Hackers find flaws in German election vote-counting software

Hacking the German election | 07.09.2017

A trio of hackers has warned that Germany's vote-counting software is extremely vulnerable to multiple attacks three weeks before the federal election. But fears of Russian intervention appear to be exaggerated.

Germans got one more reason to be paranoid about potential Russian intervention in the upcoming electionon Thursday, when a report was published that exposed massive security gaps in the software used to tally the vote counts across the country's 299 voting districts.

IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed the software PC-Wahl created by vote iT, a German company that claims the organizational software is used in "all the large German states for local district elections, state elections, Bundestag elections, European elections, and referendums."

The alarming analysis finding a variety of weaknesses was independently corroborated by the hacker organization Chaos Computer Club, which also discovered more flaws.

Creating chaos

The trio of analysts came to the conclusion that while the final election results could not be changed – since they are checked by hand – the on-the-night preliminary results that politicians first react to and are used in the media could easily be altered, potentially creating massive uncertainty in the country.

German security forces have warned against Russian hackers affecting the election

"Let's say we give the AfD [right-wing Alternative for Germany] 20 percent, and all their supporters are celebrating, and then two days later all the people who helped with the election stand up and say, 'Wait a moment, this is not the result that I counted,'" speculated Neumann. "The officials would have to declare the official result as invalid, and there would have to be another election. We'd probably have people with pitchforks in the streets. Think of the damage that would be done to general trust in democracy."

Germany's elections are fairly transparent and analog – voters are only allowed to vote with pen on paper, not with digital voting machines, all counting takes place by hand in the 70,000 or so voting locations, and counting is open to the public.

But when local voting districts pass on their results to the state election administrator, each state has its own rules about how those results are transmitted – either by phone, fax or with computers. They are eventually passed on to federal election administrator Dieter Sarreither.

Spare time hacking

Neumann underlined how easy it had been for him and his friends to hack the software, and added that hackers would only need to begin infecting the relevant computers a few days before the election. According to a report in Die Zeit newspaper, some of the software code was so old that one of the analysts found passwords to parts of it on the internet.

"We did this in our spare time," he said. "Everybody's worried about state sponsors and professional hackers – if we can do this in a couple of evenings of sitting around in our apartments, you can imagine how easily this could be accomplished by a state actor."

The company vote iT did not respond to a DW request for comment, but told Der Spiegel that there were "no security-relevant weaknesses in the software." Nevertheless, Neumann pointed out that his team had informed the company of its findings — and had noticed that it had since begun to fix them.

Analysts wonder what Putin would have to gain by hacking the German election

"When they now say they are not aware of any vulnerabilities, that is a very questionable statement," he said.

But what's the point?

For his part, federal election administrator Sarreither said a Russian attack on the German voting system remained "very unlikely." That view is backed up by a report in the Süddeutsche Zeitung from late August, which cited internal government analyses saying that a string of public warnings and the ensuing media interest in the issue had "scared the Russians off."

Mark Galeotti, head of the Prague-based Center for European Security, had a similar take – suggesting that Russia had learned a lesson from the leaks that failed to derail Emmanuel Macron's presidential election victory in France in the spring.

"I am perfectly willing to believe the Russians have that capability, but it's harder to see why they might have the intent," Galeotti told DW. "There is little to be gained and much to be lost by such an adventure. There would be no lasting impact on the outcome, and no obviously Putin-friendly candidate they might hope to elect. Moscow would likely only further harden German attitudes by such a move."

Ben Knight