rC3 preroll music
Herald: Now, our next talk is Hacking German Elections: insecure electronic vote counting, how it returned and why you don't even know about it. For the Germans listening here, did you notice that in Germany, voting became more electronic recently? In case you're outside of Germany: I do live in Germany and I did not notice that myself. However, both of our speakers volunteered as election workers in Germany and research the topic of security for elections. And they promised to tell us how this can be, and how elections can be made more secure again. Our speakers are Tobias, who is an IT security researcher focusing on offensive security, automotive security and capture the flag challenges, and Johannes, who is a post-doctoral IT security researcher. Both work together at the Fraunhofer AISEC institute. Enjoy the talk.
Silence
Johannes: Hello and welcome to our presentation on Hacking German Elections: insecure electronic vote counting, how it returned and why you don't even know about it. My name is Johannes Obermaier,
Tobias: and I am Tobias Madl. We are both very much involved in elections in Bavaria, because we're election workers and offer support here in Germany.
J: And we are offensive IT security researchers.
T: First of all, we want to talk about the scope we are presenting today. We got our information and the software for today from the municipal elections in Bavaria that took place in early 2020, and it was a computer-based vote counting technology. So we were very concerned when we interacted with it, and in the end we raised the question: are elections still secure? Next, I present the outline of what we are talking about today. First of all, we are looking at the electronic vote counting system. Next, we identified some conceptual and practical issues with this technology. Afterwards, we also inspected the software and found some insecurities. And in the end, we have a summary and conclude our presentation.
J: To understand why we need electronic vote counting, let's just have a look at the voting ballot. This voting ballot, in its paper form, is about one meter wide and 50 centimeters high. So that's quite a large ballot, and that's a lot of candidates. Let's just sum up the facts. We have a total of 599 candidates that are spread out over nine parties. Each citizen is allowed to cast up to 70 votes in this election. So that sounds simple, but it gets even more complicated now, because you can cast up to three votes per candidate, and you can even choose multiple candidates of different parties, up to your 70 votes. And even if you decide to vote for a single party, you can still strike out candidates that you personally don't like, so they don't get any votes from your ballot. That means this voting system gives a lot of power to the citizens, and voting is fun.

However, counting those ballots is very difficult, because you need to know a lot of special rules in this voting system to really count each ballot correctly. That's the reason that a software such as OK.VOTE has been developed. OK.VOTE is a typical software for elections that's also used in the polling stations for vote counting. So OK.VOTE has a quite large market share. They say they have something like 75% in Germany. So that software is used in several states. OK.VOTE has several different modules, for organizing elections, for example. But what we now have a look at in this talk is only the vote counting module of OK.VOTE, where the election workers insert each paper ballot and manually type in all the votes on each ballot, and then they are stored in the computer system. So the task of OK.VOTE is to process each ballot, to count the votes, to find out if the ballot is correct; then it stores all the ballots into its database and finally it does some magic and computes the final result. So this sounds quite similar to what a voting machine does. But wait a moment. Voting machines, in my Germany?
T: Wait, that's illegal.
J: Is it really illegal? Let's have a look at the legal regulations about it. So yes, in 2009 there was an important decision by the German Federal Constitutional Court, and they said that the use of voting computers in the 2005 Bundestag election was unconstitutional, because, for example, the voting computers were not transparent enough. So that is very similar to what we have also found for the municipal elections. But wait, that was about the Bundestag election. This is the municipal election, and we have different rules for the municipal elections. For example, there is the GLKrWO, that's the Gemeinde- und Landkreiswahlordnung Bayern, which basically translates to the Bavarian municipal election rules. And those rules say that we are indeed not allowed to use a computer for voting, but computers can be used for vote counting. So in this situation, I would expect that we have some sort of security requirements in those regulations. But I tried to find them, and I was really surprised: there are exactly zero.
T: So if there are no legal requirements, are there at least any software-side requirements or certifications for OK.VOTE which promise some security?
J: Yes, there are. So I had a look at the website and I saw this nice little paragraph here. It says: elections with security, and during the development of OK.VOTE they put the highest emphasis on the topic of security. They follow the BSI and OWASP recommendations on security, and they have a certified data center with very high security standards.
T: And what does this look like in practice?
J: Oh, I would rather not show you this here. It's really scary. This is what I saw when I walked into the election room. This is not a stock photo. I took this photo myself, and this is the reality. So I walked up to the guys and said, well, shall we really use these computers to count the election? And they said, yes, those are the computers that are available here. So I prayed to God that for some reason it would not work out. And Windows XP did not disappoint me, because when I tried to start the software, it failed, because those are 32-bit systems and OK.VOTE needs 64 bits. So yeah, that was great. So we did not use that Windows XP machine. Instead, we had to search for another machine and came across this one here. That's a Windows 10 machine. That's fine. However, it has an outdated virus scanner. Well, it's better than nothing. So this machine was used instead. But let's just keep in mind what they are promising us: election security. We really doubt that. Let's now look at the IT environment and why it came to that situation. First of all, this is not fully the fault of OK.VOTE, because it's the task of the local administration to provide hardware for vote counting, and AKDB, the vendor of OK.VOTE, says that they recommend using secure administration computers. That's fine so far, but we simply don't have enough secure administration computers for that purpose. So, for example, in the town where I'm from, we needed around 8 computers to count this election, and we simply did not have enough in the town hall. And what's even more, the election room was in a school, and there are already school PCs available there. So they were just using the school PCs. And those were even elementary school computers. So I'm not really sure if all the pupils know which link they are allowed to click and which one they should rather not click on. So these systems might be insecure, there might be malware within, and it's even possible that someone had manipulated them in advance; we cannot really exclude that. However, I don't want to blame the administration here, because they did a great job in organizing this election. It's really a lot of work for them, and they did it really well. So everything worked out well in the end. However, they are no IT security specialists, and we cannot demand from them that they know every detail of how to set up a system correctly and what the risks are that are associated with insecure computer systems in elections. That's just not their job. However, we still ended up with untrustworthy systems here, because, as we have seen before, there are no legal regulations against it. Now, let's see how we create a digital result.
T: Exactly. So we went to our polling places. We were presented with a PC each, and we got the ballot stack we had to count and then enter the results. So Johannes was Team 2 and I was Team 1, and we started entering the ballots into the PC. And from this on, they were digitized: Team 1 in green and Team 2 in blue.
J: As soon as I was finished entering my ballots, I put them on a USB drive and handed them over to Team 1.
T: Exactly. I imported these votes, because I was the master machine at this time, and the OK.VOTE software then finalised these votes and finally exported their results again onto a USB stick. And these were then delivered on for further processing.
J: What is the problem with all that? First of all, there's a lot of intransparency. So, for example, the software that is being used for vote counting, OK.VOTE, is not open source software. It's closed source and nobody was able to analyze this yet. And since this is closed source software, it is also very hard to understand how the software works and if it really counts correctly, because in the end we have hundreds of ballots there and it's really difficult to tell if they have indeed been counted correctly. And also, as we have seen before, there is no basis for secure vote counting if we have a possibly rigged computer system. We cannot exclude that someone has manipulated them before the election. So if there is some manipulation, this would hardly be detectable by a standard election worker. This means that the entire election process becomes very intransparent and hard to understand for a person who just wants to observe the election. And that is strictly against the idea of a public counting of votes.
T: So now let's talk about the step that happens after we finish counting in each of the teams.
J: So what do you do after you have exported the final election results? How do they get to the central administration?
T: Yeah, I just got into my vehicle, took the USB sticks in my pocket and drove to the master PC. But, as you maybe know, election day is always a very busy day, and some teams are slower at counting, some teams are faster. So the master team doesn't know when these USB sticks will arrive. Whether it takes two or three hours or half an hour, they don't really know. So I could just go and grab something to eat on my way. Or I can manipulate the votes. I mean, deliver the votes. And yeah, in the end, when I arrive at the master PC, I just give them my USB stick, they plug it in and take the data that is stored on there, and nothing else. And afterwards, they just upload the final results on the page.
J: Now you might think, why is it possible for him to manipulate election results? Because there's no authenticity. There's only integrity protection of the file that he is transporting, so some CRC32 and a SHA hash, but nothing like a cryptographic signature. So even if he alters the data, he can just regenerate all the integrity protection data and the data will just be accepted. So the main issue here is also that this is one of the few spots where only a single person has unsupervised access to the data at all, during transport of the voting data. And that makes manipulation possible and easily feasible in this case. And that should not be the case, especially in an electronically supported election. Now, let's have a look at the vote counting software itself, because there we found even more interesting results.
T: Exactly. Let's begin with the system architecture. First of all, this is the local or decentralized version of the software system. So all this is taking place on the local host, on the machine we encountered in the lecture rooms, and on these machines there was an Apache Tomcat web server running, which was connected to a MariaDB, and the user was interacting with the voting system via a portable Firefox. And as AKDB said before, they were very concerned with security. So let's think about which attackers they had in mind when they designed the system, and from whom the system is supposed to protect. Is it the user that maybe attacks the system, the vote counting system, which is normally just election workers who are there in their free time to help execute the election? Or did they have network attackers in mind, who come from completely different places and try to manipulate the network from outside? First of all, we took the user as one of the possible attackers. And even in this environment, we found some really broken stuff. First of all, broken access control. But what is it all about? Well, that's the login page when we just logged into our voting system and clicked on the administration page, where we can change our password and edit our profile. These are the buttons on the left. And as you can see, we are clearly logged in as the user42. And there is nothing more to do than select which counting part we want to do, the general regional vote or the municipal votes. And that's all we can do on this page. Now let's switch to the system administrator. There we have the admin account, as you can see on the upper left side, where we can now do very much more than the normal user. We are again on the administration page, but now we have the user administration where we can create or delete users. We have the reopen or close voting mechanisms. We have imports, we have exports, and also, what's not included in the screenshots, submenus like deleting finalized results and so on. So we picked out two very interesting URLs for you. First of all, we are taking the "Bezirk wieder eröffnen", which translates to reopening the election after the election has been closed normally. It's normally finalized, so no more votes can be entered into the system. And the other link is "Löschen". That translates to delete data, which then in the end deletes all the data from the machine, so no more private or secure data is stored on there. And this is what they look like when we just open them: on the left side, we see the reopen dialog; on the right side, we see the data deletion. But wait, this is not the admin view, this is the user view. So they did not check if this user is even allowed. And we also have to say that this is not just the view of it, it is fully working and completely functional when you just go through the process of deleting or reopening an election.
Alarm sound
J: What's the problem with that?
T: Yeah, as you maybe already guessed, reopening elections could create the possibility of sneaking in some additional votes for the candidate I favor, and additionally, if I want to mess with all of the voting, I could just delete all the election data and we would have to start from the beginning and completely delay or deny the voting.
J: But why is this even possible?
T: Yeah, we found out that this is their access control check in their software. This function is called getZugriffRollen, which translates to get access roles. So normally there would also be something in the software to check if this role is allowed to access this kind of site. But they just returned null and did not implement it. And that's also nice work on implementing access control. However, I think we can propose some mechanisms that could have prevented this. First of all, hidden information is nothing you can rely on. If you just don't show where you can click to get to this URL or this page, that's not really secret, because maybe you find some leaked source code, or you shoulder-surf an admin, or you just by accident type in the wrong URL and get to this hidden information. Or you, exactly, use software scanners to find something hidden. So hidden data is just not secure. And on the other hand, you should finalize your implementation of access control to actually have access control, and even test it once to be sure that it works. So in the end we can conclude that hidden data is not protected data.
T: Let's now come to another type of attack: cross-site attacks. A cross-site attack is some sort of interference between two websites, where one website, for example, tries to do something on behalf of the other. The goal is often to deceive the user or to trigger manipulations. First of all, we were quite sure that they had thought of cross-site attacks, because during our testing we saw that they included some HTTP headers that target a wide range of attack vectors that use cross-site scripting attacks. For example, here we have X-Frame-Options: same origin. That means that other pages cannot include the voting software into their own frames and so on. And also cross-site scripting protection is enabled via X-XSS-Protection. So this looks quite good, because this already excludes several attack vectors. But how about cross-site request forgery? When we first tested this, we found out that the vote counting system is not fully protected against it. What is cross-site request forgery? So in the first step, the election worker uses the integrated Firefox browser to access a malicious website. So the user is tricked into visiting this website. For example, someone sent him a link and got him to click on the link by the promise, for example, of a cute animal picture or something like that. And then the user visits this website. And this website contains form fields that resemble the form fields of the actual vote counting software. And the malicious website now triggers your browser to submit this form data, not to the original website, but rather to the vote counting software. And as soon as it reaches the Tomcat web server, the web server is confused, because the web server cannot discern the input from the cross-site attack from the malicious website from original user input. And then the Apache Tomcat server just thinks that this is original user input and will process it. And that's called a cross-site request forgery attack. So we saw that there is sometimes a protection against this sort of attack, but many pages are not protected against it. And that is very concerning, because that's a vulnerability from 2001. It's almost 20 years old now and it's still present in such a software. So this is quite unsettling. Now, let's sum this up: what we can do with it. So, first of all, the issue is that they have missing CSRF tokens or any other good countermeasure against cross-site request forgery attacks. And the second point here is that only minimal user interaction is required. The user often doesn't even see that a cross-site request forgery attack is currently being executed on his behalf. So it's almost undetectable by the user. And it's very simple to trick a user into clicking a link. So the impact is very devastating, because we can now manipulate settings in the vote counting software. And we can even insert fake ballots here.
Alarm sound
T: So what's the result of this? What can we do with it?
J: Well, we can manipulate the entire election with this. Let's just use a demo of how we do this.
T: Nice.
J: We are already logged into the vote counting system. Our username is admin321934. Now let's count some votes. As we can see here, these are all the ballots that we can enter. They are still empty, since we haven't entered any ballots yet. So let's start. For simplicity, we just have two parties here. On the left-hand side we have the good party, who wants the best for the people. On the right-hand side we have the bad party, who wants to take power and is willing to even commit election fraud. Let us begin and enter the first paper ballot. The person has voted for the good party. So we enter this into the software. Now we save the ballot and go to the next one. Again, it's a vote for the good party. Let's enter it and save it and go to the third ballot. And again, it's for the good party. Let's save our third ballot. Now we go to the ballot overview and we look at what has happened. As you can see, we now have three ballots that have successfully been entered. Next, let's check the preliminary election results. As we can see here, we have a total of three ballots that have been entered into the system. That's correct. Three ballots contained votes for the good party. That's also correct. And zero votes have been given to the bad party. That's fine so far. Next, I will show you what happens if I open a malicious website. This website will execute a CSRF attack and manipulate the election results. Let's just assume we want to take a break and simply browse Twitter. OK, here we are. There's a cute cat picture and there's a link to even more of them. Let's just play along and get tricked into clicking that link. Oh, look at all those cute animal pictures: look, a hungry rabbit, a monkey, a little hedgehog and two cute goats and so on. And when we are done browsing, we close those tabs again and return to our vote counting software. What we notice now is that our username has been altered and we just got pwned. We were tricked into visiting this malicious website. The website executed a CSRF attack on the vote counting software and did some manipulations. Let's see what else has changed. All three ballots are still there, but now we take a look at the preliminary election results. What you can see here is that the number of ballots that are in the system has been increased to eight. We now have five additional ballots that were not entered by us. As you can see, the good party still has three votes. That is what we have entered. But now the bad party has taken the lead. They have five votes now. This attack has indeed manipulated the election results. This is really bad, because we cannot even see those additional fake ballots that have been injected. However, we are lucky, because we noticed it, since we expected this attack. But we won't notice it in every case.
T: But what happens if we don't notice?
J: Well, that happens. So, for this example, we just assume that Team 1 had three ballots that they have entered into the computer system and Team 2 has six ballots that have been entered into the computer system. Now Team 1 visits a malicious website and five fake ballots are injected into the election results. In this case, the attacker is very smart and injects the ballots at the location where the Team 2 ballots will be expected in the future. So what happens now is: Team 2 exports their ballots and Team 1 tries to import the ballots of Team 2. And now the following thing happens: because there are already ballots present at the location where the Team 2 ballots should go, the import process is not fully successful and only a subset of the ballots is imported, so that the majority of the ballots, in this case five or six ballots, are just discarded, because they don't fit into the database anymore, because that location is already taken by the fake ballots. So usually we would expect that this would generate an error message or at least a warning. But this does not happen. This is a silent failure of the software. And what's even worse is that the sums are finally correct. So that means we now have nine ballots present in the system and nine paper ballots that were initially available. So this looks like we have entered all the ballots and everything seems to be fine. So we will now close the election and generate the final result. And that is what happens now. As you can see, we have only four votes for the good party, but five votes for the bad party. So the bad party has won the election by manipulating the voting system using this CSRF attack. And that should never be possible, because this is not what we expect from voting software. And in this case, the result is rigged. So have we thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other side of the coin. First, we checked the election worker side for attacks, but now we checked the network side and scanned and analyzed the system first. And then it looked like this: open ports everywhere. And as you can see, they fully exposed the Apache Tomcat and the MariaDB to each available network on the system. And with this, we thought, well, let's maybe try some newly discovered vulnerability, which was recently found in 2020, called Ghostcat. Ghostcat is an attack against the AJP protocol from Apache. But let's check the Apache system and how it's built. First, Apache has a web root which serves static resources and HTML or JSP files. And additionally, it can include class files or class servlets which are combined with these JSPs or HTML files and then served to the user. So we prepared our ajpShooter with the URL of the application, the port and the file we want to read. In our case, it's a PrivateTest class file, because what could we leak from this? But we'll see. And then we said we only want to read it, because there would even be the possibility to evaluate it and execute the code in it. So we've done this attack and, tada, we've got a result. This is the byte code of the PrivateTest class. So let's just drop this byte code into our cup of coffee and maybe we can pull out some source code from it. And yeah, that's what we've read out, because why not: just test your encryption mechanism with the string. But this is not a common string, as we later found out. This is the real root productive password of the MariaDB. And this was like:
Alarm sound
So what's the problem? As you maybe clearly see, with this attack we could leak the login of the MariaDB and probably even more logins or passwords. And additionally, we could leak the whole source code over the network without ever accessing the PC in the election room. And this was only possible because they completely exposed all machines and applications to the network, and this should never be the case. So, as a result: how can this be prevented? First, you should never expose these unneeded ports to the internet, because they don't even use the AJP proxy in their application, but just left it on the 0.0.0.0 interface. Next is: you should keep your software up to date, so that if some vulnerabilities were found, you are not vulnerable to them. And last but not least: never use productive passwords in your unit tests, because that's not the best idea. In the end, to sum it up: avoid at all costs any additional attack surface, to prevent these kinds of attacks even if you don't know about them yet.
J: So, after Tobi has shown us a lot of interesting and patchy stuff, I tested the database for its security. For the first analysis, I was just starting with the same PC on which the software was also installed, and I tried to gain access to the database. So I was coming from the host localhost. I tried to use the username root, and then I saw that I am asked for a password before I'm allowed to connect to the database. However, finding the password was quite trivial to do, because all the stuff I needed to know for that was included in that last file, and I was able to decrypt the password without any issue here. And at that moment I realized that the password that Tobi has shown us before, that he found with the Ghostcat vulnerability, is indeed the MySQL root password. So after I had access to the MySQL system, I tried to dump the user table to see which users are allowed to access the database. And that is how the user table looks. We have four times the user root, and the user root requires a password if I'm coming from localhost. But wait a moment. Here we also have the host pci90309. And as you can see here, there is no MySQL password statement. That means that someone coming from host pci90309 is allowed to connect as root and does not even need to provide any password for that. And that's really strange.
Alarm sound
T: So what could happen from this?
J: Well, now someone on the network can just launch voting manipulation. That's quite trivial, because as soon as I set my host to the correct hostname, I get full access to the database where all my local voting results are stored. And since I'm root, I can interfere with them. I can change them however I want to. And this vulnerability is so damn weird and trivial, it takes me no effort to do this at all. And so we won't even go into a demo here, because it's so stupidly simple in this case. Usually I would say that's enough for today, because we already have full access to the voting system and can change whatever we want to. However, this time we decided to go deeper, because we saw that pci90309 is a real door opener. So we have access to the voting results. We can change them, but we still don't have access to the entire voting system. So what about the PC? Might it be possible, with that root access to the database server, to gain remote code execution on that machine? So for this experiment, I used the following setup. On the right-hand side we have the voting system with the exposed MariaDB database server. On the left-hand side, that's my system. I named myself pci90309, just because I can do it, and I establish a connection to the MariaDB server. I use root as a username. I don't need any password. And it is immediately accepted. So now that I am connected, I'm allowed to issue commands. For example, I can now instruct MariaDB to enable one of its plugins. This plugin is called ha_connect. It's one of the plugins that usually come directly with MariaDB. And this is a very powerful MySQL storage driver. So now I will show you what I can do with that storage driver. Next, I will create a table that's called pwn. And I'm using the ha_connect storage driver and instruct the storage driver to create a file that's called pwn.dll and to place it right into that plugin folder. There is nothing that stops me from doing so. That is one of the special features of the ha_connect storage driver, that I can just say, this table is mapped to that file in the file system. However, this file is still empty, because the table is empty. But since this is a database, I can now just issue INSERT INTO statements and load whatever data I want to, for example some malicious DLL. I can just load it into the table via that INSERT INTO statement, and then it is directly written into our malicious DLL "pwn.dll". OK, so next, after I've finished writing, I will instruct MariaDB to enable this plugin that I have just uploaded. And enabling a plugin means that we are executing the code that is stored in this DLL file. So that means we have remote code execution.
Alarm sound
T: I don't even need to ask what you can do with remote code execution.
J: Well, I can do anything. So that means I have full control over the entire vote counting system. So I'm not only talking about the data in the database, I'm talking about the entire computer that I can now fully control and manipulate however I want to. And that's possible only by using the voting software and accessing it over the network interfaces that it had exposed. And now I'll show you how simple it is to execute an arbitrary program on the system.
T: This is the vote counting computer system. To begin, let's start the vote counting software. Now the Apache Tomcat web server and the MariaDB database server are being launched. Finally, the portable Firefox is started. The system is now ready for operation. But beware, the attacker becomes active. His host name is the infamous pci90309. Immediately, it launches the Python attack script "fun.py". It connects to the MariaDB server as root without a password and uploads a malicious DLL plugin. When the upload has finished, the malicious plugin is executed. As we can see, the calculator was started, thus remote code execution was successful. The vote counting computer system is now under the control of the attacker.
J: After we had found such devastating
issues with the vote counting software, we
immediately notified the vendor AKDB.
T: And they were very professional about
it and responded very quickly to our
initial emails. So we really like working
together with them and telling them our
results and they were always
positive about it. So they also
recommended some fixes.
J: So, for example, they told us, you
should only use that voting software in a
secure environment like in an
administrational network. However, we
don't really believe that this is a good
solution.
T: Exactly. And we are not very happy
about this proposal, because we have two
problems that still arise, even if it's in
a secure environment. First of all, an
administrative PC could still be infected
with some malware or it could be
manipulated before the election takes
place. And on the other hand, we have
this bug with the broken access control,
you remember. And even if you had
been in the secure environment, this bug
would have totally worked and you
could have completely deleted all data
or reopened elections or something
like this.
J: But we are still quite happy that they
took us seriously, because they even have
announced updates. So, for example, they
wrote us that they are planning on adding
XSRF tokens for the pages where we found
cross-site vulnerabilities. So that's
already a good step into the right
direction. So now let's summarize what we
have presented today. So first of all, we
discovered several problematic aspects
in the concept and its practical
implementation. So, first of all, the
entire voting system is running on
untrustworthy computer systems. So it
could have been manipulated beforehand.
They could have malware on them or they
just could not function correctly. So
that's already very problematic from the
beginning, because we have no underlying
trust that we can put into those systems
and we are using them to count out our
votes, to count out the entire election.
So what's even more is that, even if the
software they use and the PC that lies
behind it are secure, it still has not
enough transparency. It's very hard to
understand what the software is exactly
doing and how it is doing this. So, I
cannot really understand how it comes
to its result. Please keep in mind that
we have almost 600 candidates and several
hundreds of ballots that all have to be
input into that computer system, and then
some magic happens and it spits out its
result. So, then we just have to take this
result, because it's just impossible to
check if really each vote has been
counted correctly, or whether anything
strange has happened or any manipulation
took place.
T: And this is also possible, because we
found lots of vulnerable software and not
just the system security was affected, but
it was also absolutely possible to
manipulate the whole election from very
many parts in the network. And this leads
us to conclude that these elections are at
a high risk with this technology.
J: So, and that is the reason that we want
you as an election worker. The more eyes are
looking at the election, the more secure
it becomes. And if you are interested in
becoming an election worker, just get into
contact with the local administration.
They are always very happy to have
volunteers who want to take part as
election workers. So, from my personal
experience, I've been doing this for several
years now. It's also a lot of fun. You get
into contact with a lot of people. So I
enjoyed this a lot and I can just
recommend it, and this is a good way how
every one of us can support the democracy
in their country.
T: So, to conclude our talk, we found out
that security in this technology is really
bad and that's not all of it.
J: So, this is just the tip of the
iceberg, because we looked only at one of
the solutions that is available for vote
counting. And this was also in a special
configuration. So what is even more
difficult to see is what happens behind
all the stuff we have seen today, because,
when we export the data and bring it to
the central administration and the data is
imported and uploaded, where does all
this data go, where are all the results
from all this data from all the polling
stations summarized? We don't know
that yet, how this works. We don't have
the software that we can analyze. So
there's still a lot of work that has to be
done here to really check the entire
system. We just took a look at a very
small portion, and that is just the vote
counting software here.
T: Next, we were very shocked that this
information, that vote counting is already
shifted to software, is not publicly
known. And this is also why we created
this talk today, as this is information
that is crucial for the democracy: that
there is already this software in use and
it is not really secure. So this was a big
thing for us, to keep bringing it out to
the people.
J: So, and one other thing is, everything
that we have seen today is entirely legal,
because at least in Bavaria, we don't have
any rules or any laws against the use of
insecure computer systems, of insecure
vote counting software. So, as we've seen
in the beginning, we only have very rough
legal guidelines that say, well, you can
just use computers for vote counting, but
we need stricter guidelines here, because
it cannot continue as we've seen it today.
And in other states in Germany there is
sometimes something like, let's say,
guidelines or even a certification process
for such digital software. But in most
states that I had a look at, there are no
rules at all, and that is nothing that should
continue in the next years that way.
T: Additionally, in the end, before any of
this software to electronically count the
votes should go live, unbiased tests
should be available to everyone to prove
to themselves that this software is secure
and this software is doing what it's
promising to us. Because it is directly
influencing our democracy. And if this
software is manipulated, it manipulates
our voting, our election and our
democracy. So in the end, we can just
leave you with two questions.
T: How much digital support is required?
J: And how much is tolerable?
No Audio
Herald: Thank you very much for the
interesting talk, Johannes and Tobias. And
thank you very much for your work on the
topic. I hope you do have time for a
little Q&A. We have quite a few questions,
actually.
J: Sure.
M: All right. So the first question from
the Internet is, is there any suspicion
that these vulnerabilities have been
actively used?
J: Well, it's very hard to tell. So, at
least for the town that I am from, I did
not notice any special occurrences there.
So, however, I don't have an overview of
entire Bavaria, so, that's quite hard to
tell. I think it's even impossible to
tell, if there were any manipulation so
far. So, unfortunately, we cannot say
that.
T: Additionally, we are just at one place
in this whole system. So we don't have an
overview if there were any mismatching
numbers or any other influences that
happened but that we didn't see at the
moment, because we were just at one
position in the system, at one station
of the election.
M: OK, thank you for the answer. Ah, do
you believe that it is possible to have a
digital ballot that is as secure and
trustworthy as physical or paper based
voting is?
J: Well, in my opinion, that's not
possible, if you want to have the same
sort of transparency that we have in the
paper based voting system, because, when
we have paper based voting, we can just go
into the voting room and watch what's
going on there. We can see the ballots
that are handed in, the ballots that come
out of the box. Then they are counted
and summed up. I can really try to find
out what's going on there. I can have a
look at that. Understand what people are
doing there, but at the moment, that we
have only a digital vote, I cannot really
find out, if the computer is doing the
right thing, if there were some
manipulations. So, in terms of
transparency, I don't think it is possible
in the same. Yeah, in the same way as the
paper based ballots, for example.
T: I would have to add to this, if there
were the possibility to get the same
traceability and visibility, that you can
always see which results came from which
position, and if they are signed
very transparently, then it may be possible
in some future, but not with any kind of
this software we saw there.
M: All right. Thank you. Do you, by any
chance, know which states in Germany use
this software, OK.VOTE, so far?
T: We cannot directly say which states
actively use them, because we only took
part in elections here in Munich or
Bavaria. But we can tell that we found
very many hints in the source code that
they were also used in, for example,
Hamburg, Bremen, Hessen or Rheinland-
Pfalz, but we don't know if they were
already used there, or if it's planned to
be used there, or whether they already used
them in past elections and decided
against them for future ones. We don't
know about this exactly.
M: OK, maybe we can stay for a second on
your job as an election worker. The
process of manually entering data into the
system, is there a process for this? Do
you have an idea on the risk of this part
here?
J: Yes. So, it's basically the thing that
there are at least two or three people
sitting in front of each computer, and then
they are entering each ballot. So people
are really cross checking that the ballot
has been entered correctly. So, it's like
one person has the ballot in front of him
or her, the other person reads the
votes, and the other person types it in, and
they are cross checking each other, so
that there isn't any error when typing in
those election results into the computer.
M: All right. Thank you for the
elaboration. Someone is asking how the
system is connected to the Internet or some
other network, if the understanding of the
talk was correctly received by that
person. The results are written to some
physical medium which is then used to
transmit the results. So you send
something physically. So, why care for the
Windows version or whatever is running on
these machines? Is that a correct
understanding?
J: Well, the problem with that is that it
depends on the local administration how
they set up their computer systems. So, I
also read this in a chat here. Someone has
written that they had their voting
software in a, yeah, in a very limited
network connectivity. So, the computer was
not connected to the Internet. However, it
depends very much on the administration and on
the computer network that is being used
there. So, it is entirely possible that
computers are connected to the Internet,
because there are no guidelines on how
these computers are allowed to be set up.
So, I cannot fully exclude this. So, and
if someone, for example, just enables the
wireless network or connects to some
unsecured hotspot, they are connected
then. So, it's hard to tell here, but
I would not exclude this possibility.
T: To extend this answer: We even tried to
find out if there's any software side
protection that checks if any
internet connection is present and then
would deny this voting system. But there
wasn't, or at least we couldn't find one.
So even if the administration was not
advised that these PCs should be
disconnected from the network, there isn't
even a security mechanism in place that
would check this and stop it, or even show
a warning that this is connected and they
should be disconnected from the Internet
before the counting can begin.
M: Interesting. All right. We have one
message on the IRC, from someone who
worked with this particular piece of
software in demo mode by themselves,
obviously. And the question they have is:
Did you notice the possibility to enter
negative votes for a candidate? So saying
minus two votes, for instance.
J: Well, that's difficult to tell. I
thought about whether this is possible, so
perhaps you might have to manipulate the
database directly. So I'm not entirely
sure. I'm not sure if I tried this one
out. So, but however, as soon as I
have database access,
it's entirely possible to manipulate
anything. So. Well, we could try this out
again. However, I don't think that changes
much in our result. So, yeah, that's an
interesting question. I cannot answer
this right now, so I'm not sure, you Tobi,
have you tried out something like that?
T: We've tried manipulating some already
submitted votes, but I think this was not
really possible. However, as you showed,
when you export the data and import it into
the main PC, the votes that were already
in place, possibly by an attacker, would
then discard the newly imported votes. So,
this would probably replace this data and
these votes, but via the Web interface, I
think it was not possible. However, we
found enough vulnerabilities with
database access that you could do it
this way, if you wanted to.
M: All right. Thank you for your
explanation. Out of pure curiosity, people
ask, how did you get access to the software
in the first place? To start your analysis?
J: Well, that's a good question here,
because there's a nice story behind that.
So, I was an election worker and I was
supporting setting up a system and doing
some IT support in the evening. And at
some point, we tried to merge our results.
So we exported the results from one
computer to move them to the other one.
However, the import failed, because, there
is some artificial limitation in the
software. So, as soon as your export files
are larger than 10 megabytes, they cannot
be imported anymore. So this happens quite
quickly, when you have a few hundred
votes, a few hundred ballots, and then
the import doesn't work anymore. And I had
a look at this file, and that was just a
JSON file with a lot of whitespace. So, I
copied all this stuff to my computer to
fix this. And there was also later on, a
software fix that was published by the
software vendor. However, then I had the
software on my computer, just because I
wanted to fix this election. And it was
very late at night. And I returned home
and I noticed, oh, I still have that
software on my computer. Let's have a look
at this. So, yeah, it was just by chance.
So, I tried to fix something, got all the
software on my PC and then I had it ready
to analyze even with some data on that, so
that I really knew how this works in
practice. And yes, but if someone would
try to gain access to that software,
that's quite simple, because they could
just restore the deleted data from one of
the computers that are in the schools.
Perhaps, someone doesn't even delete the
election software from their computers, in
your school, or some person could just
steal one of the USB sticks, that have
been used for installation. So, I don't
even think, that would be noticed then.
M: Interesting, indeed. You mentioned in
your talk that the software is certified
by the BSI, that they claim to be
certified by the Open Web Application
Security Project, but how could such a
broken system be certified by both
parties in the first place? And what's
wrong with the certification process? Yes,
this obviously happened. I mean, like, why
not use a certified one? What do we do
certification for in the first place, if it gets
certified even if it's broken?
T: I think the first point about this is,
as we already mentioned in the talk,
that there are no legal requirements. You
don't need any certification so that this
software can be used in our voting, in our
elections here in Germany, or in most parts
of Germany. And additionally, this
screenshot we showed with OWASP and the BSI
was just the promotion of the AKDB for
their software, but I think there was no
real certification attached. So, we don't
know if the BSI ever saw this software for
real, or if they just put it on there and said,
yeah, BSI certified, or with
the BSI standards in mind, like they
already have the IT-Grundschutz
and they maybe tried to implement after
this system architecture. But the BSI
never checked on it. So, I don't think
there's any real certification for the
software.
J: So, just to add a few details here,
that's not really a certification, they
just said that they follow the BSI
and OWASP guidelines. I think that was
also the wording that was used on the
website. So, there's no real certification
behind that, so far.
M: Thank you for the answer. Do you know
by chance, how the municipalities
published the election results?
J: Well, I don't know in detail how it
works. So, when we handed in our election
results, they got uploaded onto some other
software. And that's also the end that
I've seen. So they end up in the computer
system and they are electronically
transmitted. And that, first of all,
generates a preliminary file. And finally,
there's a final result generated by it.
However, I don't really know how this
works, but the election results that were
generated with OK.VOTE are definitely
going into the final result. So, perhaps
there's also some paper based protocol
between them. I don't really know if
they're using the data that's in the
computer or the data that is on the paper.
But, however, it doesn't change very much
here.
M: OK. Coming over here a bit, the
last question would be: What, in your
experience, how practical and expensive
are hand recounts here, and did you observe
these?
T: I think this is very different from
election to election and from city to
city. If this is a rather small town, you
could probably easily recollect all this, or
all the votes, and recount the votes. But
if this is a big city like Munich, for
example, with millions of votes, and you
would have to recount this, this would
particularly delay the voting or the
results pretty much. And this could have
really bad influences, if this would
happen, that software has shown that kind
of manipulation has happened and they had
to recount all the stuff by hand again.
J: So, counting this by hand is, indeed,
very, very effortful, because they have
like 70 votes per ballot. And even summing
up all that is still error prone, if it's
done by hand. So, it's difficult to do
that. And to my knowledge, it's not
generally recounted after the election.
So, I tried to find something on the
Internet regarding that. And I just found
some PDF where they said, well, it's not
feasible to recount all the election
results and all the ballots. So, they'd
rather just do a meta level check on: is
the protocol complete? How about the
special ballots that were not really
clear, and so on? But it's not like every
ballot will be recounted, as far as I
understand.
M: OK. Oh, thank you very much Tobias and
Johannes for answering all the questions.
Thank you again for your talk.
J: Thank you.
M: Thank you.
rC3 postroll music
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!