Report: Swing State Voting Machines Were Left Open to the Internet

Dozens of election systems intended to be isolated from the Internet have actually been continuously connected for long periods of time, according to a new report published by Vice on Thursday. The findings contradict longstanding claims by election officials and vendors about the security of voting systems.

The voting systems, reportedly produced by Omaha-based Election Systems & Software, have wireless internet capacities. But according to Vice, those are only intended to be active for short periods, either for testing or immediately after an election, when voting machines transmit preliminary vote totals to central tallying systems. Researchers, scouring the internet using parameters based on one known IP address of a fire-walled system in Rhode Island, found about 35 ES&S systems whose connections had been left open, in some cases for months or even years.

In an email to Fortune, ES&S denies its vote tabulators are ever connected to the Internet, and said its election management systems are secured, hardened, and not permitted online. “There is zero evidence any ES&S voting system has ever been compromised,” ES&S tells Fortune. “In some states it is a common practice to modem unofficial election results at the close of the polls to help the media in releasing early projections. This does not involve direct internet connectivity to the voting system.”

ES&S also states that physical ballots and printed results tapes are protected at all times.

According to Vice, the compromised systems were located in 10 states, including Wisconsin, Michigan, and Florida—critical swing states in the 2016 presidential election. Some of the connected systems detected by security experts have been confirmed to be voting systems, while others remain unconfirmed, but went offline after researchers reported them to election authorities.

Vice has not reported that the systems’ vulnerability was exploited to interfere with voting, though it could be possible. A focused attacker would be able to intercept results being transmitted wirelessly and send fake results in their place, the publication says. ES&S points out that these wirelessly-transmitted votes would not be official results, which are hand-delivered on hardware memory cards.

However, the appearance of changing results could itself be a serious threat to American democracy. “You’re starting out with low confidence by the public in the systems,” says Dr. Avi Rubin, a professor focusing on cybersecurity and elections at Johns Hopkins University. “If the results come back and someone loses who appeared to be leading, the loser is going to cry foul, and create even more distrust… Which is exactly the kind of tactics the Russians have deployed.”

Rubin believes the new report shows one of the fundamental problems with electronic voting—that the complex and scattered system makes it hard to maintain consistent security practices. “Vendors may provide instructions such as, don’t turn these transmission systems on,” he says. “But the election workers might do something different.”

It also points to an even more serious vulnerability: Central voting systems are effectively connected to the Internet during the brief window intended for wireless transmission. ES&S officials speaking to Vice emphasized that their systems were located behind Cisco firewalls and did not have visible IP addresses, which has often been represented publicly as not being connected to the internet.

“If you’re connected to a firewall, even if your IP address isn’t visible, you are connected to the internet,” counters Dr. David Jefferson, a cybersecurity expert now retired from Lawrence Livermore National Laboratory. “It’s a sad commentary on the security understanding of those who configure election systems.”

Jefferson also sits on the board of Verified Voting, an election cybersecurity nonprofit that advocates for one seemingly simple solution to electronic vote security. “We are trying to end internet transmission of votes, and correctly air-gap central systems from the internet, permanently,” he says. “Never, from the minute they are set up, should they be connected to the Internet, at all.”