On Thursday last week hackers from the Germany-based Chaos Computer Club (CCC) warned that software being used to tabulate and transmit vote totals in Germany’s upcoming parliamentary elections contains major vulnerabilities that could threaten the integrity of the outcome and undermine voter confidence. In an organisational blog post and technical report, the group said that the software, PC-Wahl version 10, is susceptible to various external attacks, including ones that could secretly modify vote totals before they are reported to electoral officials.

To back up its assertions, the group also published proof-of-concept attack tools on GitHub, including source code. In its release, the CCC said its findings amount to a “total loss” for PC-Wahl, as the software allegedly does not adhere to even basic principles of IT security.

SC Media contacted PC-Wahl via email for a response, and also reached out to the offices of Dieter Sarreither, Germany’s Federal Returning Officer, who is responsible for overseeing federal elections (known locally as the Bundestagswahl), including the parliamentary elections on September 24.
“The amount of vulnerabilities and their severity exceeded our worst expectations,” said Linus Neumann, a spokesperson for the CCC, in the blog post. “A whole chain of serious flaws, from the update server, via the software itself, through to the election results to be exported, allows for us to demonstrate three practical attack scenarios in one,” Neumann continued. The technical report, written in German, elaborates on these scenarios.
Among the key vulnerabilities, the CCC warns, are a broken software update mechanism that “allows for one-click compromise,” and insufficient security measures on the update server that could allow attackers to take it over and distribute malicious updates to users.
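The update-mechanism finding is the one a defender can most directly reason about: a client that applies whatever its update server hands it is only as trustworthy as that server. The following Go program is an added example written for this article; it is not code from the CCC’s proof-of-concept tools, from the technical report, or from PC-Wahl itself. It assumes a hypothetical manifest format (`UpdateManifest`) in which the vendor signs the update’s version and SHA-256 digest with an offline Ed25519 key, and shows the three checks a client should perform before installing anything: verify the manifest signature against a pinned public key, bind the downloaded bytes to the signed digest, and refuse downgrades so an older, genuinely signed manifest cannot be replayed.

```go
package main

// Added example, not from the CCC report or PC-Wahl: the checks an update
// client performs so that a compromised update server, on its own, cannot
// push code onto the client. The manifest format is a hypothetical one
// assumed for this example.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UpdateManifest is the hypothetical signed statement describing an update.
type UpdateManifest struct {
	Version   string // dotted numeric version, e.g. "10.1"
	SHA256    string // lowercase hex SHA-256 of the update payload
	Signature []byte // Ed25519 signature over manifestMessage(Version, SHA256)
}

// manifestMessage is the exact byte string that is signed; the fixed prefix
// keeps the signature from being reused for some other message type.
func manifestMessage(version, digestHex string) []byte {
	return []byte("update-manifest-v1\n" + version + "\n" + digestHex)
}

// SignManifest runs on the vendor's offline signing host, never on the client.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return UpdateManifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestMessage(version, digest)),
	}
}

// parseVersion turns "10.1.3" into [10 1 3] and rejects anything else.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// newerThan reports whether version a is strictly newer than version b.
func newerThan(a, b []int) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x > y
		}
	}
	return false
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrDigestMismatch = errors.New("payload digest does not match manifest")
	ErrNotNewer       = errors.New("update is not newer than installed version")
)

// VerifyUpdate returns nil only if the update may be installed. pub is the
// vendor key pinned in the client; installed is the running version.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte, installed string) error {
	// 1. Authenticate the manifest before trusting any field in it.
	if !ed25519.Verify(pub, manifestMessage(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	// 2. Bind the bytes actually downloaded to the signed digest.
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	// 3. Refuse downgrades and replays of an older signed manifest.
	newV, err := parseVersion(m.Version)
	if err != nil {
		return err
	}
	curV, err := parseVersion(installed)
	if err != nil {
		return err
	}
	if !newerThan(newV, curV) {
		return ErrNotNewer
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload bytes") // constructed sample
	m := SignManifest(priv, "10.1", payload)
	fmt.Println("genuine update:  ", VerifyUpdate(pub, m, payload, "10.0"))
	fmt.Println("swapped payload: ", VerifyUpdate(pub, m, []byte("other bytes"), "10.0"))
	fmt.Println("downgrade:       ", VerifyUpdate(pub, m, payload, "10.2"))
}
```

The order of the checks matters: the signature is verified first, so the version and digest fields are only ever interpreted after they have been authenticated, and the digest comparison happens before the payload is unpacked or executed. With this in place, taking over the update server yields only denial of service (no updates), not code on the client; the private signing key becomes the asset to protect, which is why it stays off the server.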
“It is simply not the right millennium to quietly ignore IT-security problems in voting,” said Neumann in the blog post. “Effective protective measures have been available for decades; there is no conceivable reason not to use them.”