
Software to capture votes in upcoming German national election is insecure - heinrich5991
https://ccc.de/en/updates/2017/pc-wahl
======
lima
Here's the report: [https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_C...](https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_CCC.pdf)

It's truly disastrous. Some of the findings:

- The automated software updates have no signature and are downloaded
insecurely over HTTP

- The webserver the updates are downloaded from is hosted using a shared
hosting package at 1&1, on a host with >5000 other customers (implying an easy
takeover using local privilege escalation)

- The reason they know this? They found multiple PHP scripts vulnerable to
arbitrary read and write vulnerabilities, so they got full RCE on the server.

- FTP access credentials for the website were contained in a public ZIP file
(named test.zip)

- Vote results are transmitted using either insecure FTP whose credentials
weren't rotated for years or an equally insecure XML protocol. No signatures
in sight.

- Said insecure XML protocol is a _government standard_

They also took a look at one of the local government's infrastructure:

- test/test were valid VPN credentials

- FTP credentials were publicly downloadable with R/W access to vote results

- Vote result encryption was reversible thanks to a hardcoded symmetric key

The report goes on to detail even more trivial security issues, including
home-grown "encryption" algorithms worse than what you'd find in a beginner
CTF challenge.

None of the steps taken in response addressed the fundamental, obvious
security policy issues. Even their band-aid fixes were broken. For example,
they started signing their binaries, but forgot to check the signature.

Given the lack of any security awareness whatsoever, even if they properly
sign their binaries, their build server is probably easy to compromise.

RCE demo: [https://vimeo.com/232581770](https://vimeo.com/232581770)

Have a look at the site in question:
[https://www.wahlinfo.de/](https://www.wahlinfo.de/)

The local government they worked with responded by enforcing verification and
transmission of the results using an independent channel.
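
The "started signing their binaries, but forgot to check the signature" finding is exactly the client-side step an update mechanism has to get right. The following Go program is an added example written for this thread, not code from the CCC report or from the PC-Wahl vendor: the vendor side signs a version-bound SHA-256 digest of the update with Ed25519, and the client verifies that signature against a pinned public key and refuses downgrades before applying anything. The key pair, payload bytes, version numbers and the `Update` struct are all constructed for the demonstration; `applyUpdateUnchecked` is a hypothetical function that mirrors the broken band-aid (signature carried along but never checked) so the two behaviours can be compared side by side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a downloaded update package: a
// monotonically increasing version, the binary payload, and a detached
// Ed25519 signature over signingInput(Version, Payload).
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update signature does not verify against the pinned key")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// signingInput binds the version number to the payload hash, so a signed
// older release cannot be replayed as a downgrade and the signature covers
// the whole payload through its digest.
func signingInput(version uint64, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	buf := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, digest[:]...)
}

// signUpdate is the vendor-side step; only the build server holds priv.
func signUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingInput(version, payload)),
	}
}

// applyUpdateUnchecked (hypothetical) reproduces the "signed but never
// checked" band-aid: the signature is ignored, so any payload that arrived
// over plain HTTP is accepted as-is.
func applyUpdateUnchecked(u Update) ([]byte, error) {
	return u.Payload, nil
}

// applyUpdateVerified is the client-side check that was missing: verify the
// signature with the pinned public key, then refuse anything not newer than
// what is installed.
func applyUpdateVerified(pub ed25519.PublicKey, installed uint64, u Update) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, signingInput(u.Version, u.Payload), u.Signature) {
		return nil, ErrBadSignature
	}
	if u.Version <= installed {
		return nil, ErrRollback
	}
	return u.Payload, nil
}

// Scenario records what each code path did with a genuine update, a payload
// altered in transit, and a replayed older release.
type Scenario struct {
	GenuineAccepted          bool
	TamperedErr              error
	UncheckedAcceptsTampered bool
	RollbackErr              error
}

// RunScenario generates a throwaway key pair (a real client would ship with
// the public key pinned at build time) and exercises both verifiers.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	const installed = 7
	genuine := signUpdate(priv, 8, []byte("constructed update payload v8"))

	var s Scenario
	_, err = applyUpdateVerified(pub, installed, genuine)
	s.GenuineAccepted = err == nil

	tampered := genuine // same version and signature, payload swapped on the wire
	tampered.Payload = []byte("constructed payload altered in transit")
	_, s.TamperedErr = applyUpdateVerified(pub, installed, tampered)
	_, err = applyUpdateUnchecked(tampered)
	s.UncheckedAcceptsTampered = err == nil

	old := signUpdate(priv, 6, []byte("constructed update payload v6"))
	_, s.RollbackErr = applyUpdateVerified(pub, installed, old)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update accepted: %v\n", s.GenuineAccepted)
	fmt.Printf("tampered update (verified path): %v\n", s.TamperedErr)
	fmt.Printf("tampered update accepted by unchecked path: %v\n", s.UncheckedAcceptsTampered)
	fmt.Printf("replayed old release: %v\n", s.RollbackErr)
}
```

Signature verification alone is not enough if the transport is HTTP and the server is shared, which is why the version check is in the same function: an attacker who can serve arbitrary bytes can otherwise hand out a genuinely signed but old, vulnerable release. The public key still has to reach the client through a channel the update server cannot touch, typically baked into the installer.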

~~~
CM30
Forget the problems electronic voting has if it's implemented well, this sort
of stuff is the real reason to be worried about systems like this. Because
there's a tendency for governments and councils to outsource the work to
whatever contractors are the cheapest or to hire developers who don't know a
thing about security.

A secure evoting system is hard enough to implement, and even a well done
version is worse than a paper ballot. But it's the kind of system described
here that'd be the likely result of electronic voting being implemented in
countries like the US. A hacked together, insecure piece of junk that's wide
open to being compromised by bad actors at every level.

~~~
majewsky
> there's a tendency for governments and councils to outsource the work to
> whatever contractors are the cheapest

Not just a tendency. When choosing a contractor, government offices in Germany
are _required_ to choose the lowest bidder who fulfils (or rather, claims to
fulfil) the requirements stated in the call for bids.

~~~
Angostura
To be fair, that is more a rationale for having really good people speccing
your system and producing detailed requirements.

~~~
laumars
The level of detail you're talking about to prevent the kind of mistakes they
made is so specific that you might as well just develop the thing in house
since you clearly already have the experience.

Maybe what we need is a rule that any critical government infrastructure
should be independently pen tested before it's bought. This should hopefully
put off the inexperienced from taking on such projects and offer a way out for
governments should the contract go sour.

~~~
carlmr
I agree, this is often an issue. In my company a lot of people only make
specs, and the "development" for a lot of components is outsourced. But these
specs are basically developed already, so in the end, we're only making the
expensive developers write a spec that's so detailed that it's more work to
write the detailed spec, than if you programmed it directly from a non-
detailed spec.

------
ygra
Of note in general regarding elections in Germany is that there's a
constitutional right to be able to follow the process of elections including
the vote count. That's also the reason behind electronic voting machines being
banned because, while counting votes by hand is cumbersome, it's a process
that everyone can follow and understand. You can actually watch the counting
process if you want to.

And as the article states, at least one state apparently doesn't trust this
software enough that they mandate verification that the correct results have
been transmitted and obtained via an independent channel.

The only benefit all this has is that a preliminary result of an election can
be obtained a few hours earlier. Whether that's worth having an election that
can be manipulated without anyone noticing is anyone's guess, but I believe
the BVerfG may have a say in that, as it did for voting machines.

~~~
SkyMarshal
Out of curiosity, to what extent are German political parties involved in the
voting process? In the US, it's usually state governments that run it and they
can be susceptible to whichever political party controls the government then.
Sounds like Germany may handle this issue better?

~~~
_Codemonkeyism
Citizens are asked to manage the voting process and counting.

I've helped in this role for a long time, but considered my duty done as it
sometimes was a lot of work deep into the nights, especially if several
elections and referendums were conducted at the same time.

Everyone can attend the voting process and counting process.

Schools etc. for places to vote, voting booths, paper etc. is supplied by the
administration as is the selection of citizens who manage the voting and
counting process. The Federal Returning Officer is responsible for organizing
elections (for federal elections; similar posts exist for state elections and
I assume local ones).

[https://en.wikipedia.org/wiki/Federal_Returning_Officer](https://en.wikipedia.org/wiki/Federal_Returning_Officer)

~~~
majewsky
> Everyone can attend the voting process and counting process.

As a sidenote, this is not just a theoretical right. People are exercising it.

I volunteered as an election assistant in one of the previous elections in
Germany. We were a team of five assigned to a constituency of about 1000
voters, and when we counted the votes, three citizens were present to observe
the counting. As I submitted the results (via phone) to the next-higher level,
I also noted the numbers down for myself and checked, later in the evening,
that the numbers on the website of the returning officer matched those that I
recorded. (They did.)

~~~
_Codemonkeyism
"As a sidenote, this is not just a theoretical right. People are exercising
it."

Same experience here.

------
fabian2k
Just to clarify, voting machines are not used at all in Germany. The votes are
made on paper ballots and counted entirely by hand.

The software this is about is for collecting the vote counts and transferring
it to a central location, as far as I understand it. It's still a serious
issue, but a quite different one to compromised voting machines.

~~~
r00fus
"It's not the people who vote that count. It's the people who count the
votes." (Joseph Stalin)

s/people/machines/ and you get the gist. Centralized tabulation machines are a
ripe target for abuse.

~~~
harry8
You have paper as the source of truth. Sample paper counts, look them up in
the aggregated computer count; if they don't match _exactly_, invalidate the
count and get the raw ballots.

Really it is serious, but not so serious as when you have _no_ paper as your
source of truth, USA.

~~~
Amezarak
The US situation varies by state. Most states do have paper ballots.

[https://ballotpedia.org/Voting_methods_and_equipment_by_stat...](https://ballotpedia.org/Voting_methods_and_equipment_by_state)

------
lordlarm
Norway recently decided [0] it would manually count the votes in the upcoming
election (11th of Sep) after it was revealed that the machines responsible for
automatic counting were connected to the Internet and full of potential
security exploits [1].

Some details on the software (ReadSoft FORMS) and the process (EVA Scanning):
[https://valg.no/om-valg/om-valg2/maskinell-opptelling-av-val...](https://valg.no/om-valg/om-valg2/maskinell-opptelling-av-valg-i-norge/)

Sources (Norwegian only):

[0]: [https://www.nrk.no/norge/krever-manuell-stemmetelling-i-alle...](https://www.nrk.no/norge/krever-manuell-stemmetelling-i-alle-kommuner-1.13668374)

[1]: [https://www.nrk.no/norge/teller-opp-stemmer-i-valget-pa-data...](https://www.nrk.no/norge/teller-opp-stemmer-i-valget-pa-datamaskiner-tilkoblet-internett-1.13660659)

------
sverige
I have yet to hear a compelling argument for any form of voting that involves
networked computers.

I worked with a guy who was in charge of the IT for Colombia's elections years
ago. He had many interesting (i.e., _harrowing_ ) stories of the attempts by
"bad guys" to gain physical access to the central servers. Plus what are
probably the usual stories of hacking attempts. I remember thinking, Why not
just use paper ballots? No one is going to take office until months after the
election.

The chief advantage of computers, speed of counting and providing results, is
not needed in that situation, so the liabilities from its inherent
vulnerability to altering votes outweigh the benefits.

~~~
conanbatt
>I have yet to hear a compelling argument for any form of voting that involves
networked computers.

You do bigger and more important decisions than voting everyday from your
phone and computer.

If voting were as easy as sending an email, you would be able to vote on every
topic, instead of voting on someone every 4 years.

------
Sujan
As scary as it is, this is one of the official websites of that software:

[https://www.wahlinfo.de/pcwahl/index.html](https://www.wahlinfo.de/pcwahl/index.html)
(German only)

There is also [https://vote-it.de/?page_id=156](https://vote-it.de/?page_id=156)
which is a bit more modern, but also shows this is a <10 person shop. Not at
all what I expected.

~~~
Xylakant
> but also shows this is a <10 person shop

It's a niche market, I'm not surprised. I'd actually prefer if the software
was paid for by the government and developed by a single (or a pair of)
competent developers and open-sourced. It's probably possible to pull it off
with that man-count, you certainly won't need more than a handful.

~~~
pbhjpbhj
In the UK one of our problems is that a couple of companies really own it on
'expertise at winning government contracts'.

A small company isn't going to be able to compete there, Capita or someone
will get it. They know how to go over budget by £Billions and still not
deliver a working product ... I'm guessing it's similar across Europe because
of procurement regulations for governments??

------
madeofpalk
Australia has not moved to electronic voting, I can't see it moving to
electronic voting (especially in light of the recent online Census debacle),
and I'm very glad for this.

------
kennydude
Paper based elections are the only way to ensure and verify elections are
taking place honestly and fairly.

~~~
wakeywakeywakey
Why? Can you provide more detail?

~~~
kennydude
It can be inspected and visible. You cannot verify a computer is running the
exact same code you want it to be.

~~~
drdaeman
In a properly designed end-to-end verifiable voting system, you don't need to
verify the code. Black boxes work just fine, you need to be able to verify
that the output had indeed matched your input.

I'm not advocating use of computers, though. I believe paper ballots with some
math attached are the way to go. That way there are both anti-fraud properties
baked in the system (one can verify that their vote wasn't messed with), and
the classic hard copies so any person who can do some basic arithmetic can
count and re-count votes just fine.

Unfortunately, I think all the systems I've read about either were found to
have some issues (usually, it's about vote secrecy) or just too new
(essentially, not so well reviewed).

~~~
kennydude
In order to verify the output matched the input, you will need paper and to
verify it by hand. Which is just a waste of time adding computers...

~~~
drdaeman
Not really. To verify, you need to perform the computations using the tools
you can trust. It can be pen-and-paper-and-brain, or it can be a personal
computer.

------
lordvon
I think cybersecurity in general is hugely lacking. I have had personal
devices compromised by an individualized targeted attack and found that there
are no tools to easily and reliably diagnose which of your devices are
compromised (at least for someone who is not a cybersecurity expert). It seems
to me that if someone wants to compromise your devices, they can; offensive
tools far outperform current defensive tools. There also does not seem to be
any strong legal recourse.

------
folli
From a PR perspective, it would make sense that some White Hat Hackers
(possibly crowd funded) put in the effort to actually capture such an election
and turn the result into an obvious joke (e.g. by voting a fictional character
or an obvious third-tier lunatic outsider).

This could be used as very illustrative material to teach the general public
about these risks, better than some hypothetical scenarios and "boring"
articles that the average voter is not going to read anyway.

~~~
leni536
To be fair, that's not really "white hat". Also being resistant to rigging is
only one of the threat models of an election. The votes remaining anonymous is
another one. I doubt that you can hack that in a "white hat" way.

------
moortaube
There is also a YT-stream in German with one of the three authors
(#heiseshow).

[https://www.youtube-nocookie.com/embed/t0hSiyM4jiM](https://www.youtube-nocookie.com/embed/t0hSiyM4jiM)

