm
ES&S tweeted FAQ in response to story I published today. It states that election-management systems are "not permitted" to be connected to internet but it doesn't actually say they aren't. Instead it says they are not "exposed" to the internet, carefully parsing words.
What this means is that the election-management system is connected to the internet, but with the firewall in front of it, it has a veil that prevents anyone from looking it directly in the eye. But it's still there. And you can see it because you can see the veil.
It makes little difference how long election systems are connected to the internet; any connectivity at all opens them to potential attacks. “For a skillful, motivated attacker, it doesn’t matter much if [the system is connected] two minutes or a whole year.
"But for a less skilled fool, less motivated attacker, the fact that they are there for a year, it lowers the bar,” election security expert Harri Hursti told me. “It actually buries the bar under the ground to carry out attacks with less skill.
"[And] you have a way longer time when the hack can be carried out and the evidence of the attacks [hidden]. What you are describing is a bad behavior amplified by sloppiness and complete negligence of security.”
An update for story I published yesterday about critical election systems connected to the internet: 4 systems in Indiana, Tennessee, Nebraska, and Florida are now offline. However, one in Miami-Dade County, Florida, which has 1.4 million registered voters, is still online.
Update from researchers: as of today they only see 3 election system FTPs still online (down from 35). But there's a problem; counties appear to just be turning off FTP and are not actually disconnecting the firewalls that still have backend EMS/tabulators connected to them.