Vulnerability Management

Severe flaws in voting software threaten integrity of German elections, hacking collective reports

A European hacker association on Thursday warned that software being used to tabulate and transmit vote totals in Germany's upcoming parliamentary elections contains major vulnerabilities that could threaten the integrity of the outcome and undermine voter confidence.

The Germany-based Chaos Computer Club is claiming in an organizational blog post and technical report that the software, PC-Wahl version 10, is susceptible to various external attacks, including those that could secretly modify vote totals before they are reported to electoral officials. To further back up its assertions, the group also published proof-of-concept attack tools on GitHub, including source code.

In its release, the CCC said its findings amount to a "total loss" for PC-Wahl, as the software allegedly does not even adhere even basic principles of IT security.

"The amount of vulnerabilities and their severity exceeded our worst expectations," said Linus Neumann, a speaker for the CCC, in the blog post. "A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one," Neumann continues." The technical report, written in German, elaborates on these scenarios.

Among the key vulnerabilities, the CCC warns, are a broken software update mechanism that "allows for one-click compromise," and insufficient security measures on the update server that could allow attackers to take it over and distribute malicious updates to users.

"It is simply not the right millennium to quietly ignore IT-security problems in voting," said Neumann in the blog post. "Effective protective measures have been available for decades, there is no conceivable reason not to use them."

SC Media contacted PC-Wahl's via email for a response, and also reached out to the offices of Dieter Sarreither, Germany's Federal Returning Officer, who is responsible for overseeing federal elections (known in local terms as Bundestagswahl), including September 24's parliamentary elections. The latter inquiry was responded to by Germany's Federal Statistical Office, which referred SC Media to a press release from Sarreither's office.

"For me as a federal election leader, the prevention of manipulation possibilities of the election results for the coming Bundestag election is of the highest priority," said Sarreither in the release. The press statement also says Sarreither has asked regional election leaders to install the latest security updates for PC-Wahl software (including those introduced in response to the CCC's findings) and take steps to ensure the authenticity of electronic election results. Additionally, Sarreither has asked PC-Wahl to address any remaining vulnerabilities by taking into account the recommendations of Germany's Federal Office for Information Security (BSI).

In November 2016, German Chancellor Angela Merkel expressed concern that Russia-sponsored hackers could attempt to interfere with her country's electoral process, much as they are accused of doing during the 2016 U.S. presidential election.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.