On Thursday last week hackers from the Germany-based Chaos Computer Club warned that software being used to tabulate and transmit vote totals in Germany’s upcoming parliamentary elections contains major vulnerabilities that could threaten the integrity of the outcome and undermine voter confidence.
In an organisational blog post and technical report it said that the software, PC-Wahl version 10, is susceptible to various external attacks, including those that could secretly modify vote totals before they are reported to electoral officials. To further back up its assertions, the group also published proof-of-concept attack tools on GitHub, including source code.
In its release, the CCC said its findings amount to a “total loss” for PC-Wahl, as the software allegedly does not even adhere even basic principles of IT security.
SC Media contacted PC-Wahl’s via email for a response, and also reached out to the offices of Dieter Sarreither, Germany’s Federal Returning Officer, who is responsible for overseeing federal elections (known in local terms as Bundestagswahl), including September 24’s parliamentary elections.
“The amount of vulnerabilities and their severity exceeded our worst expectations,” said Linus Neumann, a speaker for the CCC, in the blog post. “A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one,” Neumann continues.” The technical report, written in German, elaborates on these scenarios.
Among the key vulnerabilities, the CCC warns, are a broken software update mechanism that “allows for one-click compromise,” and insufficient security measures on the update server that could allow attackers to take it over and distribute malicious updates to users.
“It is simply not the right millennium to quietly ignore IT-security problems in voting,” said Neumann in the blog post. “Effective protective measures have been available for decades, there is no conceivable reason not to use them.”
In November 2016, German Chancellor Angela Merkel expressed concern that Russia-sponsored hackers could attempt to interfere with her country’s electoral process, much as they are accused of doing during the 2016 US presidential election.
Jim Walter, senior research scientist at Cylance, commented to SC Media UK: “Cylance has been very vocal around issues with the systems that support elections and election processes within the US. We are not alone in that effort, yet the same issues and vulnerabilities have persisted for years, with little change in the foreseeable future. Our hope would be that the increased awareness on systems utilised in other countries/governments (in addition to continuing focus on our own) will help to minimise any potential damage by those seeing to disrupt or negatively-influence any election. The pressure needs to be placed on the governments, manufacturers, and any controlling bodies that dictate security standards…and that pressure needs to be applied always to verified enforcement. Without that sort of drastic approach, there will be little improvement.”
Separately, 78 percent of of security professionals are reported to believe election hacking to be an act of cyber-warfare according to a study of 296 security professionals, surveyed by Venafi at the BlackHat conference in Las Vegas earlier this year.
The security industry also believes that governments aren’t doing enough to prevent it – with almost nine in ten (88 percent) supporting this position and, more than a quarter (27 percent) believe that election results have already been impacted by cyber-criminals.
Intelligence agencies have determined that nation-states have already targeted elections globally, with a report from the US National Security Agency (NSA) saying that Russia launched a cyber attack on VR Systems, an election systems provider, prior to the 2016 US presidential election.
“The definition of an act of war is an action by one country against another which is an immediate threat to peace”, said Jeff Hudson, CEO at Venafi. “An attempt at election hacking could easily be considered an act of cyber-war. The intent is to undermine the foundation of government, which is responsible for protecting the country. Elections are being targeted by cyber-attacks, and the potential repercussions of election hacking cannot be understated. Malicious actors have the ability to alter voting databases, delay vote counts and subvert trust in the election process.”
Venafi reports how many countries’ voting machines have vulnerabilities that can be easily exploited, noting that attendees at DEF CON 2017 managed to find and take advantage of vulnerabilities in five different voting machine types within 24 hours.