Return to Video

#rC3 - Hacking German Elections

  • 0:00 - 0:12
    rC3 preroll music
  • 0:12 - 0:18
    Herald: Now, our next talk is Hacking
    German elections, insecure electronic
  • 0:18 - 0:24
    voting count, vote counting, how it
    returned and why you don't even know about
  • 0:24 - 0:32
    it. For the Germans listening here, did
    you noticed that in Germany, voting became
  • 0:32 - 0:38
    more electronic recently? In case you're
    out of Germany. I do live in Germany and I
  • 0:38 - 0:43
    did not notice that myself. However, both
    of our speakers volunteered as election
  • 0:43 - 0:50
    workers in Germany and research on the
    topic of security for elections. And they
  • 0:50 - 0:57
    promised to tell us how this can be, how
    elections can be made more secure again.
  • 0:57 - 1:02
    Our speakers are Tobias, he is an IT-
    Security researcher focusing on offensive
  • 1:02 - 1:07
    security, automotive security and capture
    the flag challenges. And Johannes. He's a
  • 1:07 - 1:12
    post-doctoral IT-Security researcher and
    both work together at the
  • 1:12 - 1:19
    Fraunhofer AISEC Institute.
    Enjoy the talk.
  • 1:19 - 1:25
    Stille
  • 1:25 - 1:29
    Johannes: Hello and welcome to our
    presentation on Hacking German Elections.
  • 1:29 - 1:34
    Insecure electronic vote counting, how it
    returned and why you don't even know about
  • 1:34 - 1:40
    it. My name is Johannes Obermaier
    Tobias: and I am Tobias Madl. We are both
  • 1:40 - 1:45
    very much involved in elections in Bavaria
    because we're election workers and offer
  • 1:45 - 1:49
    support here in Germany.
    J: And we are offensive IT-Security
  • 1:49 - 1:53
    researchers.
    T: First of all, we want to talk about the
  • 1:53 - 2:00
    scope we are presenting today. We got our
    information and the software from today,
  • 2:00 - 2:06
    from the municipal elections in Bavaria
    happening in the early 2020. And it was a
  • 2:06 - 2:12
    computer based vote counting technology.
    So we were very concerned, when we
  • 2:12 - 2:17
    interacted with it. And in the end, we
    featured the questions, are elections
  • 2:17 - 2:24
    still secure? Next, I presented the
    outline we are talking about today, and
  • 2:24 - 2:29
    first of all, we are looking at the
    electronic vote counting system. And next,
  • 2:29 - 2:34
    we identified some conceptual and
    practical issues with this technology.
  • 2:35 - 2:41
    Afterwards, we also inspected the software
    and found some insecurities. And in the
  • 2:41 - 2:47
    end, we have summary and conclude our
    presentation.
  • 2:47 - 2:52
    J: To understand why we need electronic
    vote counting, let's just have a look at
  • 2:52 - 2:58
    the voting ballot. This voting ballot is
    in its paper form about one meter wide and
  • 2:58 - 3:03
    50 centimeters high. So, that's a quite a
    large ballot, that's a lot of candidates.
  • 3:03 - 3:11
    Let's just sum up the facts. So, we have a
    total of 599 candidates that are spread
  • 3:11 - 3:17
    out over nine parties. Each citizen is
    allowed to cast up to 70 votes in this
  • 3:17 - 3:23
    election. So, that sounds simple, but it
    gets even more complicated now, because
  • 3:23 - 3:29
    you can cast up to three votes per
    candidate and you can even choose multiple
  • 3:29 - 3:36
    candidates of different parties up to your
    70 votes. And even if you decide yourself
  • 3:36 - 3:41
    to vote for a single party, you can still
    strike out candidate that you personally
  • 3:41 - 3:46
    don't like. And so they don't get any
    votes from your ballot. That means, this
  • 3:46 - 3:52
    voting system gives a lot of power to the
    citizens and voting is fun.
  • 3:52 - 3:58
    However, counting out those ballots is very
    difficult because you need to know a lot
  • 3:58 - 4:04
    of special rules in this voting system to
    really count each ballot correctly. That's
  • 4:04 - 4:09
    the reason that a software such as OK.VOTE
    has been developed. OK.VOTE is a typical
  • 4:09 - 4:15
    software for elections that's also used in
    the polling stations for vote counting.
  • 4:15 - 4:20
    So, OK.VOTE has a quite large market
    share. They say they have a like 75% in
  • 4:20 - 4:26
    Germany. So that software is used in
    several states. OK. VOTE has several
  • 4:26 - 4:32
    different modules for organizing
    elections, for example. But what we know
  • 4:32 - 4:40
    have a look at in this talk is only the
    vote counting module of OK.VOTE Where the
  • 4:40 - 4:47
    election voters insert each paper ballot
    and manually type it in all the votes in
  • 4:47 - 4:53
    each ballot and then they are stored in
    the computer system. So, and the task of
  • 4:53 - 4:59
    OK.VOTE is to process each ballot to count
    the votes, to find out if the ballot is
  • 4:59 - 5:04
    correct, then it stores all the ballots
    into its database and finally it does some
  • 5:04 - 5:10
    magic and computes the final result. So,
    this sounds quite similar to what a voting
  • 5:10 - 5:18
    machine does. But wait a moment. Voting
    machines, in my Germany?
  • 5:18 - 5:23
    T: Wait, that's illegal.
    J: Is it really illegal? Let's have a look
  • 5:23 - 5:30
    at the legal regulations about it. So,
    yes, in 2009, there was an important
  • 5:30 - 5:35
    decision by the German federal
    constitutional court and they said, that
  • 5:35 - 5:40
    the use of voting computers in the 2005
    Bundestag election was unconstitutional.
  • 5:40 - 5:49
    Because, for example, the voting computers were
    not transparently enough. So, that is very
  • 5:49 - 5:54
    similar to that what we have also found
    for the municipal elections. But wait, we
  • 5:54 - 5:59
    are here talking about the Bundestag
    election. But this is the municipal
  • 5:59 - 6:03
    election and we have different rules for
    the municipal elections. For example,
  • 6:03 - 6:10
    there is the GLKrWO, that's the Gemeinde-
    und Landkreiswahlordnung Bayern,
  • 6:10 - 6:17
    which basically translates to the Bavarian
    municipal election rules. And those rules
  • 6:17 - 6:23
    say, that we are indeed not allowed to use
    a computer for voting, but computers can
  • 6:23 - 6:29
    be used for vote counting. So, and in this
    situation, I would expect, that we have
  • 6:29 - 6:36
    some sort of security requirements there
    in those regulations. But I try to find
  • 6:36 - 6:41
    them. And I was really surprised. There
    are exactly zero.
  • 6:41 - 6:45
    T: So, if there are no legal requirements,
    are there at least any software side
  • 6:45 - 6:51
    requirements or certifications for
    OK.VOTE which promise some security?
  • 6:51 - 6:56
    J: Yes, there are. So, I had a look at the
    website and I saw this nice little
  • 6:56 - 7:03
    paragraph here. And it says, Elections
    with security and during the development
  • 7:03 - 7:11
    of OK.VOTE, they put the highest emphasis
    on the topic security. They follow the BSI
  • 7:11 - 7:16
    and OWASP recommendations on security, and
    they have a certified data center with
  • 7:16 - 7:21
    very high security standards
    T: And how does this look like in
  • 7:21 - 7:24
    practice?
    J: Oh, I rather would not show you this
  • 7:24 - 7:30
    here. It's it's really scary. This is what
    I have seen here, when I walked in the
  • 7:30 - 7:34
    election room. This is not a stock photo.
    I took this photo myself and this is the
  • 7:34 - 7:40
    reality. So, I walked up to the guys and
    said, well, shall we really use these
  • 7:40 - 7:44
    computers to count out the elections and
    they said, yes, that are the computers
  • 7:44 - 7:50
    that are available here. So, and I pray to
    God that for some reason does not work
  • 7:50 - 7:55
    out. And Windows XP did not disappoint me
    because when I tried to start the
  • 7:55 - 8:03
    software, it failed because that are 32
    bit systems and OK.VOTE needs 64 bits. So,
  • 8:03 - 8:09
    yeah, that was great. So, we did not use
    that Windows XP machine. So, instead we
  • 8:09 - 8:14
    had to search for another machine and came
    across this one here. That's a Windows 10
  • 8:14 - 8:21
    machine. That's fine. However, it has an
    outdated virus scanner. So, well, it it's
  • 8:21 - 8:27
    better than nothing. So, this machine was
    used instead then. So, but just let's keep
  • 8:27 - 8:34
    in mind what they are promising us:
    election security. We really doubt that.
  • 8:35 - 8:40
    Let's now look at the IT environment and
    why it came to that situation. So, first
  • 8:40 - 8:46
    of all, this is not fully the fault of
    OK.VOTE, because it's the task for the
  • 8:46 - 8:54
    local administration to provide hardware
    for vote counting and AKDB, the vendors of
  • 8:54 - 9:00
    OK.VOTE say, that they recommend to use
    secure administration computers. That's
  • 9:00 - 9:06
    fine so far, but we simply don't have
    enough secure administration computers for
  • 9:06 - 9:11
    that purpose. So, for example, in the town
    where I'm from, we needed around 8
  • 9:11 - 9:17
    computers to count out this election and
    we simply did not have enough in the town
  • 9:17 - 9:23
    hall. And whats even more, the election
    room, it was in a school and there are
  • 9:23 - 9:28
    already school PCs available there. So,
    they were just using the school PCs. So,
  • 9:28 - 9:34
    and those were even elementary school
    computers. So, I'm not really sure about,
  • 9:34 - 9:38
    if all the pupils know, which link they
    are allowed to click and which one they
  • 9:38 - 9:44
    should rather not click on. So, this
    systems might be insecure, there might be
  • 9:44 - 9:49
    malware within, and even if it's possible
    that someone had manipulated them in
  • 9:49 - 9:56
    advance, we cannot really exclude that.
    However, I don't want to blame the
  • 9:56 - 10:00
    administration here because they did a
    great job in organizing this election.
  • 10:00 - 10:06
    It's really much to do for them and it did
    really well. So, everything worked out
  • 10:06 - 10:12
    well at the end. However, they are no IT-
    Security specialists and we cannot demand
  • 10:12 - 10:19
    from them, that they know each detail on
    how to set up a system correctly and what
  • 10:19 - 10:24
    are the risks that are associated with
    insecure computer systems in elections?
  • 10:24 - 10:30
    That's just not their job. So, however, we
    still ended up with untrustworthy systems
  • 10:30 - 10:36
    here. Because, as we have seen before,
    there are no legal regulations against it.
  • 10:36 - 10:40
    Now, let's see how we create a digital
    result.
  • 10:40 - 10:47
    T: Exactly. So, we went to our voting
    places. We were presented with each one
  • 10:47 - 10:53
    got a PC and we got the ballot stack we
    had to count and then enter the results.
  • 10:53 - 10:59
    So, Johannes is Team 2 and I was Team 1
    and we started entering the ballots in the
  • 10:59 - 11:06
    PC. And from this on, they were digitized
    Team 1 in green and Team 2 in blue.
  • 11:06 - 11:11
    J: As soon as I was finished entering my
    ballots, I put them on a USB drive and
  • 11:11 - 11:17
    handed them over to Team 1.
    T: Exactly. I imported these votes,
  • 11:17 - 11:22
    because I was the master machine at this
    time, and the OK.VOTE software then
  • 11:22 - 11:29
    finalised these voting elections and
    exported their results finally again on an
  • 11:29 - 11:34
    USB stick. And these were then delivered
    on for further processing.
  • 11:34 - 11:39
    J: What is the problem with that all?
    First of all, there's a lot of
  • 11:39 - 11:43
    intransparency. So, for example, the
    software that is being used for vote
  • 11:43 - 11:49
    counting, OK.VOTE, it's not an open source
    software. It's closed source and nobody
  • 11:49 - 11:56
    was able to analyze this yet. So, and
    since this is closed source software, it
  • 11:56 - 12:00
    is also very hard to understand how the
    software works and if it really counts
  • 12:00 - 12:05
    correctly, Because we have, in the end, we
    have hundreds of ballots there and it's
  • 12:05 - 12:10
    really difficult to tell, if they have,
    indeed, been counted correctly. So, and
  • 12:10 - 12:17
    although we have seen this before, there
    is no basis for a secure vote counting, if
  • 12:17 - 12:22
    we have possibly rigged computer system.
    So, we cannot exclude that someone has
  • 12:22 - 12:29
    manipulated them pre-election wise. So, if
    there is some manipulation, this would
  • 12:29 - 12:35
    hardly be detectable by a standard
    election worker. So, this means that the
  • 12:35 - 12:41
    entire election process becomes very
    intransparent and hard to understand for a
  • 12:41 - 12:46
    person who just wants to observe the
    election. So, that is strictly against the
  • 12:46 - 12:53
    idea of a public counting of votes.
    T: So, now let's talk about the step that
  • 12:53 - 12:58
    happens after we finish counting
    in each of the teams.
  • 12:58 - 13:02
    J: So, what do you do after you have
    exported the final election results?
  • 13:02 - 13:05
    How do they come to the
    central administration?
  • 13:05 - 13:11
    T: Yeah, I've just entered my vehicle and
    took the USB sticks in my pocket and drove
  • 13:11 - 13:18
    to the master PC. But, as you maybe know,
    Election Day is always very busy day and
  • 13:18 - 13:24
    might some teams are slower at counting.
    Some teams are faster. So, the master team
  • 13:24 - 13:29
    doesn't know when these USB sticks arrive.
    If they take two or three hours or half an
  • 13:29 - 13:33
    hour, they don't know really. So, I could
    just go and grab something to eat on my
  • 13:33 - 13:39
    way. Or I can manipulate the vote. I mean,
    deliver the votes. And yeah, in the end,
  • 13:39 - 13:44
    one day, when I arrive at the master PC, I
    just give them my USB stick, they enter it
  • 13:44 - 13:48
    and they take the data that is stored on
    there and nothing else. And afterwards,
  • 13:48 - 13:53
    they just uploaded the final
    results on the page.
  • 13:53 - 13:59
    J: Now you might think, why is it possible
    for him to manipulate election results?
  • 13:59 - 14:05
    Because there's no authenticity. There's
    only integrity protection of the file that
  • 14:05 - 14:10
    he is transporting. So some CRC32 and a
    SHA hash, but nothing like a cryptographic
  • 14:10 - 14:16
    signature. So, even if he alters the data,
    he can just regenerate all the integrity
  • 14:16 - 14:22
    protection data and the data will just be
    accepted. So, the main issue here is also,
  • 14:22 - 14:29
    that this is one of the few spots where
    only a single person has unsupervised
  • 14:29 - 14:34
    access to the data during transport of the
    voting data at all. And that makes
  • 14:34 - 14:39
    manipulations possible and easily feasible
    in this case. And that should not be the
  • 14:39 - 14:48
    case, especially in an electronically
    supported election. Now, let's have a look
  • 14:48 - 14:52
    at the vote counting software itself,
    because there we found even more
  • 14:52 - 14:56
    interesting results.
    T: Exactly. Let's begin with the system
  • 14:56 - 15:02
    architecture. First of all, this is the
    local or decentralized version of the
  • 15:02 - 15:08
    software system. So all this is taking
    place on the local host, on the machine we
  • 15:08 - 15:13
    encountered in the lecture rooms and on
    these machines, where it was an Apache Tomcat
  • 15:13 - 15:18
    Web server running, which was connected to
    a MariaDB, and the user was interacting
  • 15:18 - 15:25
    with the voting system via a portable
    Firefox and as AKDB said in before they
  • 15:25 - 15:33
    were very concerned with security. So,
    let's think about what attackers are they
  • 15:33 - 15:38
    had in mind when they designed the system
    and from which the system is to protect
  • 15:38 - 15:44
    from. Is it the user that maybe attacks
    the system, the vote count system, which
  • 15:44 - 15:51
    is normally just election workers that are
    on their free time there to help executing
  • 15:51 - 15:58
    the election, or are they having the
    network attackers in minds that come from
  • 15:58 - 16:03
    completely different places and try to
    manipulate the network from outside? First
  • 16:03 - 16:10
    of all, we took the user as one of the
    possible attackers. And even in this
  • 16:10 - 16:15
    environment, we found some really broken
    stuff. First of all a broken access
  • 16:15 - 16:21
    control. But how it's how it's all about.
    Well, that's the log in page when we just
  • 16:21 - 16:27
    logged in our voting system and clicked on
    administration page where we can change
  • 16:27 - 16:31
    our password and edit our profile. These
    are the buttons on the left. And as you
  • 16:31 - 16:37
    can see, we are clearly logged in as the
    user42. And there is no more things to do
  • 16:37 - 16:43
    than select which counting part we want
    to do, the general regional vote or the
  • 16:43 - 16:48
    municipal votes. And that's all we can
    do on this page. Now let's switch to the
  • 16:48 - 16:54
    system administrator. There we have the
    admin account, as you can see on the left
  • 16:54 - 17:00
    upper side, where we can now do very much
    more than the normal user. We are again on
  • 17:00 - 17:04
    the administration page, but now we have
    the user administration where we can
  • 17:04 - 17:12
    create or delete users. We have the reopen
    or close voting mechanisms. We have
  • 17:12 - 17:18
    imports, we have exports and also what's
    not included in the screenshots submenus
  • 17:18 - 17:25
    like deleting finalized results or and so
    on. So, we picked out two very interesting
  • 17:25 - 17:32
    URLs for you. First of all, we are taking
    the "Bezirk wieder eröffnen" which is
  • 17:32 - 17:36
    translated just to reopen the election
    after election as closed at normal. It's
  • 17:36 - 17:41
    normally finalized, so no more votes can
    be entered in the system. And the other
  • 17:41 - 17:47
    link is "Löschen". So that translates to
    delete data, which then in the end deletes
  • 17:47 - 17:53
    all the data from from the machine. So, no
    more private or secure data is stored on
  • 17:53 - 17:59
    there. And this is what they look like
    when we only open them on the left side.
  • 17:59 - 18:04
    We see to reopen dialog. On the right
    side, we see the data delete. But wait,
  • 18:04 - 18:13
    this is not the admin view, this is the
    user view. So, they did not check if this
  • 18:13 - 18:18
    user is even allowed. And we also have to
    say, that this is not just the view of it,
  • 18:18 - 18:22
    it is fully working and is completely
    functional, when you just go through the
  • 18:22 - 18:26
    process of deleting or reopening as an
    election.
  • 18:26 - 18:29
    Alarm sound
    J: What's the problem with that?
  • 18:29 - 18:34
    T: Yeah, as you maybe already guessed,
    reopening elections could create a
  • 18:34 - 18:39
    probability of sneaking in some additional
    votes for the candidate I favor and
  • 18:39 - 18:45
    additionally, if I want to mess with all
    of the voting, I could just delete all the
  • 18:45 - 18:50
    election data and we would have to start
    from the beginning and completely delay or
  • 18:50 - 18:53
    deny the voting.
    J: But why is this even possible?
  • 18:53 - 19:00
    T: Yeah, we found out that this is their
    access control check in their software
  • 19:00 - 19:06
    this function is called getZugriffRollen,
    which translates to get access roles. So
  • 19:06 - 19:11
    normally there will also be the software
    in place to check if this role is allowed
  • 19:11 - 19:15
    to access this kind of site. But they just
    returned null and not implemented it.
  • 19:15 - 19:22
    And that's also nice work to implement
    access control. However, I think we can
  • 19:22 - 19:27
    propose some mechanisms that could have
    prevented this. First of all, hidden
  • 19:27 - 19:33
    information is nothing you could rely on.
    If you just don't show where you can click
  • 19:33 - 19:39
    to get to this url or to this page. That's
    not really secret because maybe you find
  • 19:39 - 19:43
    some leaked source code or you make sure
    serving at an admin or you just by
  • 19:43 - 19:49
    accident type in the wrong url and get to
    this hidden information. Or you, exactly,
  • 19:49 - 19:55
    use software scanners to find something
    hidden. So hidden data is just not secure.
  • 19:55 - 19:59
    And on the other hand, you should finalize
    your implementation of access control to
  • 19:59 - 20:03
    have access control and even test it
    once to be sure that it works. So in the
  • 20:03 - 20:08
    end we can conclude that hidden
    data is not protected data.
  • 20:08 - 20:12
    T: Let's now come to another type of
    attacks. Cross-site attacks. A cross-site
  • 20:12 - 20:17
    attack is some sort of interference
    between two websites. Where one website,
  • 20:17 - 20:22
    for example, tries to do something on
    behalf of the other. The goal is often to
  • 20:22 - 20:27
    deceit the user or to trigger the
    manipulations. First of all, we were quite
  • 20:27 - 20:33
    sure that they have thought of cross-site
    attacks. Because doing our testing, we saw
  • 20:33 - 20:40
    that they included some HTTP-Headers that
    target a wide range of attack vectors that
  • 20:40 - 20:45
    use Cross-site scripting attacks. For
    example, here we have X-Frame-Options:
  • 20:45 - 20:52
    same origin. That means that other pages
    can not include the voting software into
  • 20:52 - 20:57
    their own frames and so on. And also
    cross-site scripting protection is enabled
  • 20:57 - 21:04
    via X-XXS-Protection. So this looks quite
    good because this already excludes several
  • 21:04 - 21:10
    attack vectors. But how about cross-site
    request forgery? When we first tested
  • 21:10 - 21:16
    this, we found out that the vote counting
    system is not fully protected against it.
  • 21:16 - 21:21
    What is cross-site request forgery? So in
    the first step, the election worker uses
  • 21:21 - 21:27
    the integrated Firefox Browser to accept
    a malicious website. So the user is
  • 21:27 - 21:32
    triggered to visit this website. For
    example, someone sent him a link triggered
  • 21:32 - 21:38
    him to click on the link by the promise,
    for example, of a cute animal picture or
  • 21:38 - 21:43
    some sort of that. And then the user
    visits this website. And this website
  • 21:43 - 21:48
    contains form fields that resemble the
    form fields of the actual vote counting
  • 21:48 - 21:54
    software. And the malicious website now
    triggers your browser to submit this form
  • 21:54 - 22:00
    data, not to the original website, but
    rather to the vote counting software. And
  • 22:00 - 22:04
    as soon as it reaches the Tomcat web
    server, the web server is confused.
  • 22:04 - 22:11
    Because the web server cannot discern the
    input from the cross-site attack from the
  • 22:11 - 22:15
    malicious website from original user
    input. And then the Apache Tomcat server
  • 22:15 - 22:20
    just thinks that this is original user
    input and will process it. And that's
  • 22:20 - 22:26
    called a cross-site request forgery
    attack. So we saw that there is sometimes
  • 22:26 - 22:31
    a protection against this sort of attacks.
    But many pages are not protected against
  • 22:31 - 22:38
    it. And that is very concerning because
    that's a 2001's vulnerability. It's almost
  • 22:38 - 22:44
    20 years old now and it's still present in
    such a software. So this is quite
  • 22:44 - 22:50
    unsettling here. Now, let's sum this up.
    What we can do with it. So, first of all,
  • 22:50 - 22:56
    the issue is that they have missing CSRF
    tokens or any other good countermeasure
  • 22:56 - 23:00
    against cross site request forgery
    attacks. And the second point is here,
  • 23:00 - 23:05
    that only minimal user interaction is
    required. The user often doesn't even see
  • 23:05 - 23:11
    that a cross-site request forgery attack
    is currently being executed on his behalf.
  • 23:11 - 23:16
    So it's almost undetectable by the user.
    And it's very simple to trick a user into
  • 23:16 - 23:23
    clicking a link. So the impact is very
    devastating because we can now manipulate
  • 23:23 - 23:29
    settings in the vote counting software.
    And we can even insert fake ballots here.
  • 23:29 - 23:34
    Alarm sound
    T: So what's the result of this?
  • 23:34 - 23:38
    What we can do with it?
    J: Well, we can manipulate the entire
  • 23:38 - 23:43
    election with this. Let's just use a demo.
    How we do this.
  • 23:43 - 23:45
    T: Nice.
    J: We are already logged in into the vote
  • 23:45 - 23:55
    counting system. Our username is
    admin321934. Now let's count some votes.
  • 23:55 - 24:00
    As we can see here, these are all the
    ballots that we can enter. They are still
  • 24:00 - 24:07
    empty since we haven't entered any ballots
    yet. So let's start. For simplicity, we
  • 24:07 - 24:12
    just have two parties here. On the left
    hand side we have the good party. Who
  • 24:12 - 24:17
    wants the best for the people. On the
    right hand side we have the bad party
  • 24:17 - 24:22
    who wants to take power and is willing to
    even commit election fraud. Let us begin
  • 24:22 - 24:28
    and enter the first paper ballot. The
    person has voted for the good party. So we
  • 24:28 - 24:38
    enter this into the software. Now we save
    the ballot and go to the next one. Again,
  • 24:38 - 24:45
    it's a vote for the good party. Let's
    enter it and save it and go to the third
  • 24:45 - 24:53
    ballot. And again, it's for the good
    party. Let's save our third ballot. Now we
  • 24:53 - 25:00
    go to the ballot overview and we look what
    has happened. As you can see, we now have
  • 25:00 - 25:05
    three ballots that have successfully been
    entered. At next, let's check the
  • 25:05 - 25:11
    preliminary election results. As we can
    see here, we have a total of three ballots
  • 25:11 - 25:16
    that have been entered into the system.
    That's correct. Three ballots contained
  • 25:16 - 25:22
    votes for the good party. That's also
    correct. And zero votes have been given to
  • 25:22 - 25:28
    the bad party. That's fine so far. Next, I
    will show you what happens if i open a
  • 25:28 - 25:33
    malicious website. This website will
    execute a CSRF attack and manipulate the
  • 25:33 - 25:38
    election results. Let's just assume we
    want to take a break and simply both
  • 25:38 - 25:54
    twitter. OK, here we are. There's a cute
    cat picture and there's a link to even
  • 25:54 - 26:02
    more of them. Let's just play along and
    get tricked into clicking that link. Oh,
  • 26:02 - 26:08
    look at all those cute animal pictures,
    look a hungry rabbit, a monkey, a little
  • 26:08 - 26:14
    hedgehog and two cute goats and so on, and
    when we are done browsing, we close those
  • 26:14 - 26:23
    tabs again and return to our vote counting
    software. What we notice now is, that our
  • 26:23 - 26:29
    username has been altered and we just got
    pwned. We were tricked into visiting this
  • 26:29 - 26:35
    malicious website. The website executed a
    CSRF attack on the vote counting software
  • 26:35 - 26:43
    and did some manipulations. Let's see what
    else has changed. However, all three
  • 26:43 - 26:48
    ballots are still there, but now we take a
    look at the preliminary election results.
  • 26:48 - 26:54
    What you can see here is that the number
    of ballots that are in the system has been
  • 26:54 - 26:58
    increased to eight. We now have five
    additional ballots that were not entered
  • 26:58 - 27:04
    by us. As you can see, the good party
    still has three votes. That is what we
  • 27:04 - 27:10
    have entered. But now the bad party has
    taken the lead. They have five votes now.
  • 27:10 - 27:16
    This attack has indeed manipulated the
    election results. This is really bad
  • 27:16 - 27:21
    because we cannot even see those
    additional fake ballots that have been
  • 27:21 - 27:27
    injected. However, we are lucky because we
    noticed it since we have expected this
  • 27:27 - 27:32
    attack. But we won't notice
    it in every case.
  • 27:34 - 27:39
    T: But what happens if we don't notice?
    J: Well, that happens. So, for this
  • 27:39 - 27:44
    example, we just assume that team 1 had
    three ballots that they have entered into
  • 27:44 - 27:48
    the computer system and team 2 has six
    ballots that have been entered into the
  • 27:48 - 27:55
    computer system. Now team one visits a
    malicious website and five fake ballots
  • 27:55 - 28:01
    are injected into the election results. In
    this case, the attacker is very smart and
  • 28:01 - 28:06
    injects the ballots at the location where
    the team 2 ballots will be expected in the
  • 28:06 - 28:14
    future. So what happens now is: team 2
    exports their ballots and team 1 tries to
  • 28:14 - 28:21
    import the ballots of team 2. And now the
    following thing happens: Because there are
  • 28:21 - 28:26
    already ballots present at the location
    where the team 2 ballots should go to, the
  • 28:26 - 28:32
    import process is not fully successful and
    only a subset of the ballots are imported
  • 28:32 - 28:38
    so that the majority of the ballots into
    this case, five or six ballots are just
  • 28:38 - 28:42
    discarded because they don't fit in the
    database anymore because that location is
  • 28:42 - 28:48
    already taken by the fake ballots. So
    usually we would expect that this can
  • 28:48 - 28:53
    generate an error message or at least a
    warning. But this does not happen. This is
  • 28:53 - 29:00
    a silent failure of the software. And
    what's even worst is now that the sums
  • 29:00 - 29:05
    finally are correct. So that means we now
    have nine ballots present in the system
  • 29:05 - 29:10
    and nine paper ballots that were initially
    available. So this looks like we have
  • 29:10 - 29:14
    entered all the ballots and everything
    seems to be fine. So we will now close the
  • 29:14 - 29:19
    election and generate the final result.
    And that is what happens now. As you can
  • 29:19 - 29:26
    see, we have only four votes for the good
    party, but five votes for the bad party.
  • 29:26 - 29:32
    So the bad party has won the election by
    manipulating the voting system, using this
  • 29:32 - 29:38
    CSRF attack. And that should never be
    possible because this is not what we
  • 29:38 - 29:46
    expect for a voting software. And in this
    case, the result is rigged. So have we
  • 29:46 - 29:51
    thought about network vulnerabilities?
    T: Yeah, sure, that's exactly the other
  • 29:51 - 29:55
    side of the coin. First, we checked the
    election worker side for attacks, but now
  • 29:55 - 30:00
    we checked the network side and scanned
    and analyzed the system at first. And then
  • 30:00 - 30:08
    we looked like this: Open ports
    everywhere. And as you can see, they fully
  • 30:08 - 30:14
    exposed the Apache Tomcat and the MariaDB
    to each available network on the system.
  • 30:14 - 30:19
    And with this, we thought, well, let's maybe
    try some newly discovered vulnerability,
  • 30:19 - 30:25
    which was recently found in 2020 called
    Ghostcat. And Ghostcat is an attack
  • 30:25 - 30:31
    against AJP protocol from Apache. But
    let's check the Apache system and how it's
  • 30:31 - 30:38
    built. First, Apache has a web root which
    serves static resources and HTML or JSP
  • 30:38 - 30:43
    files. And additionally, it can include
    class files or class sublets which are
  • 30:43 - 30:49
    combined with this JSPs or HTML files and
    then served to the user. So we prepared
  • 30:49 - 30:57
    our ajpShooter with the URL of the
    application, the port and the file we want
  • 30:57 - 31:02
    to read. In our case, it's a PrivateTest
    class file because, what we
  • 31:02 - 31:07
    could leak about this, but we'll see. And
    then we said we only want to read it
  • 31:07 - 31:11
    because there would even be the
    possibility to evaluate it and execute the
  • 31:11 - 31:18
    code in it. So we've done this attack and
    TADA we've got a result. This is the byte
  • 31:18 - 31:23
    code of the PrivateTest class. So let's
    just drop this byte code in our cup of
  • 31:23 - 31:29
    coffee and maybe we can pull out some
    source code from it. And yeah that's what
  • 31:29 - 31:37
    we've read out because why not. Just test
    your encryption mechanism with the string.
  • 31:37 - 31:42
    But this is not a common string as you
    later found out. This is the real root
  • 31:42 - 31:46
    productive password of the MariaDB. And
    this was like:
  • 31:46 - 31:52
    Alarm sound
    So what's the problem? As you maybe
  • 31:52 - 31:57
    clearly see with this attack, we could
    leak out the login of the MariaDB and
  • 31:57 - 32:02
    probably even more logins or passwords.
    And additionally, we could leak the whole
  • 32:02 - 32:08
    source code over the network without ever
    accessing the PC in the election room. And
  • 32:08 - 32:16
    this was only possible because they
    completely exposed all machines and
  • 32:16 - 32:22
    applications to the network and this
    should never be the case. So in result:
  • 32:22 - 32:27
    How can this be prevented? First, you
    should never expose these unneeded ports
  • 32:27 - 32:31
    to internet because they don't even use
    the AJP proxy in their application, but
  • 32:31 - 32:38
    just left it on the 0.0.0.0 interface.
    Next is: You should keep your software up
  • 32:38 - 32:44
    to date. That if some vulnerabilities were
    found. You should not be vulnerable to it.
  • 32:44 - 32:50
    And last but not least: Never use
    productive passwords in your unit tests
  • 32:50 - 32:55
    because that's not the best idea to do. In
    the end, to sum it up: Avoid at all costs
  • 32:55 - 33:01
    any additional attack surface to prevent
    these kind of attacks, even if you don't
  • 33:01 - 33:05
    know about them yet.
    J: So, after Tobi has shown us a lot of
  • 33:05 - 33:10
    interesting and patchy stuff. I tested the
    database for its security. For the first
  • 33:10 - 33:15
    analysis. I was just starting with the
    same PC, but also the software was
  • 33:15 - 33:20
    installed and I tried to gain access to
    the database. So it was coming from the
  • 33:20 - 33:25
    host localhost. I tried to use the
    username root and then I saw that I am
  • 33:25 - 33:30
    asked for a password before I'm allowed to
    connect to the database. However, finding
  • 33:30 - 33:35
    the password was quite trivial to do
    because all the stuff I needed to know for
  • 33:35 - 33:41
    that was included in that last file and I
    was able to decrypt the password without
  • 33:41 - 33:46
    any issue here. And that moment I realized
    that also the password that Tobi has shown
  • 33:46 - 33:51
    us before, that he found with the Ghostcat
    vulnerability is indeed the MySQL root
  • 33:51 - 33:59
    password here. So after I had access to
    the MySQL system, I tried to dump the user
  • 33:59 - 34:06
    table to look which users are allowed to
    access the database. So and that is how
  • 34:06 - 34:11
    the user table looks like. We have four
    times the user root and the user root
  • 34:11 - 34:17
    requires a password if I'm coming from
    localhost. But wait a moment. Here we also
  • 34:17 - 34:24
    have the host pci90309. And as you can see
    here, there is no MySQL password
  • 34:24 - 34:30
    statement. That means that someone coming
    from host pci90309 is almost allowed to
  • 34:30 - 34:38
    connect as root and does not even need to
    provide any password for that. And thats
  • 34:38 - 34:42
    really strange.
    Alarm sound
  • 34:42 - 34:51
    T: So what could happen from this?
    J: Well, now someone on the network can
  • 34:51 - 34:56
    now just lump voting manipulation. That's
    quite trivial because as soon as I set my
  • 34:56 - 35:01
    host to the correct hostname, I get full
    access to the database where all my local
  • 35:01 - 35:06
    voting results are stored. And since I'm
    root, I can interfer with them. I can
  • 35:06 - 35:10
    change them however I want to. And this
    vulnerability is so damn weird and
  • 35:10 - 35:17
    trivial, it takes me no effort to do this
    at all. And so we won't even go into a
  • 35:17 - 35:23
    demo here because it's so stupid simple in
    this case. Usually I would say that's
  • 35:23 - 35:28
    enough for today because we already have
    full access to the voting system and can
  • 35:28 - 35:34
    change whatever we want to. However, this
    time we decided to go deeper because we
  • 35:34 - 35:42
    saw pci90309 is a real door opener. So we
    have access to the voting results. We can
  • 35:42 - 35:48
    change them, but we still don't have
    access to the entire voting system. So
  • 35:48 - 35:52
    what about the PC? Might it be possible,
    with that root access to the database
  • 35:52 - 36:00
    server, to gain remote code execution at
    that machine? So for this experiment, I
  • 36:00 - 36:05
    used the following setup. On the right hand
    side we have a voting system with the
  • 36:05 - 36:11
    exposed MariaDB database server. On the
    left hand side that's my system. I named
  • 36:11 - 36:16
    myself pci90309, just because i can do it,
    and I establish a connection to the
  • 36:16 - 36:24
    MariaDB server. I use root as a username.
    I don't need any password. And it is
  • 36:24 - 36:30
    immediately accepted. So now that I am
    connected, I'm allowed to issue commands.
  • 36:30 - 36:36
    For example, I can now instruct MariaDB to
    enable one of its plugins. This plugin is
  • 36:36 - 36:42
    called ha_connect. It's one of the plugins
    that usually come directly with MariaDB.
  • 36:42 - 36:50
    And this is a very powerful MySQL storage
    driver. So now I will show you what I can
  • 36:50 - 36:57
    do with that storage driver. So at next, I
    will now create a table that's called pwn.
  • 36:57 - 37:03
    And I'm using the ha_connect storage
    driver and instruct the storage driver to
  • 37:03 - 37:09
    create a file that's called pwn.dll and to
    place it right into that plugin folder.
  • 37:09 - 37:14
    There is nothing that stops me from doing
    so. So that is one of the special features
  • 37:14 - 37:20
    of the ha_connect storage driver, that I
    can just say, this table is mapped to that
  • 37:20 - 37:25
    file in the file system. However, this
    file is still empty because the table is
  • 37:25 - 37:31
    empty. But since this is a database, I can
    now just issue INSERT INTO statements and
  • 37:31 - 37:36
    load whatever data I want to, for example,
    some malicious DLL. I can just load into
  • 37:36 - 37:41
    the table, via that INSERT INTO a
    statement, and then it is directly written
  • 37:41 - 37:49
    into our malicious DLL "pwn.dll". Ok, so
    at next, after I've finished writing, I
  • 37:49 - 37:55
    will instruct MariaDB to enable this
    plugin that I have just uploaded. And
  • 37:55 - 38:00
    enabling a plugin means that we are
    executing the code that is stored in this
  • 38:00 - 38:05
    DLL file. So that means we have remote
    code execution.
  • 38:05 - 38:10
    Alarm Sound
    T: I don't even ask what you can with
  • 38:10 - 38:14
    remote code execution.
    J: Well, I can do anything. So that means
  • 38:14 - 38:20
    I have no gate, full control over the
    entire vote counting system. So I'm not
  • 38:20 - 38:25
    only talking about the data in the
    database, I'm talking about the entire
  • 38:25 - 38:30
    computer that I can now fully control and
    manipulate however I want to. And that's
  • 38:30 - 38:36
    possible, only by using the voting
    software and accessing it over the network
  • 38:36 - 38:41
    interfaces that it had exposed. And now
    I'll show you how simple this is to
  • 38:41 - 38:50
    execute an arbitrary program on the system.
    T: This is the vote counting computer
  • 38:50 - 39:02
    system. To begin, let's start the vote
    counting software. Now, the Apache Tomcat
  • 39:02 - 39:08
    Web server and the MariaDB database server
    are being launched. Finally, the Firefox
  • 39:08 - 39:15
    portable is started. The system is now
    ready for operation. But beware, the
  • 39:15 - 39:22
    attacker becomes active, his host name is
    the infamous pci90309, immediately it
  • 39:22 - 39:29
    launches the python attack script
    "fun.py". It connects to the MariaDB
  • 39:29 - 39:35
    server as root without a password and
    uploads a malicious DLL plugin. When the
  • 39:35 - 39:42
    upload has been finished, the malicious
    plugin is executed. As we can see, the
  • 39:42 - 39:48
    calculator was started thus remote code
    execution was successful. The vote
  • 39:48 - 39:53
    counting computer system is now under
    control of the attacker.
  • 39:53 - 40:01
    J: After we have found so devastating
    issues with the vote counting Software, we
  • 40:01 - 40:06
    immediately notified the vendor AKDB
    T: And they were very professional about
  • 40:06 - 40:11
    it and responded very quickly to our
    initial emails. So we really like working
  • 40:11 - 40:18
    together with them and telling them our
    results and they were always
  • 40:18 - 40:23
    positive about it. So they also
    recommended some fixes.
  • 40:23 - 40:28
    J: So, for example, they told us, you
    should only use that voting software in a
  • 40:28 - 40:32
    secure environment like in an
    administrational network. However, we
  • 40:32 - 40:36
    don't really believe that this is a good
    solution.
  • 40:36 - 40:40
    T: Exactly. And we are not very happy
    about this proposal, because we have two
  • 40:40 - 40:45
    problems that still arise, even if it's in
    a secure environment. First of all, an
  • 40:45 - 40:50
    administrative PC could still be infected
    with some malware or it could be
  • 40:50 - 40:56
    manipulated before the election takes
    place. And in the second hand, we have
  • 40:56 - 41:00
    this bug with the broken access control,
    you remember. And even if you would have
  • 41:00 - 41:05
    been in the secure environment, this bug
    would have been totally worked and you
  • 41:05 - 41:09
    could have completely deleted all data
    work or reopened elections or something
  • 41:09 - 41:12
    like this.
    J: But we are still quite happy that they
  • 41:12 - 41:18
    took us seriously, because they even have
    announced updates. So, for example, they
  • 41:18 - 41:23
    wrote us that they are planning on adding
    XSRF tokens for the pages where we found
  • 41:23 - 41:28
    cross-site vulnerabilities. So that's
    already a good step into the right
  • 41:28 - 41:35
    direction. So now let's summarize what we
    have presented today. So first of all, we
  • 41:35 - 41:40
    discovered several problematic aspects
    in the concept and its practical
  • 41:40 - 41:45
    implementation. So, first of all, the
    entire voting system, it's running on
  • 41:45 - 41:50
    untrustworthy computer systems. So it
    could have been manipulated beforehand.
  • 41:50 - 41:56
    They could have malware on them or they
    just could not function correctly. So
  • 41:56 - 42:01
    that's already very problematic from the
    beginning, because we have no underlying
  • 42:01 - 42:06
    trust that we can put into those systems
    and we are using them to count out our
  • 42:06 - 42:12
    votes, to count out the entire election.
    So what's even more is, that even if they
  • 42:12 - 42:19
    use the software and the PC, that lies
    beyond it, is secure, it still has not
  • 42:19 - 42:25
    enough transparency. It's very hard to
    understand what the software is exactly
  • 42:25 - 42:31
    doing and how it is doing this. So, I
    cannot really understand how does it come
  • 42:31 - 42:36
    to its result. Please keep in mind, that
    we have almost 600 candidates and several
  • 42:36 - 42:42
    hundreds of ballots that have all to be
    input into that computer system and then
  • 42:42 - 42:48
    some magic happens and it spits out its
    result. So, then we just have to take this
  • 42:48 - 42:53
    result, because it's just impossible to
    check, if really each vote has been
  • 42:53 - 42:58
    counted correctly or is there anything
    strange has happened or any manipulation
  • 42:58 - 43:01
    took place.
    T: And this is also possible, because we
  • 43:01 - 43:07
    found lots of vulnerable software and not
    just the system security was affected, but
  • 43:07 - 43:12
    it was also absolutely possible to
    manipulate the whole election from very
  • 43:12 - 43:20
    many parts in the network. And this leads
    us to conclude that these elections are at
  • 43:20 - 43:25
    a high risk with this technology.
    J: So, and that is the reason that we want
  • 43:25 - 43:31
    you as election worker. The more eyes are
    looking at the election, the more secure
  • 43:31 - 43:36
    it becomes. And if you are interested in
    becoming an election worker, just get into
  • 43:36 - 43:40
    contact with the local administration.
    They are always very happy to have
  • 43:40 - 43:45
    volunteers, who want to take part as
    election workers. So and for my personal
  • 43:45 - 43:50
    experience, I'm doing this for several
    years now. It's also a lot of fun. You get
  • 43:50 - 43:55
    into contact with a lot of people. So I
    enjoyed this a lot and I can just
  • 43:55 - 44:01
    recommended it and this is a good way, how
    everyone of us can support the democracy
  • 44:01 - 44:05
    in their country.
    T: So, to conclude our talk, we found out
  • 44:05 - 44:12
    that security in this technology is really
    bad and that's not all of it.
  • 44:12 - 44:17
    J: So, this is just the tip of the
    iceberg, because we look only at one of
  • 44:17 - 44:22
    the solutions that is available for vote
    counting. And this was also in a special
  • 44:22 - 44:28
    configuration. So what is even more
    difficult to see is, what happens behind
  • 44:28 - 44:35
    all the stuff we have seen today, because,
    when we export the data and bring it to
  • 44:35 - 44:40
    the central administration and the data is
    imported and uploaded, so where does all
  • 44:40 - 44:45
    this data go, where are all the results
    from all this data from all the polling
  • 44:45 - 44:50
    stations are summarized? We don't know
    that yet, how this works. We don't have
  • 44:50 - 44:54
    the software, that we can analyze. So
    there's still a lot of work that has to be
  • 44:54 - 44:59
    done. Here to really check the entire
    system, we just took a look at a very
  • 44:59 - 45:04
    small portion and that is just the vote
    counting software here.
  • 45:04 - 45:09
    T: Next, we were very shocked that this
    information, that vote counting is already
  • 45:09 - 45:14
    shifted to software, is not publicly
    known. And this is also why we we created
  • 45:14 - 45:20
    this talk today as this is an information,
    that is crucial for the democracy, that
  • 45:20 - 45:27
    there is already this software in use and
    it is not really secure. So this was a big
  • 45:27 - 45:34
    thing for us to keep bringing it out to
    the people.
  • 45:34 - 45:38
    J: So and one other thing is, everything
    that we have seen today is entirely legal,
  • 45:38 - 45:44
    because at least in Bavaria, we don't have
    any rules or any laws against the use of
  • 45:44 - 45:50
    unsecure computer systems, of unsecure
    vote counting software. So, as we've seen
  • 45:50 - 45:56
    in the beginning, we only have very rough
    legal guidelines that says, well, you can
  • 45:56 - 46:00
    just use computers for vote counting, but
    we need stricter guidelines here, because
  • 46:00 - 46:07
    it cannot continue as we've seen it today
    and in other states in Germany there is
  • 46:07 - 46:12
    sometimes something like, let's say,
    guidelines or even certification process
  • 46:12 - 46:18
    for such digital software. But in most
    states that I had a look at, there are no
  • 46:18 - 46:24
    rules at all and nothing that should
    continue in the next years that way.
  • 46:24 - 46:30
    T: Additionally, in the end, before any of
    this software to electronically count the
  • 46:30 - 46:37
    votes should go live, unbiased tests for
    everyone should be available to prove
  • 46:37 - 46:42
    themselves, that this software is secure
    and this software is doing what it's
  • 46:42 - 46:47
    promising to us. Because it is directly
    influencing our democracy. And if this
  • 46:47 - 46:52
    software is manipulated, it manipulates
    our voting, our election and our
  • 46:52 - 46:56
    democracy. So in the end, we can just
    leave you with two questions.
  • 46:56 - 47:01
    T: How much digital support is required?
    J: And how much is tolerable?
  • 47:01 - 47:19
    No Audio
  • 47:19 - 47:26
    Herald: Thank you very much for the
    interesting talk, Johannes and Tobias. And
  • 47:26 - 47:30
    thank you very much for your work on the
    topic. I hope you do have time for a
  • 47:30 - 47:36
    little Q&A. We have quite a few questions,
    actually.
  • 47:36 - 47:39
    J: Sure.
    M: All right. So the first question from
  • 47:39 - 47:45
    the Internet is, is there any suspicion
    that these vulnerabilities have been
  • 47:45 - 47:49
    actively used?
    J: Well, it's very hard to tell. So, at
  • 47:49 - 47:58
    least for the town that I am from, I did
    not notice any special occurrences there.
  • 47:58 - 48:05
    So, however, I don't have an overview of
    entire Bavaria, so, that's quite hard to
  • 48:05 - 48:10
    tell. I think it's even impossible to
    tell, if there were any manipulation so
  • 48:10 - 48:15
    far. So, unfortunately, we cannot say
    that.
  • 48:15 - 48:20
    T: Additionally, we are just at one place
    in this whole system. So we don't have an
  • 48:20 - 48:25
    overview, if there was any mismatching
    numbers or any other influences that
  • 48:25 - 48:31
    happened, but that we didn't see at the
    moment, because we were just at one
  • 48:31 - 48:36
    position in the system, at one station
    of the election.
  • 48:36 - 48:41
    M: OK, thank you for the answer. Ah, do
    you believe that it is possible to have a
  • 48:41 - 48:46
    digital ballot that is as secure and
    trustworthy as physical or paper based
  • 48:46 - 48:52
    voting is?
    J: Well, in my opinion, that's not
  • 48:52 - 48:57
    possible, if you want to have the same
    sort of transparency that we have in the
  • 48:57 - 49:02
    paper based voting system, because, when
    we have paper based voting, we can just go
  • 49:02 - 49:07
    into the voting room and watch what's
    going on there. We can see the ballots
  • 49:07 - 49:13
    that are handed in, the ballots that come
    out of the box. Then, they are counted,
  • 49:13 - 49:18
    are summed up. I can really try to find
    out what's going on there. I can have a
  • 49:18 - 49:24
    look at that. Understand what people are
    doing there, but at the moment, that we
  • 49:24 - 49:30
    have only a digital vote, I cannot really
    find out, if the computer is doing the
  • 49:30 - 49:34
    right thing, if there were some
    manipulations. So, in terms of
  • 49:34 - 49:41
    transparency, I don't think it is possible
    in the same. Yeah, in the same way as the
  • 49:41 - 49:48
    paper based ballots, for example.
    T: I would have to add to this, if there
  • 49:48 - 49:54
    would be the possibility to get the same
    traceability and visibility that you can
  • 49:54 - 50:00
    always see which results came from, from
    which position. And if they are signed
  • 50:00 - 50:07
    very transparent, then it may be possible
    in any future, but not with any kind of
  • 50:07 - 50:16
    this software, we saw there.
    M: All right. Thank you. Do you, by any
  • 50:16 - 50:22
    chance, know which states in Germany use
    these software OK.VOTE as far?
  • 50:22 - 50:29
    T: We cannot directly say which states
    actively use them, because we only took
  • 50:29 - 50:34
    place in elections here in Munich or
    Bavaria. But, we can tell, that we found
  • 50:34 - 50:40
    very much hints in the source code that
    they were also used in, for example,
  • 50:40 - 50:47
    Hamburg, Bremen, Hessen or Rheinland-
    Pfalz, but we don't know if they were
  • 50:47 - 50:54
    already used there or if it's planned to
    be used there or did they already used
  • 50:54 - 50:59
    them in the past elections and decided
    against them for future ones. We don't
  • 50:59 - 51:03
    know about this, exactly.
    M: OK, maybe we can stay for a second on
  • 51:03 - 51:11
    your job as an election worker. The
    process of manually entering data into the
  • 51:11 - 51:17
    system, is there a process for this? Do
    you have an idea on the risk of this part
  • 51:17 - 51:21
    here?
    J: Yes. So, it's basically the thing, that
  • 51:21 - 51:26
    they are at least two or three people
    sitting in front of each computer and then
  • 51:26 - 51:31
    they are entering each ballot. So people
    are really cross checking that the ballot
  • 51:31 - 51:36
    has been entered correctly. So, it's like
    one person has the ballot in front of him
  • 51:36 - 51:42
    or her and the other person reads the
    votes and the other person types it in and
  • 51:42 - 51:48
    they are cross checking each other. So,
    that there isn't any error doing typing in
  • 51:48 - 51:54
    those election results in the computer.
    M: All right. Thank you for the
  • 51:54 - 52:00
    elaboration. Someone is asking, how the
    system's connected to the Internet or some
  • 52:00 - 52:06
    other network of the understanding of the
    talk was correctly received by that
  • 52:06 - 52:10
    person. The results are written to some
    physical medium which is turned into
  • 52:10 - 52:16
    transmit the results. So you sense
    something physically. So, why care for the
  • 52:16 - 52:20
    Windows version or the, what is running on
    these machines? Is that correct
  • 52:20 - 52:25
    understanding?
    J: Well, the problem with that is, that it
  • 52:25 - 52:30
    depends on the local administration, how
    they set up their computer systems. So, I
  • 52:30 - 52:36
    also read this in a chat here. Someone has
    written, that they had their voting
  • 52:36 - 52:45
    software in a, yeah, in a very limited
    network connectivity. So, the computer was
  • 52:45 - 52:50
    not connected to the Internet. However, it
    depends very on the administration and on
  • 52:50 - 52:55
    the computer network that is being used
    there. So, it is entirely possible that
  • 52:55 - 53:00
    computers are connected to the Internet,
    because there are no guidelines on how
  • 53:00 - 53:06
    these computers are allowed to be set up.
    So, I cannot fully exclude this. So, and
  • 53:06 - 53:11
    if someone, for example, just enables the
    wireless network or connects to some
  • 53:11 - 53:17
    unsecured hotspot, they are connected
    then. So, it's it's hard to tell here, but
  • 53:17 - 53:23
    I would not exclude this possibility.
    T: To extend this answer. We even try to
  • 53:23 - 53:27
    find out, if there's any software side
    protection that checks, if there is any
  • 53:27 - 53:31
    internet connection is present and then
    would deny this voting system. But, there
  • 53:31 - 53:36
    wasn't or at least we couldn't find one.
    So even if the administration was not
  • 53:36 - 53:44
    advised, if these PCs should be
    disconnected from the network. There isn't
  • 53:44 - 53:48
    even a security mechanism in place, that
    would check this and stop it or even show
  • 53:48 - 53:52
    a warning, that this is connected and they
    should be disconnected from the Internet
  • 53:52 - 54:00
    before the counting can begin.
    M: Interesting. All right. We have one
  • 54:00 - 54:04
    message on the IRC, from someone who
    worked with this particular piece of
  • 54:04 - 54:10
    software in demo mode by themselves,
    obviously. And the question they have, is:
  • 54:10 - 54:18
    Did you notice the possibility to enter a
    negative votes for a candidate? So saying
  • 54:18 - 54:26
    minus two votes, for instance.
    J: Well, that's difficult to tell. I
  • 54:26 - 54:31
    thought about, if this is possible, so
    perhaps you might have to manipulate the
  • 54:31 - 54:37
    database directly. So I'm not entirely
    sure. I'm not sure, if I tried this out
  • 54:37 - 54:44
    this one. So, but however, as soon as I
    have a data, as I have database access,
  • 54:44 - 54:50
    it's entirely possible to manipulate
    anything. So. Well, we could try this out
  • 54:50 - 54:58
    again. However, I don't think that changes
    much in our result. So, yeah, that's
  • 54:58 - 55:03
    interesting questions of I cannot answer
    this right now, so I'm not sure, you Tobi,
  • 55:03 - 55:10
    have you tried out something like that?
    T: We've tried manipulating some already
  • 55:10 - 55:17
    submitted votes, but I think, this was not
    really possible. However, as you showed,
  • 55:17 - 55:23
    when you export the data and import into
    the main PC, the votes that were already
  • 55:23 - 55:28
    in place, possibly by an attacker, would
    then discard the newly imported votes. So,
  • 55:28 - 55:34
    this would probably replace this data and
    these votes, but via the Web interface, I
  • 55:34 - 55:39
    think it was not possible. However, we
    found the enough vulnerabilities with
  • 55:39 - 55:44
    database access that you could do it by
    this way, if you want to.
  • 55:44 - 55:51
    M: All right. Thank you for your
    explanation. Out of pure curiosity, people
  • 55:51 - 55:56
    ask, how did you get access to the software
    in the first place? To start your analysis?
  • 55:56 - 56:01
    J: Well, that's a good question here,
    because, theres a nice story behind that.
  • 56:01 - 56:06
    So, I was election worker and I was
    supporting setting up a system and doing
  • 56:06 - 56:12
    some IT support in the evening. And at
    some point, we tried to merge our results.
  • 56:12 - 56:17
    So we exported the results from one
    computer to move them to the other one.
  • 56:17 - 56:22
    However, the import failed, because, there
    is some artificial limitation in the
  • 56:22 - 56:28
    software. So, as soon as your export files
    are larger than 10 megabytes, they cannot
  • 56:28 - 56:34
    be imported anymore. So this happens quite
    quickly, when you have a few hundreds of
  • 56:34 - 56:38
    votes, of few hundreds of ballots and then
    the import doesn't work anymore. And I had
  • 56:38 - 56:42
    a look at this file, and that was just a
    JSON file with a lot of whitespace. So, I
  • 56:42 - 56:47
    copied all this stuff to my computer to
    fix this. And there was also later on, a
  • 56:47 - 56:51
    software fix that was published by the
    software vendor. However, then I had the
  • 56:51 - 56:56
    software on my computer, just because I
    wanted to fix this election. And it was
  • 56:56 - 57:00
    very late at night. And I returned home
    and I noticed, oh, I still have that
  • 57:00 - 57:07
    software on my computer. Let's have a look
    at this. So, yeah, it was just by chance.
  • 57:07 - 57:12
    So, I tried to fix something, got all the
    software on my PC and then I had it ready
  • 57:12 - 57:18
    to analyze even with some data on that, so
    that I really knew how this works in
  • 57:18 - 57:24
    practice. And yes, but if someone would
    try to gain access to that software,
  • 57:24 - 57:29
    that's quite simple, because they could
    just restore the deleted data from one of
  • 57:29 - 57:33
    the computers that are in the schools.
    Perhaps, someone doesn't even delete the
  • 57:33 - 57:38
    election software from their computers, in
    your school, or some person could just
  • 57:38 - 57:43
    steal one of the USB sticks, that have
    been used for installation. So, I don't
  • 57:43 - 57:54
    even think, that would be noticed then.
    M: Interesting, indeed, you mentioned in
  • 57:54 - 57:59
    your talk, that the software is certified
    by the BSI, that they claim to be
  • 57:59 - 58:03
    certified by the Open Web Application
    Security project, but how could such a
  • 58:03 - 58:08
    broken system can be certified by both
    parties in the first place? And what's
  • 58:08 - 58:12
    wrong with the certification process? Yes,
    this obviously happened. I mean, like, why
  • 58:12 - 58:19
    not use a certified. What do we do
    certified in the first place, if it gets
  • 58:19 - 58:24
    certified, even if it's broken?
    T: I think the first point about this is,
  • 58:24 - 58:28
    that we already mentioned in the talk,
    that there are no legal requirements. You
  • 58:28 - 58:33
    don't need any certification, that this
    software can be used in our voting, in our
  • 58:33 - 58:38
    elections here in Germany or in most parts
    of Germany. And additionally, this
  • 58:38 - 58:46
    screenshot we show with OWASP and the BSI
    was just the promotion of the AKDB for
  • 58:46 - 58:52
    their software, but I think there was no
    real certification attached. So, we don't
  • 58:52 - 58:58
    know if we the BSI ever saw this software for
    real or if they just put it on there and said,
  • 58:58 - 59:03
    yeah, BSI certificate certified or with
    the BSI standards in mind, like they
  • 59:03 - 59:07
    already have already the IT Grundschutz
    and they maybe tried to implement, after
  • 59:07 - 59:15
    this system architecture. But the BSI
    never checked on it. So, I don't think
  • 59:15 - 59:19
    there's any real certification for the
    software.
  • 59:19 - 59:23
    J: So, just to add a few details here,
    that's not really a certification, that
  • 59:23 - 59:29
    they just said that they follow the BSI
    and OWASP guidelines. I think, that was
  • 59:29 - 59:33
    also the wording that was used on the
    website. So, theres no real certification
  • 59:33 - 59:39
    behind that, so far.
    M: Thank you for the answer. Do you know
  • 59:39 - 59:46
    by chance, how the municipalities
    published the election results?
  • 59:46 - 59:54
    J: Well, I don't know in detail how it
    works. So, when we handed in our election
  • 59:54 - 60:00
    results, they got uploaded onto some other
    software. And that's also the end that
  • 60:00 - 60:06
    I've seen. So end up in the computer
    system and they are electronically
  • 60:06 - 60:10
    transmitted. And that, first of all, it
    generates a preliminary file. And finally,
  • 60:10 - 60:16
    that's a final result generated by it.
    However, I don't really know how this
  • 60:16 - 60:20
    works, but the election results that were
    generated, with OK.VOTE are definitely
  • 60:20 - 60:29
    going into the final result. So, perhaps
    there's also some paper based protocol
  • 60:29 - 60:33
    between them. I don't really know if
    they're using the data that's in the
  • 60:33 - 60:38
    computer or the data that is on the paper.
    But, however, it doesn't change very much
  • 60:38 - 60:46
    here.
    M: OK, on. Coming over here a bit, the
  • 60:46 - 60:51
    last question would be: What, in your
    experience, how practical and expensive
  • 60:51 - 60:56
    are hand recounts here and did you observe
    these?
  • 60:56 - 61:01
    T: I think, this is very different from
    election to election and from city to
  • 61:01 - 61:07
    city, if this is a rather small town, you
    could probably easily reelect all this or
  • 61:07 - 61:13
    all the votes and recount the votes. But,
    if this is a big city like Munich, for
  • 61:13 - 61:21
    example, with millions of votes, and you
    would have to recount this, this would
  • 61:21 - 61:26
    particularly delay the voting or the
    results pretty much. And this could have
  • 61:26 - 61:31
    really bad influences, if this would
    happen. That software has shown that kind
  • 61:31 - 61:37
    of manipulation has happened and they had
    to recount all the stuff by hand again.
  • 61:37 - 61:42
    J: So, counting this by hand is, indeed,
    very, very effortful, because they have
  • 61:42 - 61:49
    like 70 votes per ballot. And even summing
    up all that is still error prone, if it's
  • 61:49 - 61:55
    done by hand. So, it's difficult to do
    that. And up to my knowledge, it's not
  • 61:55 - 62:01
    generally recounted after the election.
    So, I try to find something in the
  • 62:01 - 62:07
    Internet regarding that. And I just found
    some PDF, that they said, well, it's not
  • 62:07 - 62:15
    feasible to recount all the election
    results and all the ballots. So, that's
  • 62:15 - 62:22
    just rather do a meter level check on: is
    the protocol complete? How about the
  • 62:22 - 62:27
    special ballots, that were not really
    clear and so on? But it's not like, every
  • 62:27 - 62:32
    ballot will be recounted, as far as I
    understand.
  • 62:32 - 62:38
    M: OK. Oh, thank you very much Tobias an
    Johannes for answering all the questions.
  • 62:38 - 62:42
    Thank you again for your talk.
    J: Thank you.
  • 62:42 - 62:42
    M: Thank you.
  • 62:42 - 63:10
    rC3 postroll music
  • 63:10 - 63:22
    Subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
#rC3 - Hacking German Elections
Description:

more » « less
Video Language:
English
Duration:
01:03:23

English subtitles

Revisions Compare revisions