Vulnerabilities discovered in German electoral system
The Chaos Computer Club (CCC), a group of German hackers, is warning that there are major flaws in software that will be essential to the vote count in Germany’s September 24 legislative elections.
The CCC said on Tuesday that hackers could destabilise the German general election if the choice of the 61.5 million Germans who will cast their ballots on September 24, either to re-elect Chancellor Angela Merkel or to replace her, is not respected.
The CCC published a report online giving details as to how the election could be hijacked. While electronic voting is illegal in Germany, results are transmitted to the electoral commission electronically. It is there that the vulnerabilities lie. The software used in much of the country to send the votes to the Federal Election Commission is not secure, the CCC said. And the weakness is so obvious that it was discovered easily by a 29-year-old computer scientist.
PC-Wahl in the crosshairs
The program used to send results, PC-Wahl, doesn’t adhere to “the basic principles of computer security, and the number of vulnerabilities discovered far surpasses our worst fears,” said Linus Neumann, spokesman for Berlin-based CCC. The weakness comes from the lack of an electronic signature on the transmitted data to prove that it is genuine. Without one, hackers could intercept the results and modify them.
And the passwords for accessing the PC-Wahl interface are not hard to find. For starters, the same ID is valid for multiple municipalities. “It is like a hotel where all the doors are closed, but where the same key opens them all,” Neumann said.
The PC-Wahl software can also be easily modified. The program updates automatically on a regular basis, but the updates aren’t well-protected from hackers. A cybercriminal could fairly easily swap an official update with a version that would allow him or her to control the software.
The defects were discovered at the beginning of the summer and the manufacturer of PC-Wahl was quickly alerted. Several modifications later, the Chaos Computer Club is still not satisfied with the results. The improvements made “do not stand up to even superficial security tests”, the report notes.
In an interview with the weekly Die Zeit, the manufacturer of PC-Wahl defended itself by stating that “even in cases of piracy, the final result of the vote will be legitimate because there is always the paper trail for verification.” The CCC and the computer scientist who made the original discovery acknowledge that if there is the slightest doubt, the electoral commission will be able to verify the results against the paper ballots.
But the CCC contends that the flaws that still exist in the software might cast suspicion on the election results, which “weakens the democratic process,” Neumann said. Some authorities have taken note. In Hesse, the head of the electoral commission asked local election officials to compare the results that will be published online on the evening of the election with those they sent in. And national authorities are now working with the makers of PC-Wahl to make sure the software is as secure as possible come election day.