<i>rC3 preroll music</i>

Herald: Now, our next talk is Hacking
German elections, insecure electronic

voting count, vote counting, how it
returned and why you don't even know about

it. For the Germans listening here, did
you noticed that in Germany, voting became

more electronic recently? In case you're
out of Germany. I do live in Germany and I

did not notice that myself. However, both
of our speakers volunteered as election

workers in Germany and research on the
topic of security for elections. And they

promised to tell us how this can be, how
elections can be made more secure again.

Our speakers are Tobias, he is an IT-
Security researcher focusing on offensive

security, automotive security and capture
the flag challenges. And Johannes. He's a

post-doctoral IT-Security researcher and
both work together at the

Fraunhofer AISEC Institute.
Enjoy the talk.

<i>Stille</i>

Johannes: Hello and welcome to our
presentation on Hacking German Elections.

Insecure electronic vote counting, how it
returned and why you don't even know about

it. My name is Johannes Obermaier
Tobias: and I am Tobias Madl. We are both

very much involved in elections in Bavaria
because we're election workers and offer

support here in Germany.
J: And we are offensive IT-Security

researchers.
T: First of all, we want to talk about the

scope we are presenting today. We got our
information and the software from today,

from the municipal elections in Bavaria
happening in the early 2020. And it was a

computer based vote counting technology.
So we were very concerned, when we

interacted with it. And in the end, we
featured the questions, are elections

still secure? Next, I presented the
outline we are talking about today, and

first of all, we are looking at the
electronic vote counting system. And next,

we identified some conceptual and
practical issues with this technology.

Afterwards, we also inspected the software
and found some insecurities. And in the

end, we have summary and conclude our
presentation.

J: To understand why we need electronic
vote counting, let's just have a look at

the voting ballot. This voting ballot is
in its paper form about one meter wide and

50 centimeters high. So, that's a quite a
large ballot, that's a lot of candidates.

Let's just sum up the facts. So, we have a
total of 599 candidates that are spread

out over nine parties. Each citizen is
allowed to cast up to 70 votes in this

election. So, that sounds simple, but it
gets even more complicated now, because

you can cast up to three votes per
candidate and you can even choose multiple

candidates of different parties up to your
70 votes. And even if you decide yourself

to vote for a single party, you can still
strike out candidate that you personally

don't like. And so they don't get any
votes from your ballot. That means, this

voting system gives a lot of power to the
citizens and voting is fun.

However, counting out those ballots is very
difficult because you need to know a lot

of special rules in this voting system to
really count each ballot correctly. That's

the reason that a software such as OK.VOTE
has been developed. OK.VOTE is a typical

software for elections that's also used in
the polling stations for vote counting.

So, OK.VOTE has a quite large market
share. They say they have a like 75% in

Germany. So that software is used in
several states. OK. VOTE has several

different modules for organizing
elections, for example. But what we know

have a look at in this talk is only the
vote counting module of OK.VOTE Where the

election voters insert each paper ballot
and manually type it in all the votes in

each ballot and then they are stored in
the computer system. So, and the task of

OK.VOTE is to process each ballot to count
the votes, to find out if the ballot is

correct, then it stores all the ballots
into its database and finally it does some

magic and computes the final result. So,
this sounds quite similar to what a voting

machine does. But wait a moment. Voting
machines, in my Germany?

T: Wait, that's illegal.
J: Is it really illegal? Let's have a look

at the legal regulations about it. So,
yes, in 2009, there was an important

decision by the German federal
constitutional court and they said, that

the use of voting computers in the 2005
Bundestag election was unconstitutional.

Because, for example, the voting computers were 
not transparently enough. So, that is very

similar to that what we have also found
for the municipal elections. But wait, we

are here talking about the Bundestag
election. But this is the municipal

election and we have different rules for
the municipal elections. For example,

there is the GLKrWO, that's the Gemeinde-
und Landkreiswahlordnung Bayern,

which basically translates to the Bavarian
municipal election rules. And those rules

say, that we are indeed not allowed to use
a computer for voting, but computers can

be used for vote counting. So, and in this
situation, I would expect, that we have

some sort of security requirements there
in those regulations. But I try to find

them. And I was really surprised. There
are exactly zero.

T: So, if there are no legal requirements, 
are there at least any software side

requirements or certifications for 
OK.VOTE which promise some security?

J: Yes, there are. So, I had a look at the
website and I saw this nice little

paragraph here. And it says, Elections
with security and during the development

of OK.VOTE, they put the highest emphasis
on the topic security. They follow the BSI

and OWASP recommendations on security, and
they have a certified data center with

very high security standards
T: And how does this look like in

practice?
J: Oh, I rather would not show you this

here. It's it's really scary. This is what
I have seen here, when I walked in the

election room. This is not a stock photo.
I took this photo myself and this is the

reality. So, I walked up to the guys and
said, well, shall we really use these

computers to count out the elections and
they said, yes, that are the computers

that are available here. So, and I pray to
God that for some reason does not work

out. And Windows XP did not disappoint me
because when I tried to start the

software, it failed because that are 32
bit systems and OK.VOTE needs 64 bits. So,

yeah, that was great. So, we did not use
that Windows XP machine. So, instead we

had to search for another machine and came
across this one here. That's a Windows 10

machine. That's fine. However, it has an
outdated virus scanner. So, well, it it's

better than nothing. So, this machine was
used instead then. So, but just let's keep

in mind what they are promising us:
election security. We really doubt that.

Let's now look at the IT environment and
why it came to that situation. So, first

of all, this is not fully the fault of
OK.VOTE, because it's the task for the

local administration to provide hardware
for vote counting and AKDB, the vendors of

OK.VOTE say, that they recommend to use
secure administration computers. That's

fine so far, but we simply don't have
enough secure administration computers for

that purpose. So, for example, in the town
where I'm from, we needed around 8

computers to count out this election and
we simply did not have enough in the town

hall. And whats even more, the election
room, it was in a school and there are

already school PCs available there. So,
they were just using the school PCs. So,

and those were even elementary school
computers. So, I'm not really sure about,

if all the pupils know, which link they
are allowed to click and which one they

should rather not click on. So, this
systems might be insecure, there might be

malware within, and even if it's possible
that someone had manipulated them in

advance, we cannot really exclude that.
However, I don't want to blame the

administration here because they did a
great job in organizing this election.

It's really much to do for them and it did
really well. So, everything worked out

well at the end. However, they are no IT-
Security specialists and we cannot demand

from them, that they know each detail on
how to set up a system correctly and what

are the risks that are associated with
insecure computer systems in elections?

That's just not their job. So, however, we
still ended up with untrustworthy systems

here. Because, as we have seen before,
there are no legal regulations against it.

Now, let's see how we create a digital
result.

T: Exactly. So, we went to our voting
places. We were presented with each one

got a PC and we got the ballot stack we
had to count and then enter the results.

So, Johannes is Team 2 and I was Team 1
and we started entering the ballots in the

PC. And from this on, they were digitized
Team 1 in green and Team 2 in blue.

J: As soon as I was finished entering my
ballots, I put them on a USB drive and

handed them over to Team 1.
T: Exactly. I imported these votes,

because I was the master machine at this
time, and the OK.VOTE software then

finalised these voting elections and
exported their results finally again on an

USB stick. And these were then delivered
on for further processing.

J: What is the problem with that all?
First of all, there's a lot of

intransparency. So, for example, the
software that is being used for vote

counting, OK.VOTE, it's not an open source
software. It's closed source and nobody

was able to analyze this yet. So, and
since this is closed source software, it

is also very hard to understand how the
software works and if it really counts

correctly, Because we have, in the end, we
have hundreds of ballots there and it's

really difficult to tell, if they have,
indeed, been counted correctly. So, and

although we have seen this before, there
is no basis for a secure vote counting, if

we have possibly rigged computer system.
So, we cannot exclude that someone has

manipulated them pre-election wise. So, if
there is some manipulation, this would

hardly be detectable by a standard
election worker. So, this means that the

entire election process becomes very
intransparent and hard to understand for a

person who just wants to observe the
election. So, that is strictly against the

idea of a public counting of votes.
T: So, now let's talk about the step that

happens after we finish counting 
in each of the teams.

J: So, what do you do after you have
exported the final election results?

How do they come to the 
central administration?

T: Yeah, I've just entered my vehicle and
took the USB sticks in my pocket and drove

to the master PC. But, as you maybe know,
Election Day is always very busy day and

might some teams are slower at counting.
Some teams are faster. So, the master team

doesn't know when these USB sticks arrive.
If they take two or three hours or half an

hour, they don't know really. So, I could
just go and grab something to eat on my

way. Or I can manipulate the vote. I mean,
deliver the votes. And yeah, in the end,

one day, when I arrive at the master PC, I
just give them my USB stick, they enter it

and they take the data that is stored on
there and nothing else. And afterwards,

they just uploaded the final 
results on the page.

J: Now you might think, why is it possible
for him to manipulate election results?

Because there's no authenticity. There's
only integrity protection of the file that

he is transporting. So some CRC32 and a
SHA hash, but nothing like a cryptographic

signature. So, even if he alters the data,
he can just regenerate all the integrity

protection data and the data will just be
accepted. So, the main issue here is also,

that this is one of the few spots where
only a single person has unsupervised

access to the data during transport of the
voting data at all. And that makes

manipulations possible and easily feasible
in this case. And that should not be the

case, especially in an electronically
supported election. Now, let's have a look

at the vote counting software itself,
because there we found even more

interesting results.
T: Exactly. Let's begin with the system

architecture. First of all, this is the
local or decentralized version of the

software system. So all this is taking 
place on the local host, on the machine we

encountered in the lecture rooms and on 
these machines, where it was an Apache Tomcat

Web server running, which was connected to
a MariaDB, and the user was interacting

with the voting system via a portable
Firefox and as AKDB said in before they

were very concerned with security. So,
let's think about what attackers are they

had in mind when they designed the system
and from which the system is to protect

from. Is it the user that maybe attacks
the system, the vote count system, which

is normally just election workers that are
on their free time there to help executing

the election, or are they having the
network attackers in minds that come from

completely different places and try to
manipulate the network from outside? First

of all, we took the user as one of the
possible attackers. And even in this

environment, we found some really broken
stuff. First of all a broken access

control. But how it's how it's all about.
Well, that's the log in page when we just

logged in our voting system and clicked on
administration page where we can change

our password and edit our profile. These
are the buttons on the left. And as you

can see, we are clearly logged in as the
user42. And there is no more things to do

than select which counting part we want 
to do, the general regional vote or the

municipal votes. And that's all we can 
do on this page. Now let's switch to the

system administrator. There we have the 
admin account, as you can see on the left

upper side, where we can now do very much
more than the normal user. We are again on

the administration page, but now we have
the user administration where we can

create or delete users. We have the reopen
or close voting mechanisms. We have

imports, we have exports and also what's
not included in the screenshots submenus

like deleting finalized results or and so
on. So, we picked out two very interesting

URLs for you. First of all, we are taking
the "Bezirk wieder eröffnen" which is

translated just to reopen the election
after election as closed at normal. It's

normally finalized, so no more votes can
be entered in the system. And the other

link is "Löschen". So that translates to
delete data, which then in the end deletes

all the data from from the machine. So, no
more private or secure data is stored on

there. And this is what they look like
when we only open them on the left side.

We see to reopen dialog. On the right
side, we see the data delete. But wait,

this is not the admin view, this is the
user view. So, they did not check if this

user is even allowed. And we also have to
say, that this is not just the view of it,

it is fully working and is completely
functional, when you just go through the

process of deleting or reopening as an
election.

<i>Alarm sound</i>
J: What's the problem with that?

T: Yeah, as you maybe already guessed,
reopening elections could create a

probability of sneaking in some additional
votes for the candidate I favor and

additionally, if I want to mess with all
of the voting, I could just delete all the

election data and we would have to start
from the beginning and completely delay or

deny the voting.
J: But why is this even possible?

T: Yeah, we found out that this is their
access control check in their software

this function is called getZugriffRollen,
which translates to get access roles. So

normally there will also be the software
in place to check if this role is allowed

to access this kind of site. But they just
returned null and not implemented it.

And that's also nice work to implement
access control. However, I think we can

propose some mechanisms that could have
prevented this. First of all, hidden

information is nothing you could rely on.
If you just don't show where you can click

to get to this url or to this page. That's
not really secret because maybe you find

some leaked source code or you make sure
serving at an admin or you just by

accident type in the wrong url and get to
this hidden information. Or you, exactly,

use software scanners to find something
hidden. So hidden data is just not secure.

And on the other hand, you should finalize
your implementation of access control to

have access control and even test it 
once to be sure that it works. So in the

end we can conclude that hidden 
data is not protected data.

T: Let's now come to another type of
attacks. Cross-site attacks. A cross-site

attack is some sort of interference
between two websites. Where one website,

for example, tries to do something on
behalf of the other. The goal is often to

deceit the user or to trigger the
manipulations. First of all, we were quite

sure that they have thought of cross-site
attacks. Because doing our testing, we saw

that they included some HTTP-Headers that
target a wide range of attack vectors that

use Cross-site scripting attacks. For
example, here we have X-Frame-Options:

same origin. That means that other pages
can not include the voting software into

their own frames and so on. And also
cross-site scripting protection is enabled

via X-XXS-Protection. So this looks quite
good because this already excludes several

attack vectors. But how about cross-site
request forgery? When we first tested

this, we found out that the vote counting
system is not fully protected against it.

What is cross-site request forgery? So in
the first step, the election worker uses

the integrated Firefox Browser to accept 
a malicious website. So the user is

triggered to visit this website. For
example, someone sent him a link triggered

him to click on the link by the promise,
for example, of a cute animal picture or

some sort of that. And then the user
visits this website. And this website

contains form fields that resemble the
form fields of the actual vote counting

software. And the malicious website now
triggers your browser to submit this form

data, not to the original website, but
rather to the vote counting software. And

as soon as it reaches the Tomcat web
server, the web server is confused.

Because the web server cannot discern the
input from the cross-site attack from the

malicious website from original user
input. And then the Apache Tomcat server

just thinks that this is original user
input and will process it. And that's

called a cross-site request forgery
attack. So we saw that there is sometimes

a protection against this sort of attacks.
But many pages are not protected against

it. And that is very concerning because
that's a 2001's vulnerability. It's almost

20 years old now and it's still present in
such a software. So this is quite

unsettling here. Now, let's sum this up.
What we can do with it. So, first of all,

the issue is that they have missing CSRF
tokens or any other good countermeasure

against cross site request forgery
attacks. And the second point is here,

that only minimal user interaction is
required. The user often doesn't even see

that a cross-site request forgery attack
is currently being executed on his behalf.

So it's almost undetectable by the user.
And it's very simple to trick a user into

clicking a link. So the impact is very
devastating because we can now manipulate

settings in the vote counting software.
And we can even insert fake ballots here.

<i>Alarm sound </i>
T: So what's the result of this?

What we can do with it?
J: Well, we can manipulate the entire

election with this. Let's just use a demo.
How we do this.

T: Nice.
J: We are already logged in into the vote

counting system. Our username is
admin321934. Now let's count some votes.

As we can see here, these are all the
ballots that we can enter. They are still

empty since we haven't entered any ballots
yet. So let's start. For simplicity, we

just have two parties here. On the left
hand side we have the good party. Who

wants the best for the people. On the
right hand side we have the bad party

who wants to take power and is willing to
even commit election fraud. Let us begin

and enter the first paper ballot. The
person has voted for the good party. So we

enter this into the software. Now we save
the ballot and go to the next one. Again,

it's a vote for the good party. Let's
enter it and save it and go to the third

ballot. And again, it's for the good
party. Let's save our third ballot. Now we

go to the ballot overview and we look what
has happened. As you can see, we now have

three ballots that have successfully been
entered. At next, let's check the

preliminary election results. As we can
see here, we have a total of three ballots

that have been entered into the system.
That's correct. Three ballots contained

votes for the good party. That's also
correct. And zero votes have been given to

the bad party. That's fine so far. Next, I
will show you what happens if i open a

malicious website. This website will
execute a CSRF attack and manipulate the

election results. Let's just assume we
want to take a break and simply both

twitter. OK, here we are. There's a cute
cat picture and there's a link to even

more of them. Let's just play along and
get tricked into clicking that link. Oh,

look at all those cute animal pictures,
look a hungry rabbit, a monkey, a little

hedgehog and two cute goats and so on, and
when we are done browsing, we close those

tabs again and return to our vote counting
software. What we notice now is, that our

username has been altered and we just got
pwned. We were tricked into visiting this

malicious website. The website executed a
CSRF attack on the vote counting software

and did some manipulations. Let's see what
else has changed. However, all three

ballots are still there, but now we take a
look at the preliminary election results.

What you can see here is that the number
of ballots that are in the system has been

increased to eight. We now have five
additional ballots that were not entered

by us. As you can see, the good party
still has three votes. That is what we

have entered. But now the bad party has
taken the lead. They have five votes now.

This attack has indeed manipulated the
election results. This is really bad

because we cannot even see those
additional fake ballots that have been

injected. However, we are lucky because we
noticed it since we have expected this

attack. But we won't notice 
it in every case.

T: But what happens if we don't notice?
J: Well, that happens. So, for this

example, we just assume that team 1 had
three ballots that they have entered into

the computer system and team 2 has six
ballots that have been entered into the

computer system. Now team one visits a
malicious website and five fake ballots

are injected into the election results. In
this case, the attacker is very smart and

injects the ballots at the location where
the team 2 ballots will be expected in the

future. So what happens now is: team 2
exports their ballots and team 1 tries to

import the ballots of team 2. And now the
following thing happens: Because there are

already ballots present at the location
where the team 2 ballots should go to, the

import process is not fully successful and
only a subset of the ballots are imported

so that the majority of the ballots into
this case, five or six ballots are just

discarded because they don't fit in the
database anymore because that location is

already taken by the fake ballots. So
usually we would expect that this can

generate an error message or at least a
warning. But this does not happen. This is

a silent failure of the software. And
what's even worst is now that the sums

finally are correct. So that means we now
have nine ballots present in the system

and nine paper ballots that were initially
available. So this looks like we have

entered all the ballots and everything
seems to be fine. So we will now close the

election and generate the final result.
And that is what happens now. As you can

see, we have only four votes for the good
party, but five votes for the bad party.

So the bad party has won the election by
manipulating the voting system, using this

CSRF attack. And that should never be
possible because this is not what we

expect for a voting software. And in this
case, the result is rigged. So have we

thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other

side of the coin. First, we checked the
election worker side for attacks, but now

we checked the network side and scanned
and analyzed the system at first. And then

we looked like this: Open ports
everywhere. And as you can see, they fully

exposed the Apache Tomcat and the MariaDB
to each available network on the system.

And with this, we thought, well, let's maybe 
try some newly discovered vulnerability,

which was recently found in 2020 called
Ghostcat. And Ghostcat is an attack

against AJP protocol from Apache. But
let's check the Apache system and how it's

built. First, Apache has a web root which
serves static resources and HTML or JSP

files. And additionally, it can include
class files or class sublets which are

combined with this JSPs or HTML files and
then served to the user. So we prepared

our ajpShooter with the URL of the
application, the port and the file we want

to read. In our case, it's a PrivateTest
class file because, what we

could leak about this, but we'll see. And
then we said we only want to read it

because there would even be the
possibility to evaluate it and execute the

code in it. So we've done this attack and
TADA we've got a result. This is the byte

code of the PrivateTest class. So let's
just drop this byte code in our cup of

coffee and maybe we can pull out some
source code from it. And yeah that's what

we've read out because why not. Just test
your encryption mechanism with the string.

But this is not a common string as you
later found out. This is the real root

productive password of the MariaDB. And
this was like:

<i>Alarm sound</i>
So what's the problem? As you maybe

clearly see with this attack, we could
leak out the login of the MariaDB and

probably even more logins or passwords.
And additionally, we could leak the whole

source code over the network without ever
accessing the PC in the election room. And

this was only possible because they
completely exposed all machines and

applications to the network and this
should never be the case. So in result:

How can this be prevented? First, you
should never expose these unneeded ports

to internet because they don't even use
the AJP proxy in their application, but

just left it on the 0.0.0.0 interface.
Next is: You should keep your software up

to date. That if some vulnerabilities were
found. You should not be vulnerable to it.

And last but not least: Never use
productive passwords in your unit tests

because that's not the best idea to do. In
the end, to sum it up: Avoid at all costs

any additional attack surface to prevent
these kind of attacks, even if you don't

know about them yet.
J: So, after Tobi has shown us a lot of

interesting and patchy stuff. I tested the
database for its security. For the first

analysis. I was just starting with the
same PC, but also the software was

installed and I tried to gain access to
the database. So it was coming from the

host localhost. I tried to use the
username root and then I saw that I am

asked for a password before I'm allowed to
connect to the database. However, finding

the password was quite trivial to do
because all the stuff I needed to know for

that was included in that last file and I
was able to decrypt the password without

any issue here. And that moment I realized
that also the password that Tobi has shown

us before, that he found with the Ghostcat
vulnerability is indeed the MySQL root

password here. So after I had access to
the MySQL system, I tried to dump the user

table to look which users are allowed to
access the database. So and that is how

the user table looks like. We have four
times the user root and the user root

requires a password if I'm coming from
localhost. But wait a moment. Here we also

have the host pci90309. And as you can see
here, there is no MySQL password

statement. That means that someone coming
from host pci90309 is almost allowed to

connect as root and does not even need to
provide any password for that. And thats

really strange.
<i> Alarm sound </i>

T: So what could happen from this?
J: Well, now someone on the network can

now just lump voting manipulation. That's
quite trivial because as soon as I set my

host to the correct hostname, I get full
access to the database where all my local

voting results are stored. And since I'm
root, I can interfer with them. I can

change them however I want to. And this
vulnerability is so damn weird and

trivial, it takes me no effort to do this
at all. And so we won't even go into a

demo here because it's so stupid simple in
this case. Usually I would say that's

enough for today because we already have
full access to the voting system and can

change whatever we want to. However, this
time we decided to go deeper because we

saw pci90309 is a real door opener. So we
have access to the voting results. We can

change them, but we still don't have
access to the entire voting system. So

what about the PC? Might it be possible,
with that root access to the database

server, to gain remote code execution at
that machine? So for this experiment, I

used the following setup. On the right hand
side we have a voting system with the

exposed MariaDB database server. On the
left hand side that's my system. I named

myself pci90309, just because i can do it,
and I establish a connection to the

MariaDB server. I use root as a username.
I don't need any password. And it is

immediately accepted. So now that I am
connected, I'm allowed to issue commands.

For example, I can now instruct MariaDB to
enable one of its plugins. This plugin is

called ha_connect. It's one of the plugins
that usually come directly with MariaDB.

And this is a very powerful MySQL storage
driver. So now I will show you what I can

do with that storage driver. So at next, I
will now create a table that's called pwn.

And I'm using the ha_connect storage
driver and instruct the storage driver to

create a file that's called pwn.dll and to
place it right into that plugin folder.

There is nothing that stops me from doing
so. So that is one of the special features

of the ha_connect storage driver, that I
can just say, this table is mapped to that

file in the file system. However, this
file is still empty because the table is

empty. But since this is a database, I can
now just issue INSERT INTO statements and

load whatever data I want to, for example,
some malicious DLL. I can just load into

the table, via that INSERT INTO a
statement, and then it is directly written

into our malicious DLL "pwn.dll". Ok, so
at next, after I've finished writing, I

will instruct MariaDB to enable this
plugin that I have just uploaded. And

enabling a plugin means that we are
executing the code that is stored in this

DLL file. So that means we have remote
code execution.

<i> Alarm Sound </i>
T: I don't even ask what you can with

remote code execution.
J: Well, I can do anything. So that means

I have no gate, full control over the
entire vote counting system. So I'm not

only talking about the data in the
database, I'm talking about the entire

computer that I can now fully control and
manipulate however I want to. And that's

possible, only by using the voting
software and accessing it over the network

interfaces that it had exposed. And now
I'll show you how simple this is to

execute an arbitrary program on the system.
T: This is the vote counting computer

system. To begin, let's start the vote
counting software. Now, the Apache Tomcat

Web server and the MariaDB database server
are being launched. Finally, the Firefox

portable is started. The system is now
ready for operation. But beware, the

attacker becomes active, his host name is
the infamous pci90309, immediately it

launches the python attack script
"fun.py". It connects to the MariaDB

server as root without a password and
uploads a malicious DLL plugin. When the

upload has been finished, the malicious
plugin is executed. As we can see, the

calculator was started thus remote code
execution was successful. The vote

counting computer system is now under
control of the attacker.

J: After we have found so devastating
issues with the vote counting Software, we

immediately notified the vendor AKDB
T: And they were very professional about

it and responded very quickly to our
initial emails. So we really like working

together with them and telling them our
results and they were always

positive about it. So they also
recommended some fixes.

J: So, for example, they told us, you
should only use that voting software in a

secure environment like in an
administrational network. However, we

don't really believe that this is a good
solution.

T: Exactly. And we are not very happy
about this proposal, because we have two

problems that still arise, even if it's in
a secure environment. First of all, an

administrative PC could still be infected
with some malware or it could be

manipulated before the election takes
place. And in the second hand, we have

this bug with the broken access control,
you remember. And even if you would have

been in the secure environment, this bug
would have been totally worked and you

could have completely deleted all data
work or reopened elections or something

like this.
J: But we are still quite happy that they

took us seriously, because they even have
announced updates. So, for example, they

wrote us that they are planning on adding
XSRF tokens for the pages where we found

cross-site vulnerabilities. So that's
already a good step into the right

direction. So now let's summarize what we
have presented today. So first of all, we

discovered several problematic aspects
in the concept and its practical

implementation. So, first of all, the
entire voting system, it's running on

untrustworthy computer systems. So it
could have been manipulated beforehand.

They could have malware on them or they
just could not function correctly. So

that's already very problematic from the
beginning, because we have no underlying

trust that we can put into those systems
and we are using them to count out our

votes, to count out the entire election.
So what's even more is, that even if they

use the software and the PC, that lies
beyond it, is secure, it still has not

enough transparency. It's very hard to
understand what the software is exactly

doing and how it is doing this. So, I
cannot really understand how does it come

to its result. Please keep in mind, that
we have almost 600 candidates and several

hundreds of ballots that have all to be
input into that computer system and then

some magic happens and it spits out its
result. So, then we just have to take this

result, because it's just impossible to
check, if really each vote has been

counted correctly or is there anything
strange has happened or any manipulation

took place.
T: And this is also possible, because we

found lots of vulnerable software and not
just the system security was affected, but

it was also absolutely possible to
manipulate the whole election from very

many parts in the network. And this leads
us to conclude that these elections are at

a high risk with this technology.
J: So, and that is the reason that we want

you as election worker. The more eyes are
looking at the election, the more secure

it becomes. And if you are interested in
becoming an election worker, just get into

contact with the local administration.
They are always very happy to have

volunteers, who want to take part as
election workers. So and for my personal

experience, I'm doing this for several
years now. It's also a lot of fun. You get

into contact with a lot of people. So I
enjoyed this a lot and I can just

recommended it and this is a good way, how
everyone of us can support the democracy

in their country.
T: So, to conclude our talk, we found out

that security in this technology is really
bad and that's not all of it.

J: So, this is just the tip of the
iceberg, because we look only at one of

the solutions that is available for vote
counting. And this was also in a special

configuration. So what is even more
difficult to see is, what happens behind

all the stuff we have seen today, because,
when we export the data and bring it to

the central administration and the data is
imported and uploaded, so where does all

this data go, where are all the results
from all this data from all the polling

stations are summarized? We don't know
that yet, how this works. We don't have

the software, that we can analyze. So
there's still a lot of work that has to be

done. Here to really check the entire
system, we just took a look at a very

small portion and that is just the vote
counting software here.

T: Next, we were very shocked that this
information, that vote counting is already

shifted to software, is not publicly
known. And this is also why we we created

this talk today as this is an information,
that is crucial for the democracy, that

there is already this software in use and
it is not really secure. So this was a big

thing for us to keep bringing it out to
the people.

J: So and one other thing is, everything
that we have seen today is entirely legal,

because at least in Bavaria, we don't have
any rules or any laws against the use of

unsecure computer systems, of unsecure
vote counting software. So, as we've seen

in the beginning, we only have very rough
legal guidelines that says, well, you can

just use computers for vote counting, but
we need stricter guidelines here, because

it cannot continue as we've seen it today
and in other states in Germany there is

sometimes something like, let's say,
guidelines or even certification process

for such digital software. But in most
states that I had a look at, there are no

rules at all and nothing that should
continue in the next years that way.

T: Additionally, in the end, before any of
this software to electronically count the

votes should go live, unbiased tests for
everyone should be available to prove

themselves, that this software is secure
and this software is doing what it's

promising to us. Because it is directly
influencing our democracy. And if this

software is manipulated, it manipulates
our voting, our election and our

democracy. So in the end, we can just
leave you with two questions.

T: How much digital support is required?
J: And how much is tolerable?

<i>No Audio</i>

Herald: Thank you very much for the
interesting talk, Johannes and Tobias. And

thank you very much for your work on the
topic. I hope you do have time for a

little Q&amp;A. We have quite a few questions,
actually.

J: Sure.
M: All right. So the first question from

the Internet is, is there any suspicion
that these vulnerabilities have been

actively used?
J: Well, it's very hard to tell. So, at

least for the town that I am from, I did
not notice any special occurrences there.

So, however, I don't have an overview of
entire Bavaria, so, that's quite hard to

tell. I think it's even impossible to
tell, if there were any manipulation so

far. So, unfortunately, we cannot say
that.

T: Additionally, we are just at one place
in this whole system. So we don't have an

overview, if there was any mismatching
numbers or any other influences that

happened, but that we didn't see at the
moment, because we were just at one

position in the system, at one station 
of the election.

M: OK, thank you for the answer. Ah, do
you believe that it is possible to have a

digital ballot that is as secure and
trustworthy as physical or paper based

voting is?
J: Well, in my opinion, that's not

possible, if you want to have the same
sort of transparency that we have in the

paper based voting system, because, when
we have paper based voting, we can just go

into the voting room and watch what's
going on there. We can see the ballots

that are handed in, the ballots that come
out of the box. Then, they are counted,

are summed up. I can really try to find
out what's going on there. I can have a

look at that. Understand what people are
doing there, but at the moment, that we

have only a digital vote, I cannot really
find out, if the computer is doing the

right thing, if there were some
manipulations. So, in terms of

transparency, I don't think it is possible
in the same. Yeah, in the same way as the

paper based ballots, for example.
T: I would have to add to this, if there

would be the possibility to get the same
traceability and visibility that you can

always see which results came from, from
which position. And if they are signed

very transparent, then it may be possible
in any future, but not with any kind of

this software, we saw there.
M: All right. Thank you. Do you, by any

chance, know which states in Germany use
these software OK.VOTE as far?

T: We cannot directly say which states
actively use them, because we only took

place in elections here in Munich or
Bavaria. But, we can tell, that we found

very much hints in the source code that
they were also used in, for example,

Hamburg, Bremen, Hessen or Rheinland-
Pfalz, but we don't know if they were

already used there or if it's planned to
be used there or did they already used

them in the past elections and decided
against them for future ones. We don't

know about this, exactly.
M: OK, maybe we can stay for a second on

your job as an election worker. The
process of manually entering data into the

system, is there a process for this? Do
you have an idea on the risk of this part

here?
J: Yes. So, it's basically the thing, that

they are at least two or three people
sitting in front of each computer and then

they are entering each ballot. So people
are really cross checking that the ballot

has been entered correctly. So, it's like
one person has the ballot in front of him

or her and the other person reads the
votes and the other person types it in and

they are cross checking each other. So,
that there isn't any error doing typing in

those election results in the computer.
M: All right. Thank you for the

elaboration. Someone is asking, how the
system's connected to the Internet or some

other network of the understanding of the
talk was correctly received by that

person. The results are written to some
physical medium which is turned into

transmit the results. So you sense
something physically. So, why care for the

Windows version or the, what is running on
these machines? Is that correct

understanding?
J: Well, the problem with that is, that it

depends on the local administration, how
they set up their computer systems. So, I

also read this in a chat here. Someone has
written, that they had their voting

software in a, yeah, in a very limited
network connectivity. So, the computer was

not connected to the Internet. However, it
depends very on the administration and on

the computer network that is being used
there. So, it is entirely possible that

computers are connected to the Internet,
because there are no guidelines on how

these computers are allowed to be set up.
So, I cannot fully exclude this. So, and

if someone, for example, just enables the
wireless network or connects to some

unsecured hotspot, they are connected
then. So, it's it's hard to tell here, but

I would not exclude this possibility.
T: To extend this answer. We even try to

find out, if there's any software side
protection that checks, if there is any

internet connection is present and then
would deny this voting system. But, there

wasn't or at least we couldn't find one.
So even if the administration was not

advised, if these PCs should be
disconnected from the network. There isn't

even a security mechanism in place, that
would check this and stop it or even show

a warning, that this is connected and they
should be disconnected from the Internet

before the counting can begin.
M: Interesting. All right. We have one

message on the IRC, from someone who
worked with this particular piece of

software in demo mode by themselves,
obviously. And the question they have, is:

Did you notice the possibility to enter a
negative votes for a candidate? So saying

minus two votes, for instance.
J: Well, that's difficult to tell. I

thought about, if this is possible, so
perhaps you might have to manipulate the

database directly. So I'm not entirely
sure. I'm not sure, if I tried this out

this one. So, but however, as soon as I
have a data, as I have database access,

it's entirely possible to manipulate
anything. So. Well, we could try this out

again. However, I don't think that changes
much in our result. So, yeah, that's

interesting questions of I cannot answer
this right now, so I'm not sure, you Tobi,

have you tried out something like that?
T: We've tried manipulating some already

submitted votes, but I think, this was not
really possible. However, as you showed,

when you export the data and import into
the main PC, the votes that were already

in place, possibly by an attacker, would
then discard the newly imported votes. So,

this would probably replace this data and
these votes, but via the Web interface, I

think it was not possible. However, we
found the enough vulnerabilities with

database access that you could do it by
this way, if you want to.

M: All right. Thank you for your
explanation. Out of pure curiosity, people

ask, how did you get access to the software
in the first place? To start your analysis?

J: Well, that's a good question here,
because, theres a nice story behind that.

So, I was election worker and I was
supporting setting up a system and doing

some IT support in the evening. And at
some point, we tried to merge our results.

So we exported the results from one
computer to move them to the other one.

However, the import failed, because, there
is some artificial limitation in the

software. So, as soon as your export files
are larger than 10 megabytes, they cannot

be imported anymore. So this happens quite
quickly, when you have a few hundreds of

votes, of few hundreds of ballots and then
the import doesn't work anymore. And I had

a look at this file, and that was just a
JSON file with a lot of whitespace. So, I

copied all this stuff to my computer to
fix this. And there was also later on, a

software fix that was published by the
software vendor. However, then I had the

software on my computer, just because I
wanted to fix this election. And it was

very late at night. And I returned home
and I noticed, oh, I still have that

software on my computer. Let's have a look
at this. So, yeah, it was just by chance.

So, I tried to fix something, got all the
software on my PC and then I had it ready

to analyze even with some data on that, so
that I really knew how this works in

practice. And yes, but if someone would
try to gain access to that software,

that's quite simple, because they could
just restore the deleted data from one of

the computers that are in the schools.
Perhaps, someone doesn't even delete the

election software from their computers, in
your school, or some person could just

steal one of the USB sticks, that have
been used for installation. So, I don't

even think, that would be noticed then.
M: Interesting, indeed, you mentioned in

your talk, that the software is certified
by the BSI, that they claim to be

certified by the Open Web Application
Security project, but how could such a

broken system can be certified by both
parties in the first place? And what's

wrong with the certification process? Yes,
this obviously happened. I mean, like, why

not use a certified. What do we do
certified in the first place, if it gets

certified, even if it's broken?
T: I think the first point about this is,

that we already mentioned in the talk,
that there are no legal requirements. You

don't need any certification, that this
software can be used in our voting, in our

elections here in Germany or in most parts
of Germany. And additionally, this

screenshot we show with OWASP and the BSI
was just the promotion of the AKDB for

their software, but I think there was no
real certification attached. So, we don't

know if we the BSI ever saw this software for 
real or if they just put it on there and said,

yeah, BSI certificate certified or with
the BSI standards in mind, like they

already have already the IT Grundschutz
and they maybe tried to implement, after

this system architecture. But the BSI
never checked on it. So, I don't think

there's any real certification for the
software.

J: So, just to add a few details here,
that's not really a certification, that

they just said that they follow the BSI
and OWASP guidelines. I think, that was

also the wording that was used on the
website. So, theres no real certification

behind that, so far.
M: Thank you for the answer. Do you know

by chance, how the municipalities
published the election results?

J: Well, I don't know in detail how it
works. So, when we handed in our election

results, they got uploaded onto some other
software. And that's also the end that

I've seen. So end up in the computer
system and they are electronically

transmitted. And that, first of all, it
generates a preliminary file. And finally,

that's a final result generated by it.
However, I don't really know how this

works, but the election results that were
generated, with OK.VOTE are definitely

going into the final result. So, perhaps
there's also some paper based protocol

between them. I don't really know if
they're using the data that's in the

computer or the data that is on the paper.
But, however, it doesn't change very much

here.
M: OK, on. Coming over here a bit, the

last question would be: What, in your
experience, how practical and expensive

are hand recounts here and did you observe
these?

T: I think, this is very different from
election to election and from city to

city, if this is a rather small town, you
could probably easily reelect all this or

all the votes and recount the votes. But,
if this is a big city like Munich, for

example, with millions of votes, and you
would have to recount this, this would

particularly delay the voting or the
results pretty much. And this could have

really bad influences, if this would
happen. That software has shown that kind

of manipulation has happened and they had
to recount all the stuff by hand again.

J: So, counting this by hand is, indeed,
very, very effortful, because they have

like 70 votes per ballot. And even summing
up all that is still error prone, if it's

done by hand. So, it's difficult to do
that. And up to my knowledge, it's not

generally recounted after the election.
So, I try to find something in the

Internet regarding that. And I just found
some PDF, that they said, well, it's not

feasible to recount all the election
results and all the ballots. So, that's

just rather do a meter level check on: is
the protocol complete? How about the

special ballots, that were not really
clear and so on? But it's not like, every

ballot will be recounted, as far as I
understand.

M: OK. Oh, thank you very much Tobias an
Johannes for answering all the questions.

Thank you again for your talk.
J: Thank you.

M: Thank you.

<i>rC3 postroll music</i>

Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!