A Chaos Computer Club spokesman said that the number and severity of vulnerabilities found in PC-Wahl software, which will be used in Germany's federal elections, "exceeded our worst expectations."

A European hacker association on Thursday warned that software being used to tabulate and transmit vote totals in Germany's upcoming parliamentary elections contains major vulnerabilities that could threaten the integrity of the outcome and undermine voter confidence.

The Germany-based Chaos Computer Club is claiming in an organizational blog post and technical report that the software, PC-Wahl version 10, is susceptible to various external attacks, including those that could secretly modify vote totals before they are reported to electoral officials. To further back up its assertions, the group also published proof-of-concept attack tools on GitHub, including source code.

In its release, the CCC said its findings amount to a "total loss" for PC-Wahl, as the software allegedly does not adhere to even basic principles of IT security.

"The amount of vulnerabilities and their severity exceeded our worst expectations," said Linus Neumann, a spokesman for the CCC, in the blog post. "A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one," Neumann continues. The technical report, written in German, elaborates on these scenarios.

Among the key vulnerabilities, the CCC warns, are a broken software update mechanism that "allows for one-click compromise," and insufficient security measures on the update server that could allow attackers to take it over and distribute malicious updates to users.

"It is simply not the right millennium to quietly ignore IT-security problems in voting," said Neumann in the blog post. "Effective protective measures have been available for decades, there is no conceivable reason not to use them."

SC Media contacted PC-Wahl via email for a response, and also reached out to the offices of Dieter Sarreither, Germany's Federal Returning Officer, who is responsible for overseeing federal elections (known in local terms as Bundestagswahl), including the September 24 parliamentary elections. The latter inquiry was responded to by Germany's Federal Statistical Office, which referred SC Media to a press release from Sarreither's office.

"For me as a federal election leader, the prevention of manipulation possibilities of the election results for the coming Bundestag election is of the highest priority," said Sarreither in the release. The press statement also says Sarreither has asked regional election leaders to install the latest security updates for PC-Wahl software (including those introduced in response to the CCC's findings) and take steps to ensure the authenticity of electronic election results. Additionally, Sarreither has asked PC-Wahl to address any remaining vulnerabilities by taking into account the recommendations of Germany's Federal Office for Information Security (BSI).

In November 2016, German Chancellor Angela Merkel expressed concern that Russia-sponsored hackers could attempt to interfere with her country's electoral process, much as they are accused of doing during the 2016 U.S. presidential election.