Security researchers from the Chaos Computer Club (CCC) have discovered that the software used to capture, aggregate, and tabulate the votes in many German elections had multiple vulnerabilities, exposing it to trivial potential attacks.
The proprietary software, called PC-Wahl, has been used to record, analyze, and present election data in national, state, and municipal elections for decades. The CCC hackers argued that the security holes are severe enough that they could jeopardize the trust in the final results of the upcoming parliamentary election (unless the security flaws are patched by then).
PC-Wahl Security Vulnerabilities
The CCC researchers were surprised to find that many security best practices were not followed for a piece of software that is so important for the integrity of the election results in Germany.
"Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations," said Linus Neumann, a speaker for the CCC that was involved in the study.
The list of vulnerabilities includes:
- Updating the software over HTTP and not using signatures to ensure the authenticity of the updates
- The update server was installed on shared hosting plan, which made it vulnerable to local privilege escalation attacks.
- The FTP access credentials were located in a public file called test.zip that anyone could have found.
- Voting results were transmitted over non-secure FTP transmissions that only rotated credentials once every few years. Alternatively, they could be transmitted over a non-secure XML protocol (that also happens to be a government standard)
- The votes were encrypted with a hardcoded symmetric key, which made it easy to decrypt them.
The researchers also argued that an attack could be launched so easily against the system that the attackers wouldn’t even have to be state-sponsored. The broken update mechanism would allow for an easy one-click compromise by any random attacker. The even worse news is that the CCC researchers may not be the only ones who already knew about these vulnerabilities.
"A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one," Neumann said.
Increasing Public Trust In German Elections
As many as 60 million Germans could vote on September 24 in the parliamentary election. The votes themselves are done on paper, but that may not help much when vulnerable software such as PC-Wahl can allow attackers to change the totals in transit before the votes are counted and announced.
To ensure that what was transmitted was accurate, the votes would have to be recounted by hand, which could be expensive and time-consuming. Plus, for that to process to start, enough people would first have to distrust the initial election results. Having a large portion of the voters distrust the election results wouldn’t be an ideal situation for a developed democracy such as Germany. It would be far preferred and less expensive to fix the security holes that the CCC researchers uncovered before they cause too much damage to the integrity of German elections.
Neumann argued that the German government, which prides itself on "Industry 4.0" and "Crypto made in Germany" should also prioritize the use and promotion of election software that has publicly readable source code. This would make it easier for security researchers to analyze the software being used in elections and allow them to quickly identify yet-to-be uncovered security flaws. Neumann added that the government should strive to avoid becoming dependent to suppliers of proprietary software that continue to use programming and security concepts from the past millennium.
The CCC researchers believe that their goal to raise awareness about the vulnerabilities in the election software has been accomplished and that the government should now at least try to take the necessary precautions to avoid a brute manipulation of next election’s results. However, long-term changes will be needed to make the election process more robust in the future.