Barely weeks before Germany's upcoming federal elections, hackers have detected serious flaws in election software that can be exploited by a moderately skilled hacker.
Germany's election software can be hacked and modified to change vote totals across electoral district and state boundaries.
Chaos Computer Club, a German hackers' collective, has said that it observed a "host of problems and security holes" in election software that will be used for recording and tallying votes during the upcoming federal elections. The vulnerable PC-Wahl software has been used in Germany's national, state and municipal elections for decades and will be used again on 24th September.
"The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries," said Chaos Computer Club in a statement.
Even though the German Federal Court has declared usage of electoral machines unconstitutional, the PC-Wahl software is still in use as it helps in the organization, recording, and evaluation of elections. However, if manipulated by a hacker, the software has the power to influence the ultimate outcome. This may not be good news for Angela Merkel who is seeking re-election to a fourth term as Chancellor and is not exactly a Kremlin favourite.
According to Chaos Computer Club, PC-Wahl can be configured to manipulate the results in several electoral districts at the same time. However, if a hacker is more proficient, he can use it to manipulate the results in several Federal States at the same time.
The vulnerable software can be used to manipulate the final result and also to control the votes cast by citizens. While the vulnerability is a serious concern, what is worrying is the fact that the election software can be hacked into so easily.
During their analysis, the hackers observed that the PC-Wahl software contains several different, apparently self-developed symmetrical "encryption routines" which are used to back up software updates against tampering and to upload critical passwords.
Given that all information necessary for decryption is included in the programme code itself, a hacker can easily extract such information and re-implement them. The hacker can also read 'encrypted' passwords in the .INI files and can use them to maniputate election results. What's worse, a hacker can install a malicious patch in the software and can use the modified variant to manipulate official results.
In all, the hacker consortium identified several flaws, including inadequate protection of the server used for distribution and operation of the software, lack of encryption and signature of the transmitted results, inadequate encryption of login information, and lack of authentication and fingerprinting in the software and its updates.
The consortium also confirmed that following their analysis, Vote-IT, the manufacturer of the said software, has introduced new patches to remove vulnerabilities in servers and has also taken other steps to ensure the software remains safe from malicious hackers.
According to Frank Rieger, a spokesman for the Chaos Computer Club, the consortium began its analysis after an independent security researcher had raised questions about problems with PC-Wahl.
He told CNN that the 'CCC has called on the government to "promote and use software in the election process that has a publicly readable source code," so that security flaws can be found and resolved more quickly, and to support the development of new, state-of-the-art election software.