Kim Zetter for NYT Magazine:
But for as long as experts have warned about security problems, voting machine makers and election officials have denied that the machines can be remotely hacked. The reason, they say, is that the systems are not connected to the internet — an assurance the public has largely accepted. This defense was never more loudly expressed than in 2016, when the government disclosed that Russian hackers were probing American voter-registration systems and had breached at least one of them. Concerned that hacking fears could make the public less likely to vote, the United States Election Assistance Commission and state election officials rushed to assert that there was no need to worry about the votes because voting machines themselves were isolated from the internet.
The reality, as the incident in Venango County makes clear, is far more complicated.
Venango removed the remote-access software and isolated its system after Eckhardt and colleagues pointed out the security risk. But it’s likely that the software is still installed on other election systems around the country. ES&S has in the past sometimes sold its election-management system with remote-access software preinstalled, according to one official; and where it wasn’t preloaded, the company advised officials to install it so ES&S technicians could remotely access the systems via modem, as Venango County’s contractor did, to troubleshoot and provide maintenance.