Open to hackers: Critical US voting systems are connected to the Internet


IT security expert Kevin Skoglund and his colleagues have made serious allegations against the US company Election Systems & Software (ES&S), which provides much of the voting machine infrastructure in the United States. Relevant systems in at least eleven states are "often connected to the Internet," the consultant explained on Twitter. Critical electoral resources are thus open to hacker attacks over the net and at the same time make an "uncertain" impression overall.

Overall, there are serious mistakes "in the administration and control" of the systems, Skoglund complained. In general, ES&S recommends that the devices and their firewalls be disconnected from the Internet when they are not in use. The responsible IT officers in the electoral authorities, however, never received this good advice, so that some electoral systems have been online for months. The programmer accused those responsible at ES&S of lying if they now claimed that the installations are "never" linked to the network. Several dozen of the company's DS200 machines used cellular modems, much like a smartphone surfing the Web, to pass on election results.

The systems, which are vulnerable in principle, are used in states such as Wisconsin, Michigan or Florida, writes the online magazine "Motherboard". Elections there are traditionally very close, with changing, particularly highly contested majorities. According to the report, some of the installations are said to have disappeared from the Internet after the researchers warned a group of election officials. At least 19 of the systems were still connected to the public network last week, one of them in a district belonging to Miami.

Some of the officials in the offices did not even know that their machines could be found online, explained Skoglund. In some cases, the manufacturer and seller of the equipment had been responsible for installing the equipment. After that, there was virtually no "control" over it.

The ES&S systems are machines that receive the encrypted, summarized results of individual election terminals and pass them via modem to central offices on election night. In some states this serves primarily to inform the media about preliminary, not yet official results. The votes are also secured on memory cards and sent by courier to the electoral offices, which create the official result lists on this basis. If the latter deviated on a large scale from the provisional numbers transferred online, confidence in the entire process would at the very least be undermined.

The data transferred via modem is sent to a "secure" SFTP server, which sits behind a Cisco firewall and stays connected to the Internet. For security reasons, the online connections should actually last only a few minutes for a test transmission and then just long enough for the actual transfer. However, according to Skoglund and his team, these requirements were often ignored. There are no indications that the "openness" of the systems has been abused. In principle, however, attackers could intercept and falsify the preliminary results.

As the voting systems in some states are also linked to even more critical backend servers, it is even possible for a hacker to change the official election results or to pass malware on to terminals locally via the USB sticks that are most commonly used. Concrete attack surfaces existed again and again: last year, before the midterm elections to the US Congress, a critical security update for a firewall solution in Wisconsin had not been installed for six months.

According to the group, seven of the SFTP servers in the ES&S systems also used the old software version Cerberus FTP 6.0, for which official support expired in January 2017. The current version, which has been available since November, is 10.0, but the researchers have not yet found it on any of the servers.