The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.

Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries. „PC-Wahl“, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades.

The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

„Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.

A depressing finding of the study is that a state-funded team of hackers is not even necessary to control the tabulation of the votes. The broken software update mechanism of „PC-Wahl“ allows for one-click compromise. Together with the lacking security of the update server, this makes complete takeover quite feasible. Given the trivial nature of the attacks, it would be prudent to assume that not only the CCC is aware of these vulnerabilities.

„A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one“, Neumann continues.

The software can be used to record the result of the counting in a polling station and to transmit the result to the municipality. The local election authorities use the same software to aggregate the results and transmit them to the state election authorities. In some states „PC-Wahl“ is also used by the state election authorities.

The documented attacks have the potential to permanently impact public trust in the democratic process – even in cases where an actual manipulation would be discovered in hours or days. Whether an actual manipulation is discovered at all depends on the procedures followed in the various states – at this moment, and as a result of our findings, these procedures are being changed. In the state of Hesse it is now mandatory to verify every transmission using „PC-Wahl“ using some independent channel.

The attack scenarios shown, and the remarkably bad general state of this software call into question the security of competing products used for the same purpose. In the Netherlands, the Dutch version of another product, IVU.elect, used in Germany, was tested by Sjoerd van der Hoorn and Sijmen Ruwhof. The results were not pretty. [2]

„It is simply not the right millenium to quietly ignore IT-security problems in voting“, says Linus Neumann. „Effective protective measures have been available for decades, there is no conceivable reason not to use them.“

A government that prides itself on „Industry 4.0“ and „Crypto made in Germany“ should promote and use software in the election process that has publicly readable source code. [3] The election authorities should not have become dependent on suppliers using programming and security concepts from the past millenium, but instead should promote transparency and security of election software by supporting new developments and advancing the state of the art. The sad state of this piece of election infrastructure is yet more evidence of problems in goverment IT. The procedures for tendering software projects need to change.

The primary goal of the CCC security analysis was to raise any security problems found with the authorities, reminding them of their responsibilities. A brute manipulation of election results should be harder now because of the raised awareness and changed procedures. For the coming national elections of this year, this exposé should not prevent anyone from going to the polls to have their vote count (and watch the tallying in the evening)!

Links:

[0] Bericht: Analyse einer Wahlsoftware (German) https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_CCC.pdf

[1] Software Repository: PC-Wahl Tools https://github.com/devio/Walruss

[2] Sijmen Ruwhof: https://sijmen.ruwhof.net/weblog/1166-how-to-hack-the-upcoming-dutch-elections

[3] „Prototype Fund“ for Open Source Software: https://prototypefund.de/

[4] Logbuch:Netzpolitik (German): https://logbuch-netzpolitik.de/lnp228-interessierte-buerger