1
00:00:00,000 --> 00:00:12,256
rC3 preroll music
2
00:00:12,256 --> 00:00:18,400
Herald: Now, our next talk is Hacking
German elections, insecure electronic
3
00:00:18,400 --> 00:00:23,600
voting count, vote counting, how it
returned and why you don't even know about
4
00:00:23,600 --> 00:00:32,330
it. For the Germans listening here, did
you notice that in Germany, voting became
5
00:00:32,330 --> 00:00:37,647
more electronic recently? In case you're
from outside Germany: I do live in Germany and I
6
00:00:37,647 --> 00:00:43,200
did not notice that myself. However, both
of our speakers volunteered as election
7
00:00:43,200 --> 00:00:50,080
workers in Germany and do research on the
topic of security for elections. And they
8
00:00:50,080 --> 00:00:56,630
promised to tell us how this can be, how
elections can be made more secure again.
9
00:00:56,630 --> 00:01:01,680
Our speakers are Tobias, he is an IT-
Security researcher focusing on offensive
10
00:01:01,680 --> 00:01:07,120
security, automotive security and capture
the flag challenges. And Johannes. He's a
11
00:01:07,120 --> 00:01:11,960
post-doctoral IT-Security researcher and
both work together at the
12
00:01:11,960 --> 00:01:18,528
Fraunhofer AISEC Institute.
Enjoy the talk.
13
00:01:18,528 --> 00:01:24,722
Silence
14
00:01:24,722 --> 00:01:29,450
Johannes: Hello and welcome to our
presentation on Hacking German Elections.
15
00:01:29,450 --> 00:01:33,840
Insecure electronic vote counting, how it
returned and why you don't even know about
16
00:01:33,840 --> 00:01:39,840
it. My name is Johannes Obermaier.
Tobias: And I am Tobias Madl. We are both
17
00:01:39,840 --> 00:01:44,720
very much involved in elections in Bavaria
because we're election workers and offer
18
00:01:44,720 --> 00:01:49,200
support here in Germany.
J: And we are offensive IT-Security
19
00:01:49,200 --> 00:01:52,778
researchers.
T: First of all, we want to talk about the
20
00:01:52,778 --> 00:01:59,554
scope we are presenting today. We got our
information and the software from today,
21
00:01:59,554 --> 00:02:06,048
from the municipal elections in Bavaria
happening in early 2020. And it was a
22
00:02:06,048 --> 00:02:12,237
computer-based vote counting technology.
So we were very concerned, when we
23
00:02:12,237 --> 00:02:16,620
interacted with it. And in the end, we
featured the question: are elections
24
00:02:16,620 --> 00:02:24,025
still secure? Next, I present the
outline we are talking about today, and
25
00:02:24,025 --> 00:02:28,862
first of all, we are looking at the
electronic vote counting system. And next,
26
00:02:28,862 --> 00:02:34,425
we identified some conceptual and
practical issues with this technology.
27
00:02:34,735 --> 00:02:40,626
Afterwards, we also inspected the software
and found some insecurities. And in the
28
00:02:40,626 --> 00:02:46,727
end, we have a summary and conclude our
presentation.
29
00:02:46,727 --> 00:02:52,060
J: To understand why we need electronic
vote counting, let's just have a look at
30
00:02:52,060 --> 00:02:57,766
the voting ballot. This voting ballot is
in its paper form about one meter wide and
31
00:02:57,766 --> 00:03:03,466
50 centimeters high. So, that's quite a
large ballot; that's a lot of candidates.
32
00:03:03,466 --> 00:03:11,091
Let's just sum up the facts. So, we have a
total of 599 candidates that are spread
33
00:03:11,091 --> 00:03:17,287
out over nine parties. Each citizen is
allowed to cast up to 70 votes in this
34
00:03:17,287 --> 00:03:23,150
election. So, that sounds simple, but it
gets even more complicated now, because
35
00:03:23,150 --> 00:03:28,616
you can cast up to three votes per
candidate and you can even choose multiple
36
00:03:28,616 --> 00:03:35,572
candidates of different parties up to your
70 votes. And even if you decide yourself
37
00:03:35,572 --> 00:03:40,771
to vote for a single party, you can still
strike out candidates that you personally
38
00:03:40,771 --> 00:03:46,142
don't like. And so they don't get any
votes from your ballot. That means, this
39
00:03:46,142 --> 00:03:51,984
voting system gives a lot of power to the
citizens and voting is fun.
40
00:03:51,984 --> 00:03:57,902
However, counting out those ballots is very
difficult because you need to know a lot
41
00:03:57,902 --> 00:04:03,986
of special rules in this voting system to
really count each ballot correctly. That's
42
00:04:03,986 --> 00:04:09,320
the reason that software such as OK.VOTE
has been developed. OK.VOTE is a typical
43
00:04:09,320 --> 00:04:15,154
software for elections that's also used in
the polling stations for vote counting.
44
00:04:15,154 --> 00:04:20,478
So, OK.VOTE has a quite large market
share. They say they have, like, 75% in
45
00:04:20,478 --> 00:04:26,112
Germany. So that software is used in
several states. OK.VOTE has several
46
00:04:26,112 --> 00:04:32,114
different modules for organizing
elections, for example. But what we now
47
00:04:32,114 --> 00:04:40,082
have a look at in this talk is only the
vote counting module of OK.VOTE, where the
48
00:04:40,082 --> 00:04:47,328
election voters insert each paper ballot
and manually type in all the votes on
49
00:04:47,328 --> 00:04:52,928
each ballot and then they are stored in
the computer system. So, and the task of
50
00:04:52,928 --> 00:04:58,734
OK.VOTE is to process each ballot to count
the votes, to find out if the ballot is
51
00:04:58,734 --> 00:05:03,708
correct, then it stores all the ballots
into its database and finally it does some
52
00:05:03,708 --> 00:05:10,065
magic and computes the final result. So,
this sounds quite similar to what a voting
53
00:05:10,065 --> 00:05:17,592
machine does. But wait a moment. Voting
machines, in my Germany?
54
00:05:17,592 --> 00:05:22,585
T: Wait, that's illegal.
J: Is it really illegal? Let's have a look
55
00:05:22,585 --> 00:05:29,618
at the legal regulations about it. So,
yes, in 2009, there was an important
56
00:05:29,618 --> 00:05:35,258
decision by the German federal
constitutional court, and they said that
57
00:05:35,258 --> 00:05:40,474
the use of voting computers in the 2005
Bundestag election was unconstitutional.
58
00:05:40,474 --> 00:05:48,755
Because, for example, the voting computers were
not transparent enough. So, that is very
59
00:05:48,755 --> 00:05:54,393
similar to what we have also found
for the municipal elections. But wait, we
60
00:05:54,393 --> 00:05:58,564
are here talking about the Bundestag
election. But this is the municipal
61
00:05:58,564 --> 00:06:03,430
election and we have different rules for
the municipal elections. For example,
62
00:06:03,430 --> 00:06:10,374
there is the GLKrWO, that's the Gemeinde-
und Landkreiswahlordnung Bayern,
63
00:06:10,374 --> 00:06:16,605
which basically translates to the Bavarian
municipal election rules. And those rules
64
00:06:16,605 --> 00:06:23,009
say that we are indeed not allowed to use
a computer for voting, but computers can
65
00:06:23,009 --> 00:06:29,417
be used for vote counting. So, and in this
situation, I would expect, that we have
66
00:06:29,417 --> 00:06:35,686
some sort of security requirements there
in those regulations. But I tried to find
67
00:06:35,686 --> 00:06:40,713
them. And I was really surprised. There
are exactly zero.
68
00:06:40,713 --> 00:06:45,370
T: So, if there are no legal requirements,
are there at least any software side
69
00:06:45,370 --> 00:06:50,590
requirements or certifications for
OK.VOTE which promise some security?
70
00:06:50,590 --> 00:06:55,813
J: Yes, there are. So, I had a look at the
website and I saw this nice little
71
00:06:55,813 --> 00:07:03,127
paragraph here. And it says "Elections
with security", and during the development
72
00:07:03,127 --> 00:07:10,540
of OK.VOTE, they put the highest emphasis
on the topic security. They follow the BSI
73
00:07:10,540 --> 00:07:16,193
and OWASP recommendations on security, and
they have a certified data center with
74
00:07:16,193 --> 00:07:20,540
very high security standards.
T: And what does this look like in
75
00:07:20,540 --> 00:07:23,507
practice?
J: Oh, I rather would not show you this
76
00:07:23,507 --> 00:07:29,597
here. It's really scary. This is what
I have seen here, when I walked in the
77
00:07:29,597 --> 00:07:33,909
election room. This is not a stock photo.
I took this photo myself and this is the
78
00:07:33,909 --> 00:07:40,187
reality. So, I walked up to the guys and
said, well, shall we really use these
79
00:07:40,187 --> 00:07:44,069
computers to count out the elections and
they said, yes, those are the computers
80
00:07:44,069 --> 00:07:50,037
that are available here. So, and I pray to
God that for some reason this does not work
81
00:07:50,037 --> 00:07:55,102
out. And Windows XP did not disappoint me
because when I tried to start the
82
00:07:55,102 --> 00:08:02,812
software, it failed because those are
32-bit systems and OK.VOTE needs 64 bits. So,
83
00:08:02,812 --> 00:08:09,354
yeah, that was great. So, we did not use
that Windows XP machine. So, instead we
84
00:08:09,354 --> 00:08:14,331
had to search for another machine and came
across this one here. That's a Windows 10
85
00:08:14,331 --> 00:08:20,749
machine. That's fine. However, it has an
outdated virus scanner. So, well, it's
86
00:08:20,749 --> 00:08:26,916
better than nothing. So, this machine was
used instead then. So, but just let's keep
87
00:08:26,916 --> 00:08:34,246
in mind what they are promising us:
election security. We really doubt that.
88
00:08:34,726 --> 00:08:39,503
Let's now look at the IT environment and
why it came to that situation. So, first
89
00:08:39,503 --> 00:08:46,211
of all, this is not fully the fault of
OK.VOTE, because it's the task for the
90
00:08:46,211 --> 00:08:53,682
local administration to provide hardware
for vote counting and AKDB, the vendors of
91
00:08:53,682 --> 00:08:59,771
OK.VOTE, say that they recommend using
secure administration computers. That's
92
00:08:59,771 --> 00:09:05,515
fine so far, but we simply don't have
enough secure administration computers for
93
00:09:05,515 --> 00:09:10,845
that purpose. So, for example, in the town
where I'm from, we needed around 8
94
00:09:10,845 --> 00:09:16,571
computers to count out this election and
we simply did not have enough in the town
95
00:09:16,571 --> 00:09:23,211
hall. And what's even more, the election
room, it was in a school and there are
96
00:09:23,211 --> 00:09:27,923
already school PCs available there. So,
they were just using the school PCs. So,
97
00:09:27,923 --> 00:09:33,520
and those were even elementary school
computers. So, I'm not really sure about,
98
00:09:33,520 --> 00:09:38,466
if all the pupils know, which link they
are allowed to click and which one they
99
00:09:38,466 --> 00:09:43,991
should rather not click on. So, these
systems might be insecure, there might be
100
00:09:43,991 --> 00:09:49,038
malware within, and it's even possible
that someone has manipulated them in
101
00:09:49,038 --> 00:09:55,854
advance; we cannot really exclude that.
However, I don't want to blame the
102
00:09:55,854 --> 00:10:00,058
administration here because they did a
great job in organizing this election.
103
00:10:00,058 --> 00:10:05,967
It's really a lot to do for them and they did
really well. So, everything worked out
104
00:10:05,967 --> 00:10:12,283
well at the end. However, they are not IT-
Security specialists and we cannot demand
105
00:10:12,283 --> 00:10:18,532
from them, that they know each detail on
how to set up a system correctly and what
106
00:10:18,532 --> 00:10:24,045
the risks are that are associated with
insecure computer systems in elections.
107
00:10:24,045 --> 00:10:29,890
That's just not their job. So, however, we
still ended up with untrustworthy systems
108
00:10:29,890 --> 00:10:36,069
here. Because, as we have seen before,
there are no legal regulations against it.
109
00:10:36,069 --> 00:10:40,108
Now, let's see how we create a digital
result.
110
00:10:40,108 --> 00:10:47,214
T: Exactly. So, we went to our voting
places. Each one of us
111
00:10:47,214 --> 00:10:52,811
got a PC and we got the ballot stack we
had to count, and then we entered the results.
112
00:10:52,811 --> 00:10:59,468
So, Johannes was Team 2 and I was Team 1
and we started entering the ballots in the
113
00:10:59,468 --> 00:11:06,232
PC. And from then on, they were digitized:
Team 1 in green and Team 2 in blue.
114
00:11:06,232 --> 00:11:11,103
J: As soon as I was finished entering my
ballots, I put them on a USB drive and
115
00:11:11,103 --> 00:11:16,735
handed them over to Team 1.
T: Exactly. I imported these votes,
116
00:11:16,735 --> 00:11:22,094
because I was the master machine at this
time, and the OK.VOTE software then
117
00:11:22,094 --> 00:11:28,578
finalized these elections and
exported their results finally again on a
118
00:11:28,578 --> 00:11:34,055
USB stick. And these were then delivered
on for further processing.
119
00:11:34,055 --> 00:11:39,160
J: What is the problem with that all?
First of all, there's a lot of
120
00:11:39,160 --> 00:11:43,301
intransparency. So, for example, the
software that is being used for vote
121
00:11:43,301 --> 00:11:49,171
counting, OK.VOTE, it's not open source
software. It's closed source and nobody
122
00:11:49,171 --> 00:11:55,572
was able to analyze this yet. So, and
since this is closed source software, it
123
00:11:55,572 --> 00:12:00,433
is also very hard to understand how the
software works and if it really counts
124
00:12:00,433 --> 00:12:05,192
correctly. Because, in the end, we
have hundreds of ballots there and it's
125
00:12:05,192 --> 00:12:10,217
really difficult to tell, if they have,
indeed, been counted correctly. So, and
126
00:12:10,217 --> 00:12:16,887
although we have seen this before, there
is no basis for a secure vote counting, if
127
00:12:16,887 --> 00:12:22,264
we have a possibly rigged computer system.
So, we cannot exclude that someone has
128
00:12:22,264 --> 00:12:29,346
manipulated them pre-election wise. So, if
there is some manipulation, this would
129
00:12:29,346 --> 00:12:34,988
hardly be detectable by a standard
election worker. So, this means that the
130
00:12:34,988 --> 00:12:40,947
entire election process becomes very
intransparent and hard to understand for a
131
00:12:40,947 --> 00:12:46,460
person who just wants to observe the
election. So, that is strictly against the
132
00:12:46,460 --> 00:12:52,953
idea of a public counting of votes.
T: So, now let's talk about the step that
133
00:12:52,953 --> 00:12:58,323
happens after we finish counting
in each of the teams.
134
00:12:58,323 --> 00:13:02,038
J: So, what do you do after you have
exported the final election results?
135
00:13:02,038 --> 00:13:04,581
How do they come to the
central administration?
136
00:13:04,581 --> 00:13:10,666
T: Yeah, I just entered my vehicle and
took the USB sticks in my pocket and drove
137
00:13:10,666 --> 00:13:17,868
to the master PC. But, as you maybe know,
Election Day is always a very busy day and
138
00:13:17,868 --> 00:13:24,386
maybe some teams are slower at counting.
Some teams are faster. So, the master team
139
00:13:24,386 --> 00:13:29,052
doesn't know when these USB sticks arrive.
If they take two or three hours or half an
140
00:13:29,052 --> 00:13:33,191
hour, they don't know really. So, I could
just go and grab something to eat on my
141
00:13:33,191 --> 00:13:39,311
way. Or I can manipulate the vote. I mean,
deliver the votes. And yeah, in the end,
142
00:13:39,311 --> 00:13:44,307
one day, when I arrive at the master PC, I
just give them my USB stick, they enter it
143
00:13:44,307 --> 00:13:48,340
and they take the data that is stored on
there and nothing else. And afterwards,
144
00:13:48,340 --> 00:13:52,574
they just uploaded the final
results on the page.
145
00:13:52,574 --> 00:13:59,035
J: Now you might think, why is it possible
for him to manipulate election results?
146
00:13:59,035 --> 00:14:04,844
Because there's no authenticity. There's
only integrity protection of the file that
147
00:14:04,844 --> 00:14:10,388
he is transporting. So some CRC32 and a
SHA hash, but nothing like a cryptographic
148
00:14:10,388 --> 00:14:16,464
signature. So, even if he alters the data,
he can just regenerate all the integrity
149
00:14:16,464 --> 00:14:22,089
protection data and the data will just be
accepted. So, the main issue here is also,
150
00:14:22,089 --> 00:14:28,508
that this is one of the few spots where
only a single person has unsupervised
151
00:14:28,508 --> 00:14:34,268
access to the data during transport of the
voting data at all. And that makes
152
00:14:34,268 --> 00:14:39,255
manipulations possible and easily feasible
in this case. And that should not be the
153
00:14:39,255 --> 00:14:48,145
case, especially in an electronically
supported election. Now, let's have a look
154
00:14:48,145 --> 00:14:52,487
at the vote counting software itself,
because there we found even more
155
00:14:52,487 --> 00:14:55,962
interesting results.
T: Exactly. Let's begin with the system
156
00:14:55,962 --> 00:15:01,951
architecture. First of all, this is the
local or decentralized version of the
157
00:15:01,951 --> 00:15:08,008
software system. So all this is taking
place on the local host, on the machine we
158
00:15:08,008 --> 00:15:13,154
encountered in the lecture rooms and on
these machines there was an Apache Tomcat
159
00:15:13,154 --> 00:15:18,011
web server running, which was connected to
a MariaDB, and the user was interacting
160
00:15:18,011 --> 00:15:25,414
with the voting system via a portable
Firefox and, as AKDB said before, they
161
00:15:25,414 --> 00:15:33,166
were very concerned with security. So,
let's think about what attackers they
162
00:15:33,166 --> 00:15:38,349
had in mind when they designed the system
and which the system is supposed to protect
163
00:15:38,349 --> 00:15:44,342
from. Is it the user that maybe attacks
the system, the vote count system, which
164
00:15:44,342 --> 00:15:51,336
is normally just election workers that are
in their free time there to help execute
165
00:15:51,336 --> 00:15:57,549
the election, or are they having the
network attackers in mind that come from
166
00:15:57,549 --> 00:16:03,077
completely different places and try to
manipulate the network from outside? First
167
00:16:03,077 --> 00:16:09,895
of all, we took the user as one of the
possible attackers. And even in this
168
00:16:09,895 --> 00:16:15,412
environment, we found some really broken
stuff. First of all, a broken access
169
00:16:15,412 --> 00:16:20,525
control. But what's it all about?
Well, that's the login page when we just
170
00:16:20,525 --> 00:16:26,630
logged into our voting system and clicked on
administration page where we can change
171
00:16:26,630 --> 00:16:31,467
our password and edit our profile. These
are the buttons on the left. And as you
172
00:16:31,467 --> 00:16:36,585
can see, we are clearly logged in as the
user42. And there is nothing more to do
173
00:16:36,585 --> 00:16:42,976
than select which counting part we want
to do, the general regional vote or the
174
00:16:42,976 --> 00:16:48,223
municipal votes. And that's all we can
do on this page. Now let's switch to the
175
00:16:48,223 --> 00:16:53,726
system administrator. There we have the
admin account, as you can see on the left
176
00:16:53,726 --> 00:17:00,193
upper side, where we can now do very much
more than the normal user. We are again on
177
00:17:00,193 --> 00:17:04,483
the administration page, but now we have
the user administration where we can
178
00:17:04,483 --> 00:17:12,495
create or delete users. We have the reopen
or close voting mechanisms. We have
179
00:17:12,495 --> 00:17:18,471
imports, we have exports and also, what's
not included in the screenshots, submenus
180
00:17:18,471 --> 00:17:25,003
like deleting finalized results and so
on. So, we picked out two very interesting
181
00:17:25,003 --> 00:17:31,602
URLs for you. First of all, we are taking
the "Bezirk wieder eröffnen" which is
182
00:17:31,602 --> 00:17:36,360
just translated as reopening the election
after the election has been closed as normal. It's
183
00:17:36,360 --> 00:17:41,296
normally finalized, so no more votes can
be entered in the system. And the other
184
00:17:41,296 --> 00:17:46,709
link is "Löschen". So that translates to
delete data, which then in the end deletes
185
00:17:46,709 --> 00:17:53,156
all the data from the machine. So, no
more private or secure data is stored on
186
00:17:53,156 --> 00:17:59,470
there. And this is what they look like
when we just open them. On the left side,
187
00:17:59,470 --> 00:18:04,428
we see the reopen dialog. On the right
side, we see the data delete. But wait,
188
00:18:04,428 --> 00:18:12,609
this is not the admin view, this is the
user view. So, they did not check if this
189
00:18:12,609 --> 00:18:18,184
user is even allowed. And we also have to
say, that this is not just the view of it,
190
00:18:18,184 --> 00:18:22,008
it is fully working and is completely
functional, when you just go through the
191
00:18:22,008 --> 00:18:25,533
process of deleting or reopening an
election.
192
00:18:25,533 --> 00:18:29,296
Alarm sound
J: What's the problem with that?
193
00:18:29,296 --> 00:18:33,754
T: Yeah, as you maybe already guessed,
reopening elections could create a
194
00:18:33,754 --> 00:18:38,529
probability of sneaking in some additional
votes for the candidate I favor and
195
00:18:38,529 --> 00:18:44,795
additionally, if I want to mess with all
of the voting, I could just delete all the
196
00:18:44,795 --> 00:18:50,043
election data and we would have to start
from the beginning and completely delay or
197
00:18:50,043 --> 00:18:53,422
deny the voting.
J: But why is this even possible?
198
00:18:53,422 --> 00:18:59,710
T: Yeah, we found out that this is their
access control check in their software.
199
00:18:59,710 --> 00:19:05,694
This function is called getZugriffRollen,
which translates to get access roles. So
200
00:19:05,694 --> 00:19:10,859
normally there will also be the software
in place to check if this role is allowed
201
00:19:10,859 --> 00:19:15,304
to access this kind of site. But they just
return null and have not implemented it.
202
00:19:15,304 --> 00:19:21,863
And that's also nice work to implement
access control. However, I think we can
203
00:19:21,863 --> 00:19:27,422
propose some mechanisms that could have
prevented this. First of all, hidden
204
00:19:27,422 --> 00:19:33,174
information is nothing you could rely on.
If you just don't show where you can click
205
00:19:33,174 --> 00:19:38,835
to get to this URL or to this page, that's
not really secret because maybe you find
206
00:19:38,835 --> 00:19:43,488
some leaked source code or you
shoulder-surf an admin or you just by
207
00:19:43,488 --> 00:19:48,774
accident type in the wrong url and get to
this hidden information. Or you, exactly,
208
00:19:48,774 --> 00:19:54,505
use software scanners to find something
hidden. So hidden data is just not secure.
209
00:19:54,505 --> 00:19:59,009
And on the other hand, you should finalize
your implementation of access control to
210
00:19:59,009 --> 00:20:03,394
have access control and even test it
once to be sure that it works. So in the
211
00:20:03,394 --> 00:20:07,678
end we can conclude that hidden
data is not protected data.
212
00:20:07,678 --> 00:20:11,802
T: Let's now come to another type of
attack: cross-site attacks. A cross-site
213
00:20:11,802 --> 00:20:17,009
attack is some sort of interference
between two websites. Where one website,
214
00:20:17,009 --> 00:20:21,862
for example, tries to do something on
behalf of the other. The goal is often to
215
00:20:21,862 --> 00:20:27,052
deceive the user or to trigger
manipulations. First of all, we were quite
216
00:20:27,052 --> 00:20:33,217
sure that they have thought of cross-site
attacks. Because during our testing, we saw
217
00:20:33,217 --> 00:20:39,979
that they included some HTTP headers that
target a wide range of attack vectors that
218
00:20:39,979 --> 00:20:45,140
use cross-site scripting attacks. For
example, here we have X-Frame-Options:
219
00:20:45,140 --> 00:20:52,179
SAMEORIGIN. That means that other pages
can not include the voting software into
220
00:20:52,179 --> 00:20:56,608
their own frames and so on. And also
cross-site scripting protection is enabled
221
00:20:56,608 --> 00:21:03,739
via X-XSS-Protection. So this looks quite
good because this already excludes several
222
00:21:03,739 --> 00:21:10,328
attack vectors. But how about cross-site
request forgery? When we first tested
223
00:21:10,328 --> 00:21:16,157
this, we found out that the vote counting
system is not fully protected against it.
224
00:21:16,157 --> 00:21:21,490
What is cross-site request forgery? So in
the first step, the election worker uses
225
00:21:21,490 --> 00:21:26,566
the integrated Firefox browser to access
a malicious website. So the user is
226
00:21:26,566 --> 00:21:31,965
triggered to visit this website. For
example, someone sent him a link and triggered
227
00:21:31,965 --> 00:21:37,805
him to click on the link with the promise,
for example, of a cute animal picture or
228
00:21:37,805 --> 00:21:43,088
some sort of that. And then the user
visits this website. And this website
229
00:21:43,088 --> 00:21:47,972
contains form fields that resemble the
form fields of the actual vote counting
230
00:21:47,972 --> 00:21:53,890
software. And the malicious website now
triggers your browser to submit this form
231
00:21:53,890 --> 00:21:59,576
data, not to the original website, but
rather to the vote counting software. And
232
00:21:59,576 --> 00:22:04,489
as soon as it reaches the Tomcat web
server, the web server is confused.
233
00:22:04,489 --> 00:22:11,266
Because the web server cannot discern the
input from the cross-site attack from the
234
00:22:11,266 --> 00:22:15,432
malicious website from original user
input. And then the Apache Tomcat server
235
00:22:15,432 --> 00:22:20,482
just thinks that this is original user
input and will process it. And that's
236
00:22:20,482 --> 00:22:25,550
called a cross-site request forgery
attack. So we saw that there is sometimes
237
00:22:25,550 --> 00:22:31,360
a protection against this sort of attack.
But many pages are not protected against
238
00:22:31,360 --> 00:22:37,647
it. And that is very concerning because
that's a 2001 vulnerability. It's almost
239
00:22:37,647 --> 00:22:43,873
20 years old now and it's still present in
such a software. So this is quite
240
00:22:43,873 --> 00:22:49,950
unsettling here. Now, let's sum this up:
what we can do with it. So, first of all,
241
00:22:49,950 --> 00:22:55,508
the issue is that they have missing CSRF
tokens or any other good countermeasure
242
00:22:55,508 --> 00:23:00,456
against cross-site request forgery
attacks. And the second point is here,
243
00:23:00,456 --> 00:23:05,161
that only minimal user interaction is
required. The user often doesn't even see
244
00:23:05,161 --> 00:23:11,233
that a cross-site request forgery attack
is currently being executed on his behalf.
245
00:23:11,233 --> 00:23:15,695
So it's almost undetectable by the user.
And it's very simple to trick a user into
246
00:23:15,695 --> 00:23:22,824
clicking a link. So the impact is very
devastating because we can now manipulate
247
00:23:22,824 --> 00:23:29,414
settings in the vote counting software.
And we can even insert fake ballots here.
248
00:23:29,414 --> 00:23:33,604
Alarm sound
T: So what's the result of this?
249
00:23:33,604 --> 00:23:37,899
What can we do with it?
J: Well, we can manipulate the entire
250
00:23:37,899 --> 00:23:42,534
election with this. Let's just use a demo
of how we do this.
251
00:23:42,534 --> 00:23:45,009
T: Nice.
J: We are already logged into the vote
252
00:23:45,009 --> 00:23:54,763
counting system. Our username is
admin321934. Now let's count some votes.
253
00:23:54,763 --> 00:23:59,625
As we can see here, these are all the
ballots that we can enter. They are still
254
00:23:59,625 --> 00:24:07,226
empty since we haven't entered any ballots
yet. So let's start. For simplicity, we
255
00:24:07,226 --> 00:24:12,337
just have two parties here. On the left
hand side we have the good party, who
256
00:24:12,337 --> 00:24:16,812
wants the best for the people. On the
right hand side we have the bad party
257
00:24:16,812 --> 00:24:22,339
who wants to take power and is willing to
even commit election fraud. Let us begin
258
00:24:22,339 --> 00:24:27,957
and enter the first paper ballot. The
person has voted for the good party. So we
259
00:24:27,957 --> 00:24:37,867
enter this into the software. Now we save
the ballot and go to the next one. Again,
260
00:24:37,867 --> 00:24:44,743
it's a vote for the good party. Let's
enter it and save it and go to the third
261
00:24:44,743 --> 00:24:52,906
ballot. And again, it's for the good
party. Let's save our third ballot. Now we
262
00:24:52,906 --> 00:24:59,870
go to the ballot overview and we look at what
has happened. As you can see, we now have
263
00:24:59,870 --> 00:25:05,244
three ballots that have successfully been
entered. Next, let's check the
264
00:25:05,244 --> 00:25:11,353
preliminary election results. As we can
see here, we have a total of three ballots
265
00:25:11,353 --> 00:25:15,983
that have been entered into the system.
That's correct. Three ballots contained
266
00:25:15,983 --> 00:25:21,764
votes for the good party. That's also
correct. And zero votes have been given to
267
00:25:21,764 --> 00:25:28,235
the bad party. That's fine so far. Next, I
will show you what happens if I open a
268
00:25:28,235 --> 00:25:32,616
malicious website. This website will
execute a CSRF attack and manipulate the
269
00:25:32,616 --> 00:25:38,335
election results. Let's just assume we
want to take a break and simply browse
270
00:25:38,335 --> 00:25:54,058
Twitter. OK, here we are. There's a cute
cat picture and there's a link to even
271
00:25:54,058 --> 00:26:02,388
more of them. Let's just play along and
get tricked into clicking that link. Oh,
272
00:26:02,388 --> 00:26:08,001
look at all those cute animal pictures,
look, a hungry rabbit, a monkey, a little
273
00:26:08,001 --> 00:26:14,318
hedgehog and two cute goats and so on, and
when we are done browsing, we close those
274
00:26:14,318 --> 00:26:23,343
tabs again and return to our vote counting
software. What we notice now is, that our
275
00:26:23,343 --> 00:26:29,460
username has been altered and we just got
pwned. We were tricked into visiting this
276
00:26:29,460 --> 00:26:34,599
malicious website. The website executed a
CSRF attack on the vote counting software
277
00:26:34,599 --> 00:26:42,758
and did some manipulations. Let's see what
else has changed. However, all three
278
00:26:42,758 --> 00:26:48,426
ballots are still there, but now we take a
look at the preliminary election results.
279
00:26:48,426 --> 00:26:53,792
What you can see here is that the number
of ballots that are in the system has been
280
00:26:53,792 --> 00:26:58,190
increased to eight. We now have five
additional ballots that were not entered
281
00:26:58,190 --> 00:27:03,728
by us. As you can see, the good party
still has three votes. That is what we
282
00:27:03,728 --> 00:27:09,531
have entered. But now the bad party has
taken the lead. They have five votes now.
283
00:27:09,531 --> 00:27:15,648
This attack has indeed manipulated the
election results. This is really bad
284
00:27:15,648 --> 00:27:21,111
because we cannot even see those
additional fake ballots that have been
285
00:27:21,111 --> 00:27:26,789
injected. However, we are lucky because we
noticed it since we expected this
286
00:27:26,789 --> 00:27:32,288
attack. But we won't notice
it in every case.
287
00:27:33,563 --> 00:27:39,124
T: But what happens if we don't notice?
J: Well, that happens. So, for this
288
00:27:39,124 --> 00:27:44,213
example, we just assume that team 1 had
three ballots that they have entered into
289
00:27:44,213 --> 00:27:48,247
the computer system and team 2 has six
ballots that have been entered into the
290
00:27:48,247 --> 00:27:55,038
computer system. Now team one visits a
malicious website and five fake ballots
291
00:27:55,038 --> 00:28:01,085
are injected into the election results. In
this case, the attacker is very smart and
292
00:28:01,085 --> 00:28:06,498
injects the ballots at the location where
the team 2 ballots will be expected in the
293
00:28:06,498 --> 00:28:14,209
future. So what happens now is: team 2
exports their ballots and team 1 tries to
294
00:28:14,209 --> 00:28:20,736
import the ballots of team 2. And now the
following thing happens: Because there are
295
00:28:20,736 --> 00:28:26,460
already ballots present at the location
where the team 2 ballots should go to, the
296
00:28:26,460 --> 00:28:32,353
import process is not fully successful and
only a subset of the ballots are imported
297
00:28:32,353 --> 00:28:37,955
so that the majority of the ballots, in
this case five or six ballots, are just
298
00:28:37,955 --> 00:28:42,483
discarded because they don't fit in the
database anymore because that location is
299
00:28:42,483 --> 00:28:48,120
already taken by the fake ballots. So
usually we would expect that this can
300
00:28:48,120 --> 00:28:52,786
generate an error message or at least a
warning. But this does not happen. This is
301
00:28:52,786 --> 00:28:59,567
a silent failure of the software. And
what's even worse is now that the sums
302
00:28:59,567 --> 00:29:04,639
finally are correct. So that means we now
have nine ballots present in the system
303
00:29:04,639 --> 00:29:09,926
and nine paper ballots that were initially
available. So this looks like we have
304
00:29:09,926 --> 00:29:14,250
entered all the ballots and everything
seems to be fine. So we will now close the
305
00:29:14,250 --> 00:29:19,486
election and generate the final result.
And that is what happens now. As you can
306
00:29:19,486 --> 00:29:25,624
see, we have only four votes for the good
party, but five votes for the bad party.
307
00:29:25,624 --> 00:29:31,747
So the bad party has won the election by
manipulating the voting system, using this
308
00:29:31,747 --> 00:29:38,272
CSRF attack. And that should never be
possible because this is not what we
309
00:29:38,272 --> 00:29:45,812
expect for a voting software. And in this
case, the result is rigged. So have we
310
00:29:45,812 --> 00:29:50,570
thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other
311
00:29:50,570 --> 00:29:55,010
side of the coin. First, we checked the
election worker side for attacks, but now
312
00:29:55,010 --> 00:30:00,345
we checked the network side and scanned
and analyzed the system at first. And then
313
00:30:00,345 --> 00:30:07,530
it looked like this: Open ports
everywhere. And as you can see, they fully
314
00:30:07,530 --> 00:30:13,729
exposed the Apache Tomcat and the MariaDB
to each available network on the system.
315
00:30:13,729 --> 00:30:19,010
And with this, we thought, well, let's maybe
try some newly discovered vulnerability,
316
00:30:19,010 --> 00:30:25,090
which was recently found in 2020 called
Ghostcat. And Ghostcat is an attack
317
00:30:25,090 --> 00:30:31,290
against AJP protocol from Apache. But
let's check the Apache system and how it's
318
00:30:31,290 --> 00:30:37,780
built. First, Apache has a web root which
serves static resources and HTML or JSP
319
00:30:37,780 --> 00:30:43,270
files. And additionally, it can include
class files or servlets which are
320
00:30:43,270 --> 00:30:48,979
combined with these JSPs or HTML files and
then served to the user. So we prepared
321
00:30:48,979 --> 00:30:56,503
our ajpShooter with the URL of the
application, the port and the file we want
322
00:30:56,503 --> 00:31:01,980
to read. In our case, it's a PrivateTest
class file because, what we
323
00:31:01,980 --> 00:31:07,250
could leak about this, but we'll see. And
then we said we only want to read it
324
00:31:07,250 --> 00:31:10,750
because there would even be the
possibility to evaluate it and execute the
325
00:31:10,750 --> 00:31:17,600
code in it. So we've done this attack and
TADA we've got a result. This is the byte
326
00:31:17,600 --> 00:31:22,510
code of the PrivateTest class. So let's
just drop this byte code in our cup of
327
00:31:22,510 --> 00:31:29,132
coffee and maybe we can pull out some
source code from it. And yeah that's what
328
00:31:29,132 --> 00:31:36,700
we've read out because why not. Just test
your encryption mechanism with the string.
329
00:31:36,700 --> 00:31:42,020
But this is not a common string, as we
later found out. This is the real root
330
00:31:42,020 --> 00:31:45,661
productive password of the MariaDB. And
this was like:
331
00:31:45,661 --> 00:31:51,775
Alarm sound
So what's the problem? As you maybe
332
00:31:51,775 --> 00:31:56,850
clearly see with this attack, we could
leak out the login of the MariaDB and
333
00:31:56,850 --> 00:32:02,363
probably even more logins or passwords.
And additionally, we could leak the whole
334
00:32:02,363 --> 00:32:08,392
source code over the network without ever
accessing the PC in the election room. And
335
00:32:08,392 --> 00:32:15,533
this was only possible because they
completely exposed all machines and
336
00:32:15,533 --> 00:32:22,285
applications to the network and this
should never be the case. So in result:
337
00:32:22,285 --> 00:32:26,902
How can this be prevented? First, you
should never expose these unneeded ports
338
00:32:26,902 --> 00:32:31,445
to the internet because they don't even use
the AJP proxy in their application, but
339
00:32:31,445 --> 00:32:38,185
just left it on the 0.0.0.0 interface.
Next is: You should keep your software up
340
00:32:38,185 --> 00:32:43,948
to date, so that if some vulnerabilities are
found, you are not vulnerable to them.
341
00:32:43,948 --> 00:32:49,771
And last but not least: Never use
productive passwords in your unit tests
342
00:32:49,771 --> 00:32:55,430
because that's not the best idea to do. In
the end, to sum it up: Avoid at all costs
343
00:32:55,430 --> 00:33:01,316
any additional attack surface to prevent
these kinds of attacks, even if you don't
344
00:33:01,316 --> 00:33:04,671
know about them yet.
J: So, after Tobi has shown us a lot of
345
00:33:04,671 --> 00:33:09,759
interesting Apache stuff, I tested the
database for its security. For the first
346
00:33:09,759 --> 00:33:14,918
analysis, I was just starting with the
same PC, but also the software was
347
00:33:14,918 --> 00:33:20,154
installed and I tried to gain access to
the database. So it was coming from the
348
00:33:20,154 --> 00:33:25,040
host localhost. I tried to use the
username root and then I saw that I am
349
00:33:25,040 --> 00:33:29,723
asked for a password before I'm allowed to
connect to the database. However, finding
350
00:33:29,723 --> 00:33:35,338
the password was quite trivial to do
because all the stuff I needed to know for
351
00:33:35,338 --> 00:33:40,744
that was included in that last file and I
was able to decrypt the password without
352
00:33:40,744 --> 00:33:46,397
any issue here. And that moment I realized
that also the password that Tobi has shown
353
00:33:46,397 --> 00:33:51,313
us before, that he found with the Ghostcat
vulnerability is indeed the MySQL root
354
00:33:51,313 --> 00:33:58,846
password here. So after I had access to
the MySQL system, I tried to dump the user
355
00:33:58,846 --> 00:34:05,507
table to look which users are allowed to
access the database. So and that is how
356
00:34:05,507 --> 00:34:11,357
the user table looks like. We have four
times the user root and the user root
357
00:34:11,357 --> 00:34:16,576
requires a password if I'm coming from
localhost. But wait a moment. Here we also
358
00:34:16,576 --> 00:34:23,840
have the host pci90309. And as you can see
here, there is no MySQL password
359
00:34:23,840 --> 00:34:29,687
statement. That means that someone coming
from host pci90309 is almost allowed to
360
00:34:29,687 --> 00:34:37,518
connect as root and does not even need to
provide any password for that. And that's
361
00:34:37,518 --> 00:34:42,104
really strange.
Alarm sound
362
00:34:42,104 --> 00:34:50,530
T: So what could happen from this?
J: Well, now someone on the network can
363
00:34:50,530 --> 00:34:56,310
now just lump voting manipulation. That's
quite trivial because as soon as I set my
364
00:34:56,310 --> 00:35:01,250
host to the correct hostname, I get full
access to the database where all my local
365
00:35:01,250 --> 00:35:05,750
voting results are stored. And since I'm
root, I can interfere with them. I can
366
00:35:05,750 --> 00:35:09,943
change them however I want to. And this
vulnerability is so damn weird and
367
00:35:09,943 --> 00:35:16,850
trivial, it takes me no effort to do this
at all. And so we won't even go into a
368
00:35:16,850 --> 00:35:22,770
demo here because it's so stupid simple in
this case. Usually I would say that's
369
00:35:22,770 --> 00:35:28,370
enough for today because we already have
full access to the voting system and can
370
00:35:28,370 --> 00:35:33,620
change whatever we want to. However, this
time we decided to go deeper because we
371
00:35:33,620 --> 00:35:42,290
saw pci90309 is a real door opener. So we
have access to the voting results. We can
372
00:35:42,290 --> 00:35:47,630
change them, but we still don't have
access to the entire voting system. So
373
00:35:47,630 --> 00:35:52,186
what about the PC? Might it be possible,
with that root access to the database
374
00:35:52,186 --> 00:35:59,840
server, to gain remote code execution at
that machine? So for this experiment, I
375
00:35:59,840 --> 00:36:04,740
used the following setup. On the right hand
side we have a voting system with the
376
00:36:04,740 --> 00:36:10,620
exposed MariaDB database server. On the
left hand side that's my system. I named
377
00:36:10,620 --> 00:36:16,480
myself pci90309, just because I can do it,
and I establish a connection to the
378
00:36:16,480 --> 00:36:23,927
MariaDB server. I use root as a username.
I don't need any password. And it is
379
00:36:23,927 --> 00:36:30,119
immediately accepted. So now that I am
connected, I'm allowed to issue commands.
380
00:36:30,119 --> 00:36:36,440
For example, I can now instruct MariaDB to
enable one of its plugins. This plugin is
381
00:36:36,440 --> 00:36:42,390
called ha_connect. It's one of the plugins
that usually come directly with MariaDB.
382
00:36:42,390 --> 00:36:49,980
And this is a very powerful MySQL storage
driver. So now I will show you what I can
383
00:36:49,980 --> 00:36:57,020
do with that storage driver. So at next, I
will now create a table that's called pwn.
384
00:36:57,020 --> 00:37:02,538
And I'm using the ha_connect storage
driver and instruct the storage driver to
385
00:37:02,538 --> 00:37:09,470
create a file that's called pwn.dll and to
place it right into that plugin folder.
386
00:37:09,470 --> 00:37:14,270
There is nothing that stops me from doing
so. So that is one of the special features
387
00:37:14,270 --> 00:37:20,289
of the ha_connect storage driver, that I
can just say, this table is mapped to that
388
00:37:20,289 --> 00:37:25,180
file in the file system. However, this
file is still empty because the table is
389
00:37:25,180 --> 00:37:30,690
empty. But since this is a database, I can
now just issue INSERT INTO statements and
390
00:37:30,690 --> 00:37:36,430
load whatever data I want to, for example,
some malicious DLL. I can just load into
391
00:37:36,430 --> 00:37:41,270
the table, via that INSERT INTO a
statement, and then it is directly written
392
00:37:41,270 --> 00:37:49,470
into our malicious DLL "pwn.dll". Ok, so
at next, after I've finished writing, I
393
00:37:49,470 --> 00:37:55,060
will instruct MariaDB to enable this
plugin that I have just uploaded. And
394
00:37:55,060 --> 00:38:00,447
enabling a plugin means that we are
executing the code that is stored in this
395
00:38:00,447 --> 00:38:05,184
DLL file. So that means we have remote
code execution.
396
00:38:05,184 --> 00:38:09,960
Alarm sound
T: I don't even ask what you can do with
397
00:38:09,960 --> 00:38:14,410
remote code execution.
J: Well, I can do anything. So that means
398
00:38:14,410 --> 00:38:19,870
I have now got full control over the
entire vote counting system. So I'm not
399
00:38:19,870 --> 00:38:24,520
only talking about the data in the
database, I'm talking about the entire
400
00:38:24,520 --> 00:38:30,040
computer that I can now fully control and
manipulate however I want to. And that's
401
00:38:30,040 --> 00:38:35,580
possible, only by using the voting
software and accessing it over the network
402
00:38:35,580 --> 00:38:41,080
interfaces that it had exposed. And now
I'll show you how simple this is to
403
00:38:41,080 --> 00:38:49,720
execute an arbitrary program on the system.
T: This is the vote counting computer
404
00:38:49,720 --> 00:39:01,575
system. To begin, let's start the vote
counting software. Now, the Apache Tomcat
405
00:39:01,575 --> 00:39:07,733
Web server and the MariaDB database server
are being launched. Finally, the Firefox
406
00:39:07,733 --> 00:39:14,598
portable is started. The system is now
ready for operation. But beware, the
407
00:39:14,598 --> 00:39:21,954
attacker becomes active. His host name is
the infamous pci90309. Immediately, it
408
00:39:21,954 --> 00:39:28,738
launches the python attack script
"fun.py". It connects to the MariaDB
409
00:39:28,738 --> 00:39:34,845
server as root without a password and
uploads a malicious DLL plugin. When the
410
00:39:34,845 --> 00:39:41,512
upload has been finished, the malicious
plugin is executed. As we can see, the
411
00:39:41,512 --> 00:39:47,506
calculator was started, thus remote code
execution was successful. The vote
412
00:39:47,506 --> 00:39:52,869
counting computer system is now under
control of the attacker.
413
00:39:52,869 --> 00:40:00,893
J: After we had found such devastating
issues with the vote counting software, we
414
00:40:00,893 --> 00:40:06,156
immediately notified the vendor AKDB.
T: And they were very professional about
415
00:40:06,156 --> 00:40:11,269
it and responded very quickly to our
initial emails. So we really like working
416
00:40:11,269 --> 00:40:18,114
together with them and telling them our
results and they were always
417
00:40:18,114 --> 00:40:23,340
positive about it. So they also
recommended some fixes.
418
00:40:23,340 --> 00:40:27,624
J: So, for example, they told us, you
should only use that voting software in a
419
00:40:27,624 --> 00:40:31,662
secure environment like in an
administrational network. However, we
420
00:40:31,662 --> 00:40:35,890
don't really believe that this is a good
solution.
421
00:40:35,890 --> 00:40:39,563
T: Exactly. And we are not very happy
about this proposal, because we have two
422
00:40:39,563 --> 00:40:44,645
problems that still arise, even if it's in
a secure environment. First of all, an
423
00:40:44,645 --> 00:40:50,325
administrative PC could still be infected
with some malware or it could be
424
00:40:50,325 --> 00:40:55,583
manipulated before the election takes
place. And on the other hand, we have
425
00:40:55,583 --> 00:40:59,988
this bug with the broken access control,
you remember. And even if you would have
426
00:40:59,988 --> 00:41:05,130
been in the secure environment, this bug
would have totally worked and you
427
00:41:05,130 --> 00:41:09,303
could have completely deleted all data
work or reopened elections or something
428
00:41:09,303 --> 00:41:12,260
like this.
J: But we are still quite happy that they
429
00:41:12,260 --> 00:41:17,833
took us seriously, because they even have
announced updates. So, for example, they
430
00:41:17,833 --> 00:41:23,090
wrote us that they are planning on adding
XSRF tokens for the pages where we found
431
00:41:23,090 --> 00:41:28,302
cross-site vulnerabilities. So that's
already a good step into the right
432
00:41:28,302 --> 00:41:35,020
direction. So now let's summarize what we
have presented today. So first of all, we
433
00:41:35,020 --> 00:41:40,408
discovered several problematic aspects
in the concept and its practical
434
00:41:40,408 --> 00:41:45,241
implementation. So, first of all, the
entire voting system, it's running on
435
00:41:45,241 --> 00:41:50,384
untrustworthy computer systems. So it
could have been manipulated beforehand.
436
00:41:50,384 --> 00:41:56,055
They could have malware on them or they
just could not function correctly. So
437
00:41:56,055 --> 00:42:00,638
that's already very problematic from the
beginning, because we have no underlying
438
00:42:00,638 --> 00:42:05,946
trust that we can put into those systems
and we are using them to count out our
439
00:42:05,946 --> 00:42:11,702
votes, to count out the entire election.
So what's even more is that even if they
440
00:42:11,702 --> 00:42:19,430
use the software and the PC that lies
beneath it is secure, it still does not have
441
00:42:19,430 --> 00:42:25,326
enough transparency. It's very hard to
understand what the software is exactly
442
00:42:25,326 --> 00:42:31,001
doing and how it is doing this. So, I
cannot really understand how it comes
443
00:42:31,001 --> 00:42:36,034
to its result. Please keep in mind, that
we have almost 600 candidates and several
444
00:42:36,034 --> 00:42:42,445
hundreds of ballots that have all to be
input into that computer system and then
445
00:42:42,445 --> 00:42:47,504
some magic happens and it spits out its
result. So, then we just have to take this
446
00:42:47,504 --> 00:42:53,417
result, because it's just impossible to
check, if really each vote has been
447
00:42:53,417 --> 00:42:57,822
counted correctly or whether anything
strange has happened or any manipulation
448
00:42:57,822 --> 00:43:00,619
took place.
T: And this is also possible, because we
449
00:43:00,619 --> 00:43:07,262
found lots of vulnerable software and not
just the system security was affected, but
450
00:43:07,262 --> 00:43:12,208
it was also absolutely possible to
manipulate the whole election from very
451
00:43:12,208 --> 00:43:19,954
many parts in the network. And this leads
us to conclude that these elections are at
452
00:43:19,954 --> 00:43:24,900
a high risk with this technology.
J: So, and that is the reason that we want
453
00:43:24,900 --> 00:43:31,125
you as an election worker. The more eyes are
looking at the election, the more secure
454
00:43:31,125 --> 00:43:35,539
it becomes. And if you are interested in
becoming an election worker, just get into
455
00:43:35,539 --> 00:43:40,212
contact with the local administration.
They are always very happy to have
456
00:43:40,212 --> 00:43:45,222
volunteers, who want to take part as
election workers. So and for my personal
457
00:43:45,222 --> 00:43:49,961
experience, I have been doing this for several
years now. It's also a lot of fun. You get
458
00:43:49,961 --> 00:43:54,727
into contact with a lot of people. So I
enjoyed this a lot and I can just
459
00:43:54,727 --> 00:44:00,790
recommend it, and this is a good way
every one of us can support democracy
460
00:44:00,790 --> 00:44:05,273
in their country.
T: So, to conclude our talk, we found out
461
00:44:05,273 --> 00:44:11,593
that security in this technology is really
bad and that's not all of it.
462
00:44:11,593 --> 00:44:16,986
J: So, this is just the tip of the
iceberg, because we looked only at one of
463
00:44:16,986 --> 00:44:21,965
the solutions that is available for vote
counting. And this was also in a special
464
00:44:21,965 --> 00:44:28,086
configuration. So what is even more
difficult to see is, what happens behind
465
00:44:28,086 --> 00:44:34,597
all the stuff we have seen today, because,
when we export the data and bring it to
466
00:44:34,597 --> 00:44:40,264
the central administration and the data is
imported and uploaded, so where does all
467
00:44:40,264 --> 00:44:44,910
this data go, where are all the results
from all this data from all the polling
468
00:44:44,910 --> 00:44:49,603
stations summarized? We don't know
that yet, how this works. We don't have
469
00:44:49,603 --> 00:44:53,868
the software, that we can analyze. So
there's still a lot of work that has to be
470
00:44:53,868 --> 00:44:59,355
done. Here to really check the entire
system, we just took a look at a very
471
00:44:59,355 --> 00:45:04,149
small portion and that is just the vote
counting software here.
472
00:45:04,149 --> 00:45:08,647
T: Next, we were very shocked that this
information, that vote counting is already
473
00:45:08,647 --> 00:45:14,458
shifted to software, is not publicly
known. And this is also why we created
474
00:45:14,458 --> 00:45:19,947
this talk today, as this is information
that is crucial for democracy: that
475
00:45:19,947 --> 00:45:26,788
there is already this software in use and
it is not really secure. So this was a big
476
00:45:26,788 --> 00:45:33,530
thing for us to keep bringing it out to
the people.
477
00:45:33,530 --> 00:45:37,829
J: So and one other thing is, everything
that we have seen today is entirely legal,
478
00:45:37,829 --> 00:45:44,312
because at least in Bavaria, we don't have
any rules or any laws against the use of
479
00:45:44,312 --> 00:45:50,098
insecure computer systems, or insecure
vote counting software. So, as we've seen
480
00:45:50,098 --> 00:45:55,611
in the beginning, we only have very rough
legal guidelines that say, well, you can
481
00:45:55,611 --> 00:46:00,322
just use computers for vote counting, but
we need stricter guidelines here, because
482
00:46:00,322 --> 00:46:06,794
it cannot continue as we've seen it today
and in other states in Germany there is
483
00:46:06,794 --> 00:46:12,304
sometimes something like, let's say,
guidelines or even certification process
484
00:46:12,304 --> 00:46:18,347
for such digital software. But in most
states that I had a look at, there are no
485
00:46:18,347 --> 00:46:23,780
rules at all and nothing that should
continue in the next years that way.
486
00:46:23,780 --> 00:46:29,963
T: Additionally, in the end, before any of
this software to electronically count the
487
00:46:29,963 --> 00:46:36,671
votes should go live, unbiased tests for
everyone should be available to prove
488
00:46:36,671 --> 00:46:41,965
themselves, that this software is secure
and this software is doing what it's
489
00:46:41,965 --> 00:46:46,530
promising to us. Because it is directly
influencing our democracy. And if this
490
00:46:46,530 --> 00:46:52,002
software is manipulated, it manipulates
our voting, our election and our
491
00:46:52,002 --> 00:46:56,333
democracy. So in the end, we can just
leave you with two questions.
492
00:46:56,333 --> 00:47:01,158
T: How much digital support is required?
J: And how much is tolerable?
493
00:47:01,158 --> 00:47:18,528
No Audio
494
00:47:18,528 --> 00:47:25,709
Herald: Thank you very much for the
interesting talk, Johannes and Tobias. And
495
00:47:25,709 --> 00:47:30,136
thank you very much for your work on the
topic. I hope you do have time for a
496
00:47:30,136 --> 00:47:36,095
little Q&A. We have quite a few questions,
actually.
497
00:47:36,095 --> 00:47:39,244
J: Sure.
M: All right. So the first question from
498
00:47:39,244 --> 00:47:45,468
the Internet is, is there any suspicion
that these vulnerabilities have been
499
00:47:45,468 --> 00:47:49,404
actively used?
J: Well, it's very hard to tell. So, at
500
00:47:49,404 --> 00:47:57,617
least for the town that I am from, I did
not notice any special occurrences there.
501
00:47:57,617 --> 00:48:04,994
So, however, I don't have an overview of
entire Bavaria, so, that's quite hard to
502
00:48:04,994 --> 00:48:09,707
tell. I think it's even impossible to
tell, if there were any manipulation so
503
00:48:09,707 --> 00:48:15,395
far. So, unfortunately, we cannot say
that.
504
00:48:15,395 --> 00:48:20,292
T: Additionally, we are just at one place
in this whole system. So we don't have an
505
00:48:20,292 --> 00:48:25,328
overview of whether there were any mismatching
numbers or any other influences that
506
00:48:25,328 --> 00:48:30,702
happened, but that we didn't see at the
moment, because we were just at one
507
00:48:30,702 --> 00:48:35,589
position in the system, at one station
of the election.
508
00:48:35,589 --> 00:48:41,470
M: OK, thank you for the answer. Ah, do
you believe that it is possible to have a
509
00:48:41,470 --> 00:48:46,300
digital ballot that is as secure and
trustworthy as physical or paper based
510
00:48:46,300 --> 00:48:51,560
voting is?
J: Well, in my opinion, that's not
511
00:48:51,560 --> 00:48:56,560
possible, if you want to have the same
sort of transparency that we have in the
512
00:48:56,560 --> 00:49:02,010
paper based voting system, because, when
we have paper based voting, we can just go
513
00:49:02,010 --> 00:49:07,470
into the voting room and watch what's
going on there. We can see the ballots
514
00:49:07,470 --> 00:49:12,690
that are handed in, the ballots that come
out of the box. Then, they are counted,
515
00:49:12,690 --> 00:49:17,990
are summed up. I can really try to find
out what's going on there. I can have a
516
00:49:17,990 --> 00:49:24,220
look at that. Understand what people are
doing there, but at the moment, that we
517
00:49:24,220 --> 00:49:29,840
have only a digital vote, I cannot really
find out, if the computer is doing the
518
00:49:29,840 --> 00:49:34,190
right thing, if there were some
manipulations. So, in terms of
519
00:49:34,190 --> 00:49:40,830
transparency, I don't think it is possible
in the same. Yeah, in the same way as the
520
00:49:40,830 --> 00:49:47,910
paper based ballots, for example.
T: I would have to add to this, if there
521
00:49:47,910 --> 00:49:53,750
were the possibility to get the same
traceability and visibility that you can
522
00:49:53,750 --> 00:50:00,240
always see which results came from, from
which position. And if they are signed
523
00:50:00,240 --> 00:50:07,260
very transparent, then it may be possible
in any future, but not with any kind of
524
00:50:07,260 --> 00:50:16,299
this software, we saw there.
M: All right. Thank you. Do you, by any
525
00:50:16,299 --> 00:50:21,552
chance, know which states in Germany use
this software OK.VOTE so far?
526
00:50:21,552 --> 00:50:29,257
T: We cannot directly say which states
actively use them, because we only took
527
00:50:29,257 --> 00:50:34,249
part in elections here in Munich or
Bavaria. But, we can tell, that we found
528
00:50:34,249 --> 00:50:40,130
many hints in the source code that
they were also used in, for example,
529
00:50:40,130 --> 00:50:47,481
Hamburg, Bremen, Hessen or Rheinland-
Pfalz, but we don't know if they were
530
00:50:47,481 --> 00:50:54,180
already used there or if it's planned to
be used there, or if they already used
531
00:50:54,180 --> 00:50:59,010
them in the past elections and decided
against them for future ones. We don't
532
00:50:59,010 --> 00:51:03,330
know about this, exactly.
M: OK, maybe we can stay for a second on
533
00:51:03,330 --> 00:51:11,190
your job as an election worker. The
process of manually entering data into the
534
00:51:11,190 --> 00:51:16,610
system, is there a process for this? Do
you have an idea on the risk of this part
535
00:51:16,610 --> 00:51:21,069
here?
J: Yes. So, it's basically the thing, that
536
00:51:21,069 --> 00:51:26,401
there are at least two or three people
sitting in front of each computer and then
537
00:51:26,401 --> 00:51:30,930
they are entering each ballot. So people
are really cross checking that the ballot
538
00:51:30,930 --> 00:51:36,180
has been entered correctly. So, it's like
one person has the ballot in front of him
539
00:51:36,180 --> 00:51:42,290
or her and the other person reads the
votes and the other person types it in and
540
00:51:42,290 --> 00:51:47,645
they are cross checking each other. So,
that there isn't any error while typing in
541
00:51:47,645 --> 00:51:54,250
those election results in the computer.
M: All right. Thank you for the
542
00:51:54,250 --> 00:52:00,300
elaboration. Someone is asking how the
system is connected to the Internet or some
543
00:52:00,300 --> 00:52:05,870
other network, if the understanding of the
talk was correctly received by that
544
00:52:05,870 --> 00:52:09,740
person. The results are written to some
physical medium which is turned in to
545
00:52:09,740 --> 00:52:15,560
transmit the results. So you send
something physically. So, why care for the
546
00:52:15,560 --> 00:52:20,305
Windows version or the, what is running on
these machines? Is that correct
547
00:52:20,305 --> 00:52:24,941
understanding?
J: Well, the problem with that is, that it
548
00:52:24,941 --> 00:52:30,011
depends on the local administration, how
they set up their computer systems. So, I
549
00:52:30,011 --> 00:52:36,242
also read this in a chat here. Someone has
written, that they had their voting
550
00:52:36,242 --> 00:52:44,530
software in a, yeah, in a very limited
network connectivity. So, the computer was
551
00:52:44,530 --> 00:52:49,960
not connected to the Internet. However, it
depends very much on the administration and on
552
00:52:49,960 --> 00:52:54,666
the computer network that is being used
there. So, it is entirely possible that
553
00:52:54,666 --> 00:52:59,902
computers are connected to the Internet,
because there are no guidelines on how
554
00:52:59,902 --> 00:53:06,480
these computers are allowed to be set up.
So, I cannot fully exclude this. So, and
555
00:53:06,480 --> 00:53:11,370
if someone, for example, just enables the
wireless network or connects to some
556
00:53:11,370 --> 00:53:16,834
unsecured hotspot, they are connected
then. So, it's hard to tell here, but
557
00:53:16,834 --> 00:53:22,640
I would not exclude this possibility.
T: To extend this answer, we even tried to
558
00:53:22,640 --> 00:53:27,490
find out, if there's any software side
protection that checks, if there is any
559
00:53:27,490 --> 00:53:31,189
internet connection present and then
would deny this voting system. But, there
560
00:53:31,189 --> 00:53:36,480
wasn't or at least we couldn't find one.
So even if the administration was not
561
00:53:36,480 --> 00:53:44,020
advised whether these PCs should be
disconnected from the network, there isn't
562
00:53:44,020 --> 00:53:47,914
even a security mechanism in place, that
would check this and stop it or even show
563
00:53:47,914 --> 00:53:51,860
a warning, that this is connected and they
should be disconnected from the Internet
564
00:53:51,860 --> 00:53:59,700
before the counting can begin.
M: Interesting. All right. We have one
565
00:53:59,700 --> 00:54:03,780
message on the IRC, from someone who
worked with this particular piece of
566
00:54:03,780 --> 00:54:09,540
software in demo mode by themselves,
obviously. And the question they have, is:
567
00:54:09,540 --> 00:54:17,890
Did you notice the possibility to enter
negative votes for a candidate? So saying
568
00:54:17,890 --> 00:54:25,760
minus two votes, for instance.
J: Well, that's difficult to tell. I
569
00:54:25,760 --> 00:54:31,200
thought about, if this is possible, so
perhaps you might have to manipulate the
570
00:54:31,200 --> 00:54:37,360
database directly. So I'm not entirely
sure. I'm not sure, if I tried this out
571
00:54:37,360 --> 00:54:43,600
this one. But however, as soon as I
have database access,
572
00:54:43,600 --> 00:54:49,920
it's entirely possible to manipulate
anything. So. Well, we could try this out
573
00:54:49,920 --> 00:54:57,520
again. However, I don't think that changes
much in our result. So, yeah, that's
574
00:54:57,520 --> 00:55:03,040
an interesting question, but I cannot answer
this right now, so I'm not sure. Tobi,
575
00:55:03,040 --> 00:55:10,080
have you tried out something like that?
T: We've tried manipulating some already
576
00:55:10,080 --> 00:55:17,040
submitted votes, but I think this was not
really possible. However, as you showed,
577
00:55:17,040 --> 00:55:22,640
when you export the data and import it into
the main PC, the votes that were already
578
00:55:22,640 --> 00:55:28,080
in place, possibly by an attacker, would
then discard the newly imported votes. So,
579
00:55:28,080 --> 00:55:34,238
this would probably replace this data and
these votes, but via the Web interface, I
580
00:55:34,238 --> 00:55:38,988
think it was not possible. However, we
found enough vulnerabilities with
581
00:55:38,988 --> 00:55:43,512
database access that you could do it
this way, if you want to.
582
00:55:43,512 --> 00:55:50,524
M: All right. Thank you for your
explanation. Out of pure curiosity, people
583
00:55:50,524 --> 00:55:55,984
ask: how did you get access to the software
in the first place, to start your analysis?
584
00:55:55,984 --> 00:56:00,514
J: Well, that's a good question here,
because there's a nice story behind that.
585
00:56:00,514 --> 00:56:06,304
So, I was an election worker and I was
supporting setting up a system and doing
586
00:56:06,304 --> 00:56:12,470
some IT support in the evening. And at
some point, we tried to merge our results.
587
00:56:12,470 --> 00:56:17,297
So we exported the results from one
computer to move them to the other one.
588
00:56:17,297 --> 00:56:22,377
However, the import failed because there
is some artificial limitation in the
589
00:56:22,377 --> 00:56:27,616
software. So, as soon as your export files
are larger than 10 megabytes, they cannot
590
00:56:27,616 --> 00:56:33,667
be imported anymore. So this happens quite
quickly when you have a few hundred
591
00:56:33,667 --> 00:56:38,479
votes, or a few hundred ballots, and then
the import doesn't work anymore. And I had
592
00:56:38,479 --> 00:56:42,106
a look at this file, and that was just a
JSON file with a lot of whitespace. So, I
593
00:56:42,106 --> 00:56:46,750
copied all this stuff to my computer to
fix this. And there was also later on, a
594
00:56:46,750 --> 00:56:51,251
software fix that was published by the
software vendor. However, then I had the
595
00:56:51,251 --> 00:56:56,466
software on my computer, just because I
wanted to fix this election. And it was
596
00:56:56,466 --> 00:57:00,328
very late at night. And I returned home
and I noticed, oh, I still have that
597
00:57:00,328 --> 00:57:06,867
software on my computer. Let's have a look
at this. So, yeah, it was just by chance.
598
00:57:06,867 --> 00:57:11,943
So, I tried to fix something, got all the
software on my PC and then I had it ready
599
00:57:11,943 --> 00:57:18,028
to analyze even with some data on that, so
that I really knew how this works in
600
00:57:18,028 --> 00:57:23,840
practice. And yes, but if someone tried
to gain access to that software,
601
00:57:23,840 --> 00:57:28,945
that's quite simple, because they could
just restore the deleted data from one of
602
00:57:28,945 --> 00:57:33,268
the computers that are in the schools.
Perhaps someone doesn't even delete the
603
00:57:33,268 --> 00:57:38,382
election software from their computers in
your school, or someone could just
604
00:57:38,382 --> 00:57:43,292
steal one of the USB sticks that have
been used for installation. So, I don't
605
00:57:43,292 --> 00:57:53,591
even think that would be noticed then.
M: Interesting indeed. You mentioned in
606
00:57:53,591 --> 00:57:58,920
your talk that the software is certified
by the BSI, and that they claim to be
607
00:57:58,920 --> 00:58:02,673
certified by the Open Web Application
Security Project, but how could such a
608
00:58:02,673 --> 00:58:07,901
broken system be certified by both
parties in the first place? And what's
609
00:58:07,901 --> 00:58:12,119
wrong with the certification process? Yes,
this obviously happened. I mean, like, why
610
00:58:12,119 --> 00:58:19,219
not use a certified one? Why do we
certify in the first place, if it gets
611
00:58:19,219 --> 00:58:24,377
certified, even if it's broken?
T: I think the first point about this is,
612
00:58:24,377 --> 00:58:28,158
as we already mentioned in the talk,
that there are no legal requirements. You
613
00:58:28,158 --> 00:58:32,700
don't need any certification that this
software can be used in our voting, in our
614
00:58:32,700 --> 00:58:38,233
elections here in Germany or in most parts
of Germany. And additionally, this
615
00:58:38,233 --> 00:58:46,323
screenshot we showed with OWASP and the BSI
was just the promotion of the AKDB for
616
00:58:46,323 --> 00:58:52,179
their software, but I think there was no
real certification attached. So, we don't
617
00:58:52,179 --> 00:58:57,930
know if the BSI ever saw this software for
real or if they just put it on there and said,
618
00:58:57,930 --> 00:59:02,728
yeah, BSI certified, or with
the BSI standards in mind, like they
619
00:59:02,728 --> 00:59:07,234
already have the IT-Grundschutz
and they maybe tried to implement after
620
00:59:07,234 --> 00:59:15,093
this system architecture. But the BSI
never checked on it. So, I don't think
621
00:59:15,093 --> 00:59:18,818
there's any real certification for the
software.
622
00:59:18,818 --> 00:59:23,035
J: So, just to add a few details here,
that's not really a certification;
623
00:59:23,035 --> 00:59:28,555
they just said that they follow the BSI
and OWASP guidelines. I think that was
624
00:59:28,555 --> 00:59:32,653
also the wording that was used on the
website. So, there's no real certification
625
00:59:32,653 --> 00:59:39,494
behind that, so far.
M: Thank you for the answer. Do you know
626
00:59:39,494 --> 00:59:46,197
by chance, how the municipalities
published the election results?
627
00:59:46,197 --> 00:59:53,581
J: Well, I don't know in detail how it
works. So, when we handed in our election
628
00:59:53,581 --> 00:59:59,802
results, they got uploaded onto some other
software. And that's also the end that
629
00:59:59,802 --> 01:00:05,692
I've seen. So they end up in the computer
system and are electronically
630
01:00:05,692 --> 01:00:10,348
transmitted. And that, first of all,
generates a preliminary file. And finally,
631
01:00:10,348 --> 01:00:15,767
there's a final result generated by it.
However, I don't really know how this
632
01:00:15,767 --> 01:00:20,243
works, but the election results that were
generated with OK.VOTE are definitely
633
01:00:20,243 --> 01:00:28,562
going into the final result. So, perhaps
there's also some paper-based protocol
634
01:00:28,562 --> 01:00:33,330
between them. I don't really know if
they're using the data that's in the
635
01:00:33,330 --> 01:00:38,126
computer or the data that is on the paper.
But, however, it doesn't change very much
636
01:00:38,126 --> 01:00:46,112
here.
M: OK. Coming over here a bit, the
637
01:00:46,112 --> 01:00:50,830
last question would be: in your
experience, how practical and expensive
638
01:00:50,830 --> 01:00:55,964
are hand recounts here and did you observe
these?
639
01:00:55,964 --> 01:01:01,039
T: I think this is very different from
election to election and from city to
640
01:01:01,039 --> 01:01:07,167
city. If this is a rather small town, you
could probably easily reelect all this or
641
01:01:07,167 --> 01:01:13,473
all the votes and recount the votes. But,
if this is a big city like Munich, for
642
01:01:13,473 --> 01:01:20,911
example, with millions of votes, and you
would have to recount this, this would
643
01:01:20,911 --> 01:01:26,076
particularly delay the voting or the
results pretty much. And this could have
644
01:01:26,076 --> 01:01:31,071
really bad influences if this would
happen: that software has shown that kind
645
01:01:31,071 --> 01:01:36,890
of manipulation has happened and they had
to recount all the stuff by hand again.
646
01:01:36,890 --> 01:01:42,242
J: So, counting this by hand is, indeed,
very, very effortful, because they have
647
01:01:42,242 --> 01:01:48,703
like 70 votes per ballot. And even summing
up all that is still error-prone if it's
648
01:01:48,703 --> 01:01:54,660
done by hand. So, it's difficult to do
that. And up to my knowledge, it's not
649
01:01:54,660 --> 01:02:00,854
generally recounted after the election.
So, I tried to find something on the
650
01:02:00,854 --> 01:02:07,384
Internet regarding that. And I just found
some PDF that said, well, it's not
651
01:02:07,384 --> 01:02:15,467
feasible to recount all the election
results and all the ballots. So, they
652
01:02:15,467 --> 01:02:21,781
rather just do a meta-level check on: is
the protocol complete? How about the
653
01:02:21,781 --> 01:02:26,894
special ballots that were not really
clear, and so on? But it's not like every
654
01:02:26,894 --> 01:02:31,733
ballot will be recounted, as far as I
understand.
655
01:02:31,733 --> 01:02:37,880
M: OK. Oh, thank you very much Tobias and
Johannes for answering all the questions.
656
01:02:37,880 --> 01:02:41,683
Thank you again for your talk.
J: Thank you.
657
01:02:41,683 --> 01:02:42,403
M: Thank you.
658
01:02:42,403 --> 01:03:10,210
rC3 postroll music
659
01:03:10,210 --> 01:03:22,140
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!