White hat hackers from the Chaos Computer Club warn of huge weaknesses in German election software.
German hackers and researchers from the Chaos Computer Club (CCC) have found software used in the country to count and distribute voting results to be trivially easy to hack.
In a press release issued yesterday (7 September), CCC spokesperson Linus Neumann described the group’s analysis of the PC-Wahl software used in elections: “The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake.”
He describes there being “a number of security problems and multiple practicable attack scenarios” within the software, dubbing it “remarkably bad”.
Exceeding the worst expectations
In the damning report, hackers found that the entire system could be compromised in a single click, with the quantity of severe vulnerabilities present exceeding the CCC’s worst expectations.
The software is used to record votes and then transmit the results to a municipality. Local election authorities then use the same software to hand over the information for aggregation by state authorities.
A hypothetical one-click compromise in a situation such as a general election could spell disaster for public trust in the democratic process itself.
‘The sad state of this piece of election infrastructure is yet more evidence of problems in government IT. The procedures for tendering software projects need to change’
– LINUS NEUMANN
Thankfully, as a result of the CCC’s findings, the makers of PC-Wahl are fixing some of the vulnerabilities found by the hackers.
These weaknesses included the transmission of voting data over insecure connections, and the programming of servers with the default login credentials still present.
An over-reliance on archaic systems
The CCC made a more general point about the need for the German government to upgrade its technology: “The election authorities should not have become dependent on suppliers using programming and security concepts from the past millennium, but instead should promote transparency and security of election software by supporting new developments and advancing the state of the art.
“The sad state of this piece of election infrastructure is yet more evidence of problems in government IT. The procedures for tendering software projects need to change.”
For now, at least, a “brute manipulation of election results should be harder”, following the CCC’s major discovery.
Thorsten Schröder of the CCC wrote about the incident in German magazine Der Spiegel, expressing his surprise at the extent of the security gaps the team found, and criticising the government’s use of outdated encryption methods and weak passwords.
The CCC also noted that similar software is in use in other countries, with IVU.elect tested in the Netherlands also showing security vulnerabilities.
As recently as 7 September, Der Spiegel published a report detailing German concerns about Russian interference in the upcoming election, and worries stemming from the massive 2015 cyberattack on Germany’s Bundestag, its parliament buildings.
Regardless of the outcome of the election of 24 September, the incoming government will need to take a serious look at its official procedures and fix any vulnerabilities found.