A US senator is holding the nation's biggest voting machine maker to account following a recent article that reported the company has sold equipment pre-installed with remote-access software and has advised government customers to install the software on machines that didn't already have it.

Use of remote-access software in e-voting systems was reported last month by The New York Times Magazine in an article headlined "The Myth of the Hacker-Proof Voting Machine." The article challenged the oft-repeated assurance that voting machines are generally secured against malicious tampering because they're not connected to the Internet.

Exhibit A in the case built by freelance reporter Kim Zetter was an election-management computer used in 2011 by Pennsylvania's Venango County. After voting machines the county bought from Election Systems & Software were suspected of "flipping" votes (meaning screens showed a different vote than the one selected by the voter), officials asked a computer scientist to examine the systems. The scientist ultimately concluded the flipping was the result of a simple calibration error, but during the analysis he found something much more alarming: remote-access software that allowed anyone with the correct password to remotely control the system.

Zetter unearthed a 2006 contract with the state of Michigan and a report from Pennsylvania's Allegheny County that same year, both of which showed ES&S employees using a remote-access application called pcAnywhere to remotely administer equipment the company sold.

Serious consequences

ES&S officials told the NYT Magazine that none of its employees had any knowledge of company machines being sold with remote-access software. The article, however, leaves little doubt that in at least some cases ES&S employees arranged for the equipment to come pre-installed with the software or for it to be installed after purchase. The practice has serious consequences for the security of the equipment, since anyone who can obtain login credentials or exploit vulnerabilities in the software can gain control over systems and potentially alter voting tallies.

On Tuesday, US Senator Ron Wyden (D-Ore.) sent ES&S Chief Executive Tom Burt a letter that in essence asked two questions:

Has ES&S sold any products on which remote-access software was pre-installed?

Have ES&S officials or technical support personnel ever recommended that customers install remote-access software on voting machines or other election systems?

"The American public has been repeatedly assured that voting machines are not connected to the Internet and, thus, cannot be remotely compromised by hackers," Wyden wrote. "However, according to a recent article in The New York Times Magazine, election systems sold by your company frequently include pre-installed remote-access software, which exposed elections systems to remote attack and compromise."

In an e-mail sent about 19 hours after this post went live, ES&S officials wrote:

Election Systems and Software certifies our voting systems to the Voluntary Voting System Standards (VVSG) adopted by the Election Assistance Commission (EAC). The EAC VVSG does not allow for voting systems to be tested or approved with any form of remote access software. In fact, an election management system that is approved and tested to the EAC standard is required to be hardened. The term hardened in this case means that the server is locked down from any use other than that which has been approved under the standard and that it cannot contain any software application, including remote access software, which is not part of the certified end to end configuration. ES&S always adheres to these guidelines and, as such, does not sell or distribute products with remote access software installed.

Post updated to add ES&S statement in the last paragraph and to correct the year in paragraph 3.