PC-Wahl software used in Germany for vote counting lack of security

The European biggest hacker collective Chaos Computer Club demonstrated that PC-Wahl software used in Germany for vote counting is insecure.

According to a study conducted by the hacker collective Chaos Computer Club (CCC), the software used in Germany for vote counting is insecure.

The experts have found several vulnerabilities in the voting software adopted by the German Government. The results of the research were released Chaos Computer Club (CCC) a few weeks before the upcoming election of the members of the Bundestag.

On September 24, German citizens will elect their representatives to the German Parliament.

The application used to tabulate votes, PC-Wahl software package, could be hacked. The PC-Wahl software package is used to capture, aggregate and tabulate the votes during elections and experts discovered it is affected by many vulnerabilities.

“Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios.” reads the blog post published by the CCC. “Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries. „PC-Wahl“, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades.”

White-hat hackers reported that the broken software update mechanism of PC-Wahl allows for one-click compromise, considering that the update server lack security,  an attacker can takeover it.

The attack scenario is described as trivial and ill-intentioned could easily target the voting process. The PC-Wahl has been used in any kind of in Germany for many years.

“Elementary principles of IT security were not heeded,” explained Linus Neumann, a CCC spokesman who participated in the study. “The amount of vulnerabilities and their severity exceeded our worst expectations.”

According to CCC, the state of Hesse is investigating every transmission made using the flawed software.

The CCC has released proof-of-concept attack tools with source code to demonstrate the vulnerabilities and to force authorities to take necessary actions.

“The primary goal of the CCC security analysis was to raise any security problems found with the authorities, reminding them of their responsibilities” continues the CCC.

“A brute manipulation of election results should be harder now because of the raised awareness and changed procedures.” 

Hacking of electronic voting systems has been discussed often in the last months especially after allegations that the Russian APTs interfered with US Presidential election.

In a public hearing into the Russian interference in the 2016 Presidential election held by the US Senate Intelligence Committee, the Department of Homeland Security director of the cyber division, Dr Samuel Liles, claimed that the electoral networks in 21 US states were probed by hackers a month before the election. The systems in a few of states were hacked.

The Department of Homeland Security director avoided disclosing the name of the US states. Russian hackers tried to exploit software vulnerabilities in the target systems by using a number of publicly known exploits.

The hackers aimed to get access into election registration and management systems, but not the vote-tallying equipment.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PC-Wahl software package, German election)

[adrotate banner=”12″]