'Online & vulnerable': Experts find nearly three dozen U.S. voting systems connected to internet

"A team of election security experts used a “Google for servers” to challenge claims that voting machines do not connect to the internet and found some did."
nbcnews.com/politics/elect…
"But that is an overstatement, according to a team of 10 independent cybersecurity experts who specialize in voting systems and elections. While the voting machines themselves are not designed to be online, the larger voting systems in many states end up there..."
uhhh...
“We found over 35 [voting systems] had been left online and we’re still continuing to find more,” said Kevin Skoglund, a senior technical advisor at the election security advocacy group National Election Defense Coalition.
"We kept hearing from election officials that voting machines were never on the internet. And we knew that wasn't true..."
"And so we set out to try and find the voting machines to see if we could find them on the internet, and especially the back-end systems that voting machines in the precinct were connecting to to report their results.”
Aug. 8, 2019

“We...discovered that at least some jurisdictions were not aware that their systems were online. In some cases, [the vendor was] in charge [of installing the systems] and there was no oversight.”
vice.com/en_us/article/…
The systems the researchers found are made by ES&S... They are used to receive encrypted vote totals transmitted via modem from ES&S voting machines on election night, in order to get rapid results that media use to call races, even though the results aren’t final.
"Hacking the firewall and SFTP server would allow an attacker to potentially intercept the results as they’re transmitted and send fake results to the FTP server, depending on how securely the ES&S system authenticates the data."
"...connected to the firewalls are even more critical backend systems—the election-reporting module that tabulates the unofficial votes as well as the official ones, and the election-management system that is used in some counties to program voting machines before elections."
"...gaining access thru the firewall to these systems could potentially allow a hacker to alter official election results or subvert the election-mgmt. system to distribute malware to voting machines through the USB flash drives that pass between the system & voting machines."
"It is not air-gapped. The EMS is connected to the internet but is behind a firewall. The firewall configuration [that determines what can go in & out of the firewall]…is the only thing that segments the EMS from the internet.”
And misconfigured firewalls are one of the most common ways hackers penetrate supposedly protected systems.
I AM.
"While no one is suggesting that any of these systems have been manipulated or hacked, the findings highlight how little local & fed officials understand how these...systems are configured & connected and the extent to which they are beholden to what the vendors tell them."
Of course.
"ES&S installs and configures the firewalls for the “majority” of its customers. Counties then take over the maintenance or contract it out to a third party, which may even be ES&S in some cases."
"...discovered that seven of the SFTP servers on the ES&S systems they found are using outdated Cerberus FTP Server 6.0 software that the software maker stopped supporting in January 2017."
"This means that for last 2.5 yrs, the software has not been updated...The current version is 10.0 & despite the fact that it's been available since Nov. 2018, none of the ES&S SFTP servers the researchers found online are running it."
No one has a clue.
"There are more than 33,000 ES&S DS200 optical scan machines with modems in use across eleven states and the District of Columbia. But ES&S [said] it doesn’t know how many of its customers currently transmit results."
THIS!
"What’s not generally known by the public about ES&S election systems is that the company’s entire configuration for transmitting election results—from the modem to the SFTP server—is not certified by the Election Assistance Commission (EAC)..."
"The configs show TCP-IP configuration & ‘SSL Optional,’ making it clear that at least THE VENDORS KNOW their systems are connecting thru the internet, even if election officials do not realize it or cont. to insist...that the systems are not connected to the internet."
oh, ok.
"...led them to 35 connected systems over the last yr, though Skoglund notes that there may actually be more ES&S systems connected to the internet that are not visible to Censys scans, since administrators can configure their connected devices to block automated scans."
Michigan and Florida
"When examining the ownership records for the IP addresses of the connected systems, at least four of them were registered to county governments in Michigan and Florida."
"...found 1 or 2 systems online in Illinois, Indiana, Minnesota, Nebraska, Rhode Island, Tennessee, & Iowa. The Nebraska system...is probably a demo or test system for ES&S, which has its headquarters in Omaha. They also found 2 systems in Canada, where ES&S has field offices..."
"Rhode Island conducts elections from a centralized office at the state Board of Elections, instead of farming out election admin to each county or jurisdiction. The election reporting system the researchers found online, therefore, was the reporting system for the entire state."
FLORIDA.
"One of the most dense states for online election systems was Florida, where researchers found a number of connected systems that they believe belong to Bradford, Charlotte, Flagler, Wakulla, Miami-Dade & Pasco counties, & one other county they’re unable to identify..."
"The researchers didn’t single out ES&S election systems for their hunt. They also attempted to search for connected systems for the other top two voting machine vendors in the country—Dominion Voting Systems and Hart InterCivic."
"But Skoglund said the configuration footprints for these systems are less distinctive than ES&S’s footprint, resulting in the team finding thousands of systems that were clearly not election infrastructure."
"And all of the systems the researchers found share a configuration footprint that, as far as they can tell, is unique to ES&S systems. Furthermore, the IP addresses for the firewalls of the non-confirmed systems all appear to be in counties that also use ES&S voting machines..."
"ES&S did not dispute that the firewalls the researchers found are ES&S systems; it said it had no way of knowing one way or the other. Motherboard offered to provide the company with the IP addresses...but it said in an email that it doesn’t store customer IP addresses..."
"Because the researchers only began looking for the systems last year, it’s not known how long they’ve been online, but it’s likely that some have been connected to the internet for years, going back to whenever a county first began to use modems to transmit election results."
"The researchers reported the firewall IP addresses in August 2018 to the national Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)—a 24-hour watch center funded by the Department of Homeland Security and operated by the Center for Internet Security."
"A spokesperson for the group would not tell Motherboard if the information was disseminated to the affected counties, but the researchers did see some county systems disappear from the internet."
"The 2 in FL were taken offline in the following week or two. But the systems in 2 Michigan counties, Kalamazoo & Roscommon, were still online this week. A 3rd Michigan system is also online, though the researchers are unable to pinpoint the county where the IP address is..."
"Similarly, they reported half a dozen IP addresses to Tony Bridges, election security lead at the Wisconsin Election Commission, for connected systems in Outagamie, Dodge, Milwaukee, St. Croix, Columbia & Waukesha counties...Skoglund said they never received a response."
The Milwaukee County elections dir. told "Skoglund their system was online for a special election. Skoglund...told her the system had actually been online since Sept. 2018, she said she only learned last wk that the systems should not be connected to the internet btwn elections."
"Skoglund has also witnessed another problem as systems dropped offline after his group’s disclosure to a county; some IT workers are simply turning off the SFTP server or switching it to standby mode so traffic can’t come into it."
"But as long as the firewall is online, the backend systems are still connected to the internet and can be found. And if the AnyConnect VPN is still enabled, this also provides a potential pathway into those backend systems."
"When a corporation sets up a firewall and a VPN…there is someone who is applying patches and monitoring logs…and really actively ensuring the security of the device to make sure it doesn’t become a vulnerability."
"That’s a real question with election infrastructure. Who manages this hardware after it’s deployed? And what oversight is there?”
Good to know.
"Asked which states do security assessments, he cited WI, FL & MN. But someone familiar w/ Wisconsin’s certification testing, who spoke on condition of anonymity, said it doesn’t include a security assessment of the modem transmissions & configuration."
It all just kinda fits together at some point doesn't it?

"The expansion by Amazon Web Services into state & local elections has quietly gathered pace since the 2016 US pres. vote. More than 40 states now use one or more of Amazon’s election offerings."
reut.rs/2R5RwYK
Article from Oct. 15, 2019