Software vendor may have opened a gap for hackers in 2016









Election security experts widely condemn remote connections to election-related computer systems. | Joe Raedle / Getty Images

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, according to a document reviewed by POLITICO and a person with knowledge of the episode.

VR Systems, based in Tallahassee but with customers in eight US states, used what is known as remote access software to connect for hours to a central computer in Durham County, North Carolina, to resolve issues with the company's voter list management tool, the person said. The software distributes voter lists to electronic poll books, which election officials use to register voters and verify eligibility to vote.


The company has not responded to POLITICO's requests for comment on its practices. However, election security experts widely condemn remote connections to election-related computer systems, not only because they can open the door to intruders, but also because they can give attackers access to the entire network, depending on how they are configured.

In the case of Durham County, the computer in question connected to the North Carolina State Board of Elections to download the county's voter list before elections, which could potentially also open a door to the state's system.

This would not have allowed intruders to change vote counts, and no evidence has emerged that anyone hacked the election results in North Carolina. However, tampering with voter records or with poll book software could allow an attacker to alter records to prevent people from voting in crucial constituencies. Investigations are still ongoing to find out whether such manipulation could have occurred in North Carolina.

Last year, Election Systems & Software, the leading manufacturer of voting machines, admitted to installing and using remote access software on election management systems sold to counties, after previously denying it. Election management systems are even more critical to elections because they are used first to program voting machines and then to compile the results. The revelation about VR Systems, however, indicates that the practice of remotely accessing critical election infrastructure is more widespread than previously thought.

"Vulnerabilities in voting machines hold more attention, but the security and availability of poll books are as essential to the integrity of the elections as the voting machines themselves," said Matt Blaze, a professor of law and computer science at Georgetown University and a security expert. "If voter registers are compromised, it can selectively deprive voters of the right to vote, create long queues in polling stations and cast doubt on the legitimacy of election results."

The critical security gap, which had not been publicly revealed before, is the latest cause for concern about VR Systems, a company that was the victim of a malicious email campaign targeting its own employees in August 2016 that is believed to be linked to Russia. VR Systems has long claimed that the alleged spearphishing attempt, which had been reported to the FBI at the time, had been unsuccessful and that a forensic investigation it commissioned from a large cybersecurity firm had proved that it had never been hacked.

But that investigation was conducted only a year after the spearphishing campaign, leaving open the possibility that intruders could have erased their traces from the company's systems during that period. Federal investigators have said, in the recent report by special counsel Robert Mueller as well as in other documents, that Russian hackers successfully compromised a voting technology company, one that matches the description of VR Systems, and installed malicious software on its network.

Nearly three years after the first public revelation of hacker interference in the 2016 presidential race, the Department of Homeland Security has decided to conduct a forensic analysis of computers used in Durham County in that election, the department confirmed to POLITICO on Wednesday. The DHS move was first reported by The Washington Post.

Even though VR Systems had not been hacked in 2016, the revelation that it was using remote access software to connect to a critical election system, amid concern over Russian hacking, alarmed officials at the North Carolina State Board of Elections when they learned of the incident nearly a year later, according to a person familiar with the case. The person asked not to be named because of the sensitivity of the case. A document reviewed by POLITICO confirms the person's assertions.

"While the seller seemed to have an interest in keeping customers safe, it had not thought through [the potential risks] of doing that," the person told POLITICO. This was particularly disturbing, the person said, because the company knew that it had already been targeted by the Russians but apparently had not disclosed this information to its customers.

In addition, officials learned that it was common practice for the company to remotely access customer systems if it would take too long to physically send someone to a customer to solve the problems, the person said.

The person said the company has since agreed to stop doing it, at least in North Carolina.

Yet "there was more resistance [to stop] than you would expect," the person said. The person said that VR "stressed the need to be able to maintain customer systems and solve problems, and that remote access was part of this process – a feature, not a bug."

VR Systems has customers in California, Florida, Illinois, Indiana, New York State, North Carolina, Virginia, and West Virginia. In 2016, 62 of Florida's 67 counties used VR Systems, including Miami-Dade, the state's most populous. Twenty-three of North Carolina's 100 counties, including some of the largest, also used VR Systems technology. Florida and North Carolina were decisive for the victory of President Donald Trump in November 2016: Trump won Florida by 1.2 percentage points, or 119,770 votes, and North Carolina by 3.8 percentage points, or 117,529 votes.

The FBI recently revealed that Russian hackers had successfully infiltrated two Florida counties before the 2016 elections, but details of how the hacks took place, or of any possible connection to VR Systems, are still not clear.

POLITICO asked VR Systems whether it had ever remotely accessed customer systems in North Carolina or other states and whether it was still engaged in this practice. The company did not answer.

Senator Ron Wyden (D-Ore.), a leading critic of VR Systems, said the company needed to explain itself.

"Remotely accessing voting systems the day before election day serves our democracy on a silver platter to foreign hackers," Wyden told POLITICO. "No company playing such a crucial role in our elections should adopt such a reckless shortcut with the cybersecurity of its domestic and local customers."

He added: "The fact that we only know two years after the elections and after the destruction of any evidence of hacking is inexcusable. Americans need to know if VR Systems still has remote access to computers of other states, and how many times this has happened."

The remote access incident occurred in Durham after the county had trouble loading voter data onto USB flash drives used with its electronic poll books.

Before an election, Durham loads a digital file containing each precinct's voter list onto USB sticks. The sticks, or activators as VR Systems calls them, are inserted into laptops running VR Systems' electronic poll book software, called EViD. There is one activator for each EViD laptop, and often several laptops in one precinct. When a poll worker types a voter's name into a laptop, the EViD software checks the registration list on the USB stick to verify that the person is eligible to vote.

On the Sunday before the 2016 election and the next day, it took "several times longer than normal" to load the voter list onto the USB sticks, the person familiar with the episode told POLITICO. Trying to find out why it took so long, VR Systems remotely accessed the county computer used to load voter lists, but never stopped, the person told POLITICO.

The election night problem with USB drives had never been reported before. But later problems with the county's electronic poll books made headlines.

Electronic poll books in five constituencies began to have problems almost immediately after the polls opened on Election Day. Some crashed, some wrongly told election officials that they had to ask voters for a photo ID card, while others wrongly indicated that at least nine voters had already voted when they had not yet done so.

When the state election office was made aware of the problems, it ordered the county to switch to paper backups of the voter list. But this created delays and long queues that led some voters to leave without voting.

After the election, Durham County hired an external cybersecurity firm to investigate the poll book problem. The firm, Protus3, concluded that mistakes made by election officials were the problem for at least three voters who had been wrongly told that they had already voted. The report speculated on the causes of the other problems, but the state ultimately determined that the results were inconclusive.

There was also a problem with the scope of the investigation, which did not appear to look into whether malicious actors had hacked the electronic poll books or the voter list, according to a copy of the Protus3 report reviewed by POLITICO. Although some parts of the report are redacted, its unredacted summary does not mention any attempt to test the county network for signs of intrusion or malware, or to search for malicious programs on the electronic poll books and on the central computer. The poll books and the central computer were imaged and analyzed.

Although the Russian spearphishing operation against VR Systems was not publicly known when Protus3 conducted its investigation, VR Systems had sent an email to all its customers on November 1, 2016 to warn them that an illegal email campaign targeting its customers had been launched, designed to look like an email from the company.

POLITICO asked a Protus3 spokesperson about the scope of its investigation, but she did not respond.

North Carolina's state election board sought an unredacted version of the Protus3 report, but was denied, according to the person familiar with the investigation. The board found that the Protus3 investigation was incomplete but did not insist.

That changed in June 2017 when The Intercept published a confidential NSA document revealing that Russian hackers had sent malicious emails to employees of a voting technology company in August 2016 in an attempt to hack their email accounts. The document suggests that the attackers may have successfully compromised at least one employee account but did not identify the company by name. Several details, however, made it clear that VR Systems was the company.

North Carolina election board officials immediately realized that they had to consider the possibility that Russian intruders could have caused the problems with Durham's electronic poll books on Election Day if they had breached VR Systems or gained access via the remote connection to the system, a person aware of the incident told POLITICO.

"Until the [NSA] leak … Durham and everyone thought [the problem] was an administrator error, and there was no compelling need to determine exactly what had happened," the person said.

The state board then launched its own investigation and, during interviews with workers in Durham County, was informed about the remote access and the USB problem that prompted it.

The person said it was not the first time that state election officials had expressed concerns about VR Systems' security practices. Around March 2016, officials came across information from counties that appeared to indicate that VR Systems software was using an insecure method to transmit to counties the voter data it had obtained from the state board. (VR Systems insisted to officials that its file transfer system was secure, the person said.)

Fear of Russian interference had not yet surfaced at that time. However, officials were worried about identity theft because the data provided included voters' Social Security numbers. Thus, between March and the November election, the state launched a new process under which sensitive information was removed from the versions of voter data used for EViD poll books prior to transmission.

Despite all of these concerns and lingering questions about what happened on Election Day with Durham's electronic poll books, the state has never conducted its own investigation into what happened, even though it has obtained and keeps in its possession images of the poll books.

Last month, board spokesman Patrick Gannon told POLITICO in an e-mail that state investigators felt that "human errors committed by constituents and election officials in Durham County have probably contributed to the 2016 incident," but the investigation remains open because the agency "does not have technical expertise to conduct a forensic examination of laptops."

But now DHS is stepping in. In a statement to POLITICO regarding its investigation in North Carolina, the department said it would work with the state's election board to analyze the laptops used in the Durham County elections in 2016. "This support could contribute to a better understanding of the previous problems and help secure the 2020 elections."

DHS went on to say that it did not currently have "information indicating that there were any prior or ongoing problems regarding electoral systems in the state of North Carolina and that all services are proactively provided at the request of the state."
