For years, US election officials and vendors have insisted that critical election systems are never connected to the internet and therefore can't be hacked.
But a group of election security experts has found what they believe to be almost three dozen back-office systems in ten states that were connected to the internet over the last year, including some in critical states. These include systems in nine Wisconsin counties, four counties in Michigan and seven counties in Florida, all states that are perennial battlegrounds in presidential elections.
Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Miami-Dade County, Florida, were still connected to the internet this week, the researchers told Motherboard.
The researchers and Motherboard have been able to verify that at least some of the systems in Wisconsin, Rhode Island, and Florida are in fact election systems. The rest have not yet been confirmed, but the fact that some of them appeared to drop offline shortly after the researchers reported their findings points in the same direction.
"We … found that at least some jurisdictions didn't know their systems were online," said Kevin Skoglund, an independent security consultant who conducted the research with nine others, all of them long-time security professionals and academics. Skoglund is also part of an advisory group, unrelated to the research, that is working with the National Institute of Standards and Technology to develop new cybersecurity standards for voting systems. "In some cases, [the vendor was] responsible [for installing the systems] and was not supervised. publicly, that their systems were never connected to the internet because they didn't know otherwise."
The systems the researchers found are made by Election Systems & Software, the top voting machine company in the country. They are used to receive encrypted votes that are transmitted via modem from ES&S voting machines on election night, to provide fast results that the media use to call races, even though the results are not final.
Generally, votes are stored on memory cards inside the voting machines at polling places. After an election, poll workers remove the cards and take them to county election offices. But some counties want faster results, so they use wireless modems, either embedded in the voting machines or connected externally. The system that receives these votes, called an SFTP server, is connected to the internet behind a Cisco firewall. The SFTP server and firewall are supposed to be connected to the internet only for a few minutes before an election to test the transmission, and long enough after the election to transmit the votes. But the researchers found some systems that were connected to the internet for months at a time, and others that were connected year-round, leaving them vulnerable to hackers.
Hacking the firewall and SFTP server would allow an attacker to intercept the results as they are transmitted and to send false results to the FTP server, depending on how securely the ES&S system authenticates the data. Although the election results sent by modem are unofficial (official votes are taken directly from the voting machines when they arrive at county offices), a significant discrepancy between the unofficial and official results would create distrust in the election results and confusion about which ones were accurate.
But Motherboard has learned that connected to the firewalls are even more critical back-end systems: an election reporting module that tabulates both the unofficial and the official votes, and an election management system that is used in some counties to program voting machines before elections. According to the researchers, gaining access to these systems through the firewall could allow a hacker to alter official election results, or to subvert the election management system to distribute malware to voting machines via the USB sticks that pass between this system and the voting machines.
Online, the researchers can see only the firewalls configured in front of these systems and cannot see anything behind them; federal law makes it illegal for them to probe beyond the firewall. But ES&S documents posted online in various counties show that these critical back-end systems are connected to the firewall, and ES&S also confirmed to Motherboard that this is the correct architecture for counties that want to transmit results electronically.
ES&S has long insisted that election management systems are air-gapped (that is, not connected to the internet or to any other system connected to the internet), and the company insists that the diagram it provided does not show these systems exposed to the internet. "There's nothing connected to the internet," ES&S Vice President of Software Development and Design Gary Weber told Motherboard. "[The election-management system] is not pingable or addressable from the public internet."
An ES&S diagram depicting a Cisco ASA firewall sitting on the internet in front of an FTP server that receives votes transmitted from voting machines (the FTP server is labeled Data Comm RMS, the Performance Management System). It also shows the back-end election management system (EMS), which may be used in some jurisdictions to program voting equipment before each election, and a reporting system (EMS client) that collects votes from the FTP server and tabulates results. Eleven states use ES&S's DS200 optical scanners to transmit results on election night (the number of counties varies by state). Image: ES&S
But Skoglund said this "misrepresents the details." Anyone who finds the firewall online also finds the election management system connected to it.
"It's not air-gapped. The EMS is connected to the internet but is behind a firewall," Skoglund said. "The firewall configuration [that determines what can go in and out of the firewall] … is the only thing that separates the EMS from the internet."
And misconfigured firewalls are one of the most common ways hackers gain access to supposedly protected systems. The recent massive hack of sensitive Capital One customer data is a good example of the kind of breach a poorly configured firewall can enable.
"If they did everything right [with the ES&S systems], as they say they do, there is no danger," Robert Graham, CEO of Errata Security, told Motherboard. "These are all secure systems that work well if [configured] properly. We just don't believe that they are done correctly. And the fact that [election officials are] saying that they are not on the internet while they are still on the internet shows us that we have every reason to trust them."
Even a correct configuration won't protect a firewall if the firewall software itself has security vulnerabilities that allow intruders to bypass the authentication checks, whitelisting rules, and other security parameters set in the firewall's configuration file.
"If this system is not patched and it has a critical vulnerability … you may be able to break down any security system you have set up," Skoglund told Motherboard.
While no one is suggesting that any of these systems have been manipulated or hacked, the findings highlight how little local and federal election officials understand about how these critical election systems are actually secured, and the extent to which they rely on what the vendors tell them.
Senator Ron Wyden (D-Oregon) said the findings were "once again a damning indictment of attacking electoral dealers who care more about the outcome than protecting democracy." It is also an indictment, he said, of "the idea that important cybersecurity decisions should be left entirely to county election offices, many of which do not employ a single cybersecurity expert."
"In addition to not connecting the voting system to the internet, they should not be near the internet," he added.
ES&S firewalls are configured to allow only authenticated systems to connect and transmit data through the firewall to the SFTP server; they also block internet connections from systems behind the firewall. Authenticated systems include the modem-equipped voting machines at polling places and computers at transmission sites. According to ES&S, even these authenticated systems, which are set up with passwords to communicate with the SFTP server, can communicate only with that server and cannot get past it to the critical back end. The passwords the voting machines use to communicate with the SFTP server are created in the election management system and passed to the voting machines on a USB flash drive when the systems are programmed before each election; the passwords are also stored on the SFTP server to authenticate the machines.
The two back-end systems, a vote reporting system and an election management system, sit on a local area network that is connected to the Cisco firewall through a switch. The switch provides no additional security; it only acts as a traffic cop, directing incoming data to the correct system. To collect the encrypted votes that the voting machines have stored on the SFTP server, the back-end reporting system reaches through the firewall to the server every few minutes. If new files have arrived, the reporting system grabs them, decrypts them, reads the votes inside, and then tabulates them.
At least, that is how the setup works in the diagram ES&S provided to Motherboard. But a different diagram the company sent last year to Travis County, Texas, as part of a contract proposal, and available online, shows the reporting system and the election management system connected directly to the SFTP server through a switch, all of them connected to the firewall. This would mean the back-end reporting system could bypass the firewall to reach the SFTP server directly, a less secure configuration. Weber of ES&S told Motherboard that the Travis diagram was incorrect.
An ES&S diagram the company sent last year to Travis County, Texas, as part of a contract proposal, showing a reporting system and an election management system connected directly to an SFTP server through a switch, all of which are connected to a firewall.
The back-end systems in the ES&S configuration are protected only if the firewall rules ES&S has defined to control traffic are configured properly, if the firewalls have no unpatched software vulnerabilities that would let an intruder bypass these protections and install malware on the SFTP server and critical back-end systems, and if the firewalls are consistently maintained and monitored for rogue connections. Unfortunately, there are several reasons to be concerned about firewall security.
ES&S installs and configures the firewalls for "the majority of customers," the company told Motherboard. The counties then take over maintenance or hand it to an outside party, which in some cases may also be ES&S.
Last year, Cisco firewalls in Wisconsin did not receive a patch for a critical vulnerability for six months after the vulnerability was disclosed and the patch released, Motherboard has learned. Patch delays are not uncommon in states where election systems require both state and federal certification. A patch for a certified system often has to be reviewed against certification requirements before it can be applied. Still, six months is a long time, and it means the systems were vulnerable to attack for an extended period before the mid-2018 elections.
Another maintenance problem relates to slow software updates. Skoglund's group found that the SFTP server in seven of the ES&S systems they found runs outdated Cerberus FTP Server 6.0 software, for which the software maker ended support in January 2017. This means the maker has not updated the software for the last two and a half years and will not fix it if vulnerabilities are discovered in it. The current version is 10.0, and although it has been available since November 2018, none of the ES&S SFTP servers the researchers found online use it.
Not all ES&S back-end election systems are connected to the internet, because not every county chooses to transmit election results. More than 33,000 ES&S DS200 optical scanners with modems are used in more than 11,000 states and the District of Columbia. But ES&S told Motherboard that it does not know how many of its customers currently transmit results.
What the general public doesn't know about ES&S election systems is that the company's entire configuration for transmitting election results, from modem to SFTP server, is not certified by the Election Assistance Commission (EAC), which oversees federal testing and certification of voting equipment. ES&S voting machines are tested and certified, but the transmission configuration is not. Labs test them to make sure they transmit votes, and that's it. In its marketing literature, ES&S highlights the certified parts of its election system in blue and labels them "EAC certified configurations." The uncertified part is highlighted in white and labeled "Extended Configuration."
Weber told Motherboard that instead of federal certification, his company has focused on working with officials in states that allow modem transmission to test and certify the configuration under their own state certification programs. According to him, this includes a security assessment of the configuration. Asked which states conduct these security assessments, he cited Wisconsin, Florida and Minnesota. But a Wisconsin certification tester, who spoke on condition of anonymity, told Motherboard that the testing did not include a security assessment of the modem transmissions and configuration.
Searching Election Systems
The researchers began looking for connected systems in July, following repeated remarks by state and local election officials, and by federal officials with the Election Assistance Commission, asserting in 2018 that voting machines and back-office systems are never connected to the internet.
Although these officials acknowledge that many voting machines use modems to transmit election results over cellular networks and leased lines, they have long insisted that modem transmissions do not involve the internet. However, a New York Times story I wrote last year showed that modem transmissions do pass through the internet, and even an ES&S document that the company provided to Rhode Island in 2015 calls the modem transmission of votes an "Internet" transmission. A document on modem-transmitting voting machines made by Dominion Voting Systems, another top voting machine company in the country, discusses TCP-IP and SSL, both protocols used for internet traffic.
An ES&S document submitted to Rhode Island, dated 2015, which clearly indicates that votes transmitted from the company's DS200 optical scanners go over the internet.
"Configurations display TCP-IP configuration and 'SSL optional,' which makes it clear that at least vendors know that their systems are connected to the Internet, even though their election customers do not understand or continue to insist that the systems are not connected to the Internet."
Knowing that votes are being transmitted over the internet, the researchers set out to see whether they could find the internet-connected back-end systems that receive the transmitted votes. They found a way to search for connected ES&S systems after one of their group stumbled on the IP address of a Rhode Island ES&S firewall in a publicly available document.
After examining other documents about ES&S systems published online and finding technical specifications showing that the systems use Cisco ASA 5500 series firewalls, Cerberus FTP software and the Cisco AnyConnect VPN for transmitting votes, they used a specialized search engine called Censys to find connected systems that matched this combination of configurations. Censys scans the internet every week for connected devices and catalogs information about them, including their IP addresses, in a database. Their search turned up 35 connected systems over the past year, although Skoglund notes that there could be more ES&S systems on the internet that are not visible in Censys scans, since administrators can configure connected devices to block automated scans. That does not mean, however, that someone could not still find those systems online.
When the researchers examined the ownership of the IP addresses of the connected systems, at least four of them were registered to the Michigan and Florida state governments. This helped convince the researchers that they had found county election systems. Other IP addresses, however, were harder to trace because they were registered to major ISPs rather than to the organizations using them.
The researchers found one or two systems online in each of Illinois, Indiana, Minnesota, Nebraska, Rhode Island, Tennessee, and Iowa. They suspect the Nebraska system is a demo or test system for ES&S, which is headquartered in Omaha. They also found two systems in Canada, where ES&S has field offices and customers, which may be demo or test systems.
Although only one system was found online in Rhode Island, it was particularly problematic, the researchers note. Rhode Island, unlike other states, conducts its elections from a central office at the state election commission rather than running them in each county or jurisdiction. The election reporting system the researchers found online was therefore the statewide reporting system.
One of the states with the densest concentration of online election systems was Florida, where the researchers found a number of connected systems that they believe belong to Bradford, Charlotte, Flagler, Wakulla, Miami-Dade and Pasco counties, plus one other county they could not identify from the IP address.
Florida is known for its close elections. Trump won the state by just 1.2 percentage points in 2016, and in 2018 the state had Senate and governor races that were too close to call on election night. Miami-Dade County in particular, with 1.4 million registered voters, is one of the most important counties in federal elections; it used ES&S machines with embedded modems in the 2016 election.
None of this means that election systems in Miami-Dade or any other Florida county were manipulated in the 2016 election. But the findings highlight what is at stake when critical election systems are online.
All election systems connected to the internet create potential problems for elections. But the nine systems in Wisconsin and four in Michigan that the researchers found raise particular red flags because these were two of the three states where Green Party presidential candidate Jill Stein sought a recount of the 2016 presidential votes. All three states, including Pennsylvania, produced results that were inconsistent with election polls and past voting patterns in the states. Although there was no specific evidence that election systems had been manipulated, a recount could have helped assure the public that this was not the case. However, a court halted the Michigan recount after it had begun, and a Pennsylvania court refused to consider Stein's case for a recount in that state.
instead of manually comparing them to the digital tallies to reveal discrepancies. If the scanner software had problems that produced incorrect results during the first scan, it would repeat the same faulty results during the re-scan.
The researchers repeated their searches of the Censys database periodically to see when systems dropped out of sight or new ones appeared online. This let them see that systems stayed connected for long periods, contrary to election officials' claims that the results-transmission systems remain connected for only minutes after an election. Some systems appear online only around election times, but they stay online for about a month before disappearing, not for a few minutes.
"Rhode Island is one that lights up and goes out," Skoglund said. "They don't stay around all year. But others do."
Motherboard asked Graham, the CEO of Errata Security, who created an internet scanning tool called Masscan, to independently review the method the researchers used to find the systems, and he confirmed that the method was sound, given the search parameters the researchers provided. Like the researchers, however, he could not probe further without breaking the law, so he saw only the firewalls and not what was behind them. An independent election security expert named Harri Hursti, who consults with election jurisdictions and helps run the annual voting machine hacking village at the Def Con security conference, also confirmed the methodology for Motherboard without being told how the systems had been found. In fact, Hursti told Motherboard that many other election systems were online that the researchers' specific search parameters had missed.
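The repeated-snapshot comparison described above also works for a county's IT staff reviewing scan history of their own perimeter. The following is an added example, not the researchers' code: the host labels, scan dates, election date and thresholds are all constructed for illustration. It merges weekly sightings into continuous exposure windows and flags windows that last longer than a results-transfer period or that fall outside any election.

```python
from collections import defaultdict
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=7)  # weekly snapshots, as the article describes


def weekly(start, end):
    """Constructed helper: every weekly scan date from start to end inclusive."""
    out, day = [], start
    while day <= end:
        out.append(day)
        day += SCAN_INTERVAL
    return out


# Constructed sample data: (host label, date the host answered a scan).
SIGHTINGS = (
    [("fw-county-a", d) for d in weekly(date(2018, 9, 3), date(2019, 7, 29))]
    + [("fw-county-b", d) for d in weekly(date(2018, 10, 22), date(2018, 11, 19))]
    + [("fw-county-c", date(2018, 11, 5)), ("fw-county-c", date(2019, 4, 1))]
)
ELECTIONS = [date(2018, 11, 6)]  # constructed election calendar


def exposure_windows(sightings, max_gap=SCAN_INTERVAL):
    """Merge sightings no more than max_gap apart into (first_seen, last_seen)."""
    by_host = defaultdict(set)
    for host, seen in sightings:
        by_host[host].add(seen)
    windows = {}
    for host, days in by_host.items():
        runs = []
        for day in sorted(days):
            if runs and day - runs[-1][1] <= max_gap:
                runs[-1][1] = day          # still the same continuous exposure
            else:
                runs.append([day, day])    # host reappeared after a gap
        windows[host] = [(first, last) for first, last in runs]
    return windows


def flag_windows(windows, elections, max_days=7, slack=SCAN_INTERVAL):
    """Return (host, first, last, observed_days, reasons) for suspect windows.

    observed_days is a lower bound: a host may have been reachable for up to
    one scan interval before its first and after its last sighting.
    """
    findings = []
    for host in sorted(windows):
        for first, last in windows[host]:
            observed_days = (last - first).days
            reasons = []
            if observed_days > max_days:
                reasons.append("long-lived")
            if not any(first - slack <= e <= last + slack for e in elections):
                reasons.append("no-election")
            if reasons:
                findings.append((host, first, last, observed_days, reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_windows(exposure_windows(SIGHTINGS), ELECTIONS):
        print(finding)
```

Because the input is weekly, the check cannot confirm a "few minutes" claim; it can only show when that claim is impossible, which is the same inference the researchers drew.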
The researchers did not single out ES&S election systems in their hunt. They also tried to find connected systems from two other top voting machine vendors in the country, Dominion Voting Systems and Hart InterCivic. But Skoglund said the configuration footprints of those systems are not as distinctive as the ES&S footprint, which resulted in the team turning up thousands of systems that are clearly not election infrastructure.
Although the researchers have not been able to confirm with election officials in every state that all of the firewalls they detected are connected to ES&S systems, they were able to satisfy themselves that their list was reliable. All of the systems the researchers found have a configuration footprint that, as far as they can tell, is unique to ES&S. In addition, the IP addresses of the unconfirmed firewalls all appear to be in counties that also use ES&S voting equipment, according to a cross-check against a tool from Verified Voting, a non-profit organization that tracks the use of voting machines around the country. It is difficult to pin IP addresses to a precise geographic location, but the researchers were able to place the addresses they found in a particular city or region for all but four of the systems.
ES&S did not dispute that the firewalls the researchers found belong to ES&S systems; the company said it had no way of knowing one way or the other. Motherboard gave the company the IP addresses of the firewalls the researchers found, but the company said in an email that it does not store its customers' IP addresses and therefore could not say whether the systems belong to its customers.
Since the researchers began searching for systems only last year, it is not known how long the systems have been online, but it is likely that some have been connected to the internet for years, going back to when a county started using modems to transmit election results.
For over a decade, ES&S has been selling modem-based systems for transmitting results. Wisconsin approved the use of the current modem-capable ES&S DS200 voting machines in September 2015, but its previous-generation ES&S optical scan machines also used modems to send results. It is not clear whether they used the same firewall and back-end configuration.
Photo: Scott McIntyre / Bloomberg via Getty Images
Although election security experts are opposed to transmitting votes electronically, if a county goes ahead with it, the devices set up to receive results should not be connected to the internet when the system is not in use. It has no purpose other than receiving results.
"While [reporting systems] are secure, ES&S recommends that they be connected to the internet only when they are being tested or used, to minimize potential threats," says a statement sent to Motherboard by ES&S and the Wisconsin Election Commission.
But Hursti told Motherboard that it makes little difference how long the election systems are connected; any connection opens them up to possible attack.
"For a skilled, motivated attacker, it does not matter whether [the system is connected] for two minutes or a whole year. But for a less skilled, stupid, less motivated attacker, because they have been there for a year, it lowers the bar," he told Motherboard. "It really buries the bar underground to perform attacks with less skill. [And] you have a much longer time when hacking can take place and evidence of attacks [hidden]. What you are describing is bad behavior, compounded by carelessness and total neglect of safety."
A more skilled and motivated hacker, such as a Russian-backed nation-state hacker, could compromise the firewall or SFTP server and plant malware that is delivered to every voting machine that connects to the server, Skoglund and Hursti said. This is similar to what security professionals call a "watering hole" attack, named for predators that lie in wait at a watering hole for prey to arrive for a drink.
And if hackers could spread malware to voting machines from the SFTP server, the malware could potentially configure the modems on those machines to make them dial out to a system the attackers own, while preventing those calls from showing up in the system log. This would give the attackers time to subvert the machines ahead of the next election.
Findings Reported and Confirmed
The researchers reported the firewall IP addresses in August 2018 to the national Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a 24-hour watch center funded by the Department of Homeland Security and run by the Center for Internet Security, a non-profit organization established to develop and promote cybersecurity best practices. The EI-ISAC provides election officials with information and alerts about security threats, and it told the researchers it would pass the information on to where it needed to go, but the researchers never received any follow-up from the EI-ISAC.
A spokesperson for the group would not tell Motherboard whether the information was passed on to the counties in question, but the researchers did see some of the county systems disappear from the internet. The Department of Homeland Security, which has worked with states and counties since 2016 to secure election infrastructure, also declined to speak with Motherboard about the researchers' findings.
The fact that half of the systems were still online last week, however, underscores that new efforts by the federal government and information-sharing groups to warn election officials about known threats and vulnerabilities don't work if the message doesn't reach the people who can actually take the systems offline, or if local election officials simply don't act on the information they receive. Last year the researchers gave four IP addresses to the EI-ISAC that the researchers confirmed were connected to election infrastructure in Michigan and Florida.
"The two in Florida were taken offline in the following week or two," Skoglund said. But the systems in two Michigan counties, Kalamazoo and Roscommon, were still online this week. A third Michigan system is also online, although the researchers are unable to pinpoint the county in which the IP address is located.
Similarly, they reported half a dozen IP addresses to Tony Bridges, election security lead at the Wisconsin Election Commission, for connected systems in Outagamie, Dodge, Milwaukee, St. Croix, Columbia, and Waukesha counties. But despite initial friendly communication, Skoglund said they never received a response.
Bridges told Motherboard he did act on the information he received, advising all of the counties to disconnect their systems when not in use for elections. He was surprised to learn last week from Motherboard that there were still systems online. He contacted the counties again, and Skoglund's group could see that all of them dropped off except Milwaukee County's system and that of another county they had not reported to Bridges last year, Eau Claire County.
The director of elections in Milwaukee County told Skoglund this week that their system was online for a special election next week. Skoglund told Motherboard that when he told her the system had actually been online since September 2018, she said she only learned last week that the systems should not be connected to the internet between elections.
Skoglund has also witnessed another problem as systems dropped offline after his group's disclosure to a county: some IT staff are simply turning off the SFTP server or switching it to standby mode so traffic can't come into it. But as long as the firewall is online, the back-end systems are still connected to the internet and can be found. And if the AnyConnect VPN is still enabled, this also provides a potential pathway into those back-end systems.
Skoglund said he's concerned that no one is monitoring all of these systems once they're online, and that counties are trusting the configuration instructions ES&S gives them, or trusting ES&S to configure the systems securely for them, and are then ignoring the systems once they're set up.
"When a corporation sets up a firewall and a VPN … there is someone who is applying patches and monitoring logs … and really actively ensuring the security of the device to make sure it doesn't become a vulnerability," Skoglund said. "That's a real question with election infrastructure. Who manages this hardware after it's deployed? And what oversight is there?"