Following the 2016 presidential election, states like Pennsylvania indicated that they would be working to upgrade their voting machines to allay security concerns. A new report from the Associate Press reveals that while counties across the United States have purchased new equipment, many of machines are running outdated software that could still be vulnerable to hackers.

At the heart of the issue is the operating system that the machines run on — Windows 7. Microsoft released the operating system between 2009 and 2014, and it’s since been overtaken by Windows 10. The company has scaled back its support for the OS, and will officially end support for it next January.

Multiple states will be affected by the end of support for Windows 7

In an analysis of voting machines across all 50 states, the AP says that it “found multiple battleground states affected by the end of Windows 7 support, including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona and North Carolina.” Some states, like Georgia and Michigan, are considering new systems that use Windows 7.

Furthermore, the AP says that two of the three major election equipment vendors — Election Systems and Software LLC, and Hart InterCivic Inc — supply machines running outdated software: Hart InterCivic’s operating system will reach the end of its mainstream support on October 13th, 2020 (apparently Windows 10 Enterprise 2015 LTSBWindows 10 IoT Enterprise 2015 LTSB), while Election Systems and Software says that it will be offering a new system running on Windows 10. However, it’s unclear if that will be cleared for use and distributed to counties before the 2020 election in November. The AP says that a third vendor, Dominion Voting Systems Inc., is unaffected by the issue, but points out that it does have systems that it “acquired from no-longer-existing companies that may run on even older operating systems.”

As states begin to prepare for the 2020 elections and place orders for new systems, state officials in Pennsylvania, Michigan, and Arizona have indicated that they have spoken with vendors about the software on the machines.

Election systems are notoriously insecure

Election vendors also have had notable problems with security — Election Systems and Software disclosed that it installed potentially-vulnerable remote access software on its machines, while Russians breached the computer systems of another vendor, VR Systems, and were able to break into the voting databases of two Florida counties prior to the 2016 election. To be clear, individual machines are notoriously vulnerable to hackers, but the decentralized nature of the US’s election infrastructure means that it’s hard to change votes en-masse. But, with a close election, foreign agents could potentially mess with election results, or at the very least, undermine confidence in the final results.

Microsoft tells the AP that it will issue free security updates for Windows 7 through 2023. But, while the company can continue to release patches for its systems, system owners will need to actually install them. In 2017, the WannaCry cyberattack crippled thousands of computers in over 100 countries that were running versions of Windows XP and Windows 7 that didn’t have security patches installed. Windows ended up issuing a special patch for Windows XP users, and has since released additional patches to fix new vulnerabilities. But even more than two years later, Microsoft says that more than a million computers are still vulnerable to security exploits.