Voting machines used to tally and aggregate votes in multiple German states are vulnerable to a wide array of vulnerabilities that researchers say can be exploited to alter election results without too much effort.

The flaws came to light today when three members of the Chaos Computer Club (CCC) — a club of white hat hackers from Germany — have published a report on the status of PC-Wahl, the software that runs on these devices.

Hackers can send malicious updates, alter votes

Researchers say they identified multiple flaws in how the machines operate. For example, they say an attacker could ship a malicious update to the machines because of a "broken software update mechanism," could recover secret passwords from PC-Wahl 10 configuration (INI) files and alter basic settings, but could also swap votes from one party to another during final and preliminary result submissions.

"Elementary principles of IT-security were not heeded to," said Linus Neumann, one of the CCC members involved in the experiment. "The amount of vulnerabilities and their severity exceeded our worst expectations."

PC-Wahl devices are some of the most popular voting machines deployed across German states, have been used in past German elections, and will be used again during the upcoming parliamentary elections set to be held on September 24.

Some German authorities took action

CCC researchers said they notified authorities of their findings. The German state of Hesse has already taken precautionary measures. Officials ruled that voting results transmitted from Hesse voting sections where PC-Wahl devices are used to tally and send votes must also be verified using an independent channel.

Germany is not the only country found to use insecure voting rigs. In January 2017, Dutch security researcher Sijmen Ruwhof discovered security bugs in voting machines used in the Dutch 2009 elections.

Last month, at the DEF CON security conference, researchers took apart US voting machines in a few minutes.

The CCC researchers released their findings in a 20-page report [German only]. They also released the tools they used to analyze and hack into the voting machines on GitHub.