summaryrefslogtreecommitdiff
path: root/updates/2017/pc-wahl.en.md
blob: 13267d7d82a5f1284588078217ac856330970036 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
title: Software to capture votes in upcoming national election is insecure
date: 2017-09-07 03:11:00 
updated: 2017-09-08 21:59:06 
author: 46halbe
tags: update, pressemitteilung, wahlcomputer, voting
previewimage: /images/LogoPC-wahl.jpg

The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.

<!-- TEASER_END -->

Hackers of the Chaos Computer Club (CCC) have studied a software package
used in many German states to capture, aggregate and tabulate the votes
during elections, to see if this software was secure against external
attack. The analysis showed a number of security problems and multiple
practicable attack scenarios. Some of these scenarios allow for the
changing of vote totals across electoral district and state boundaries.
„PC-Wahl“, the software in question, has been used to record, analyse
and present election data in national, state and municipal elections for
multiple decades.

The result of this analysis is somewhat of a „total loss“ for the
software product. The CCC is publishing its findings in a report of more
than twenty pages. \[0\] The technical details and the software used to
exploit the weaknesses are published in a repository. \[1\]

„Elementary principles of IT-security were not heeded to. The amount of
vulnerabilities and their severity exceeded our worst expectations“,
says Linus Neumann, a speaker for the CCC that was involved in the
study.

A depressing finding of the study is that a state-funded team of hackers
is not even necessary to control the tabulation of the votes. The broken
software update mechanism of „PC-Wahl“ allows for one-click compromise.
Together with the lacking security of the update server, this makes
complete takeover quite feasible. Given the trivial nature of the
attacks, it would be prudent to assume that not only the CCC is aware of
these vulnerabilities.

„A whole chain of serious flaws, from the update server, via the
software itself through to the election results to be exported allows
for us to demonstrate three practical attack scenarios in one“, Neumann
continues.

The software can be used to record the result of the counting in a
polling station and to transmit the result to the municipality. The
local election authorities use the same software to aggregate the
results and transmit them to the state election authorities. In some
states „PC-Wahl“ is also used by the state election authorities.

The documented attacks have the potential to permanently impact public
trust in the democratic process – even in cases where an actual
manipulation would be discovered in hours or days. Whether an actual
manipulation is discovered at all depends on the procedures followed in
the various states – at this moment, and as a result of our findings,
these procedures are being changed. In the state of Hesse it is now
mandatory to verify every transmission using „PC-Wahl“ using some
independent channel.

The attack scenarios shown, and the remarkably bad general state of this
software call into question the security of competing products used for
the same purpose. In the Netherlands, the Dutch version of another
product, IVU.elect, used in Germany, was tested by Sjoerd van der Hoorn
and Sijmen Ruwhof. The results were not pretty. \[2\]

„It is simply not the right millenium to quietly ignore IT-security
problems in voting“, says Linus Neumann. „Effective protective measures
have been available for decades, there is no conceivable reason not to
use them.“

A government that prides itself on „Industry 4.0“ and „Crypto made in
Germany“ should promote and use software in the election process that
has publicly readable source code. \[3\] The election authorities should
not have become dependent on suppliers using programming and security
concepts from the past millenium, but instead should promote
transparency and security of election software by supporting new
developments and advancing the state of the art. The sad state of this
piece of election infrastructure is yet more evidence of problems in
goverment IT. The procedures for tendering software projects need to
change.

The primary goal of the CCC security analysis was to raise any security
problems found with the authorities, reminding them of their
responsibilities. A brute manipulation of election results should be
harder now because of the raised awareness and changed procedures. For
the coming national elections of this year, this exposé should not
prevent anyone from going to the polls to have their vote count (and
watch the tallying in the evening)!

**Links**:

\[0\] Bericht: Analyse einer Wahlsoftware (German)
<https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_CCC.pdf>

\[1\] Software Repository: PC-Wahl
Tools <https://github.com/devio/Walruss>

\[2\] Sijmen
Ruwhof: <https://sijmen.ruwhof.net/weblog/1166-how-to-hack-the-upcoming-dutch-elections>

\[3\] „Prototype Fund“ for Open Source
Software: <https://prototypefund.de/>

\[4\] Logbuch:Netzpolitik
(German): <https://logbuch-netzpolitik.de/lnp228-interessierte-buerger>