[rC3 preroll music]
Herald: Now, our next talk is Hacking German Elections: insecure electronic vote counting, how it returned and why you don't even know about it. For the Germans listening here, did you notice that in Germany, voting became more electronic recently? In case you're outside of Germany: I do live in Germany and I did not notice that myself. However, both of our speakers volunteered as election workers in Germany and research the topic of security for elections. And they promised to tell us how this can be, and how elections can be made more secure again. Our speakers are Tobias, he is an IT-security researcher focusing on offensive security, automotive security and capture-the-flag challenges, and Johannes. He's a post-doctoral IT-security researcher, and both work together at the Fraunhofer AISEC Institute. Enjoy the talk.
[Silence]
Johannes: Hello and welcome to our presentation on Hacking German Elections: insecure electronic vote counting, how it returned and why you don't even know about it. My name is Johannes Obermaier
Tobias: and I am Tobias Madl. We are both very much involved in elections in Bavaria, because we are election workers and offer support here in Germany.
J: And we are offensive IT-security researchers.
T: First of all, we want to talk about the scope we are presenting today. We got our information and the software from the municipal elections in Bavaria, which happened in early 2020. And it was a computer-based vote counting technology. So we were very concerned when we interacted with it. And in the end, we faced the question: are elections still secure? Next, I present the outline of what we are talking about today. First of all, we are looking at the electronic vote counting system. Next, we identified some conceptual and practical issues with this technology. Afterwards, we also inspected the software and found some insecurities. And in the end, we have a summary and conclude our presentation.
J: To understand why we need electronic vote counting, let's just have a look at the voting ballot. This voting ballot, in its paper form, is about one meter wide and 50 centimeters high. So, that's quite a large ballot, and that's a lot of candidates. Let's just sum up the facts. We have a total of 599 candidates that are spread out over nine parties. Each citizen is allowed to cast up to 70 votes in this election. So, that sounds simple, but it gets even more complicated now, because you can cast up to three votes per candidate and you can even choose multiple candidates of different parties, up to your 70 votes. And even if you decide to vote for a single party, you can still strike out candidates that you personally don't like, so they don't get any votes from your ballot. That means this voting system gives a lot of power to the citizens, and voting is fun. However, counting those ballots is very difficult, because you need to know a lot of special rules in this voting system to really count each ballot correctly. That's the reason that a software such as OK.VOTE has been developed. OK.VOTE is a typical software for elections that's also used in the polling stations for vote counting. So, OK.VOTE has quite a large market share. They say they have about 75% in Germany. So that software is used in several states. OK.VOTE has several different modules, for organizing elections, for example. But what we now have a look at in this talk is only the vote counting module of OK.VOTE, where the election workers insert each paper ballot and manually type in all the votes on each ballot, and then they are stored in the computer system. So, the task of OK.VOTE is to process each ballot, to count the votes, to find out if the ballot is correct; then it stores all the ballots in its database and finally it does some magic and computes the final result. So, this sounds quite similar to what a voting machine does. But wait a moment.
Voting machines, in my Germany?
T: Wait, that's illegal.
J: Is it really illegal? Let's have a look at the legal regulations about it. So, yes, in 2009, there was an important decision by the German Federal Constitutional Court, and they said that the use of voting computers in the 2005 Bundestag election was unconstitutional, because, for example, the voting computers were not transparent enough. So, that is very similar to what we have also found for the municipal elections. But wait, there we are talking about the Bundestag election. This is the municipal election, and we have different rules for the municipal elections. For example, there is the GLKrWO, that's the Gemeinde- und Landkreiswahlordnung Bayern, which basically translates to the Bavarian municipal election rules. And those rules say that we are indeed not allowed to use a computer for voting, but computers can be used for vote counting. So, in this situation, I would expect that we have some sort of security requirements in those regulations. I tried to find them. And I was really surprised. There are exactly zero.
T: So, if there are no legal requirements, are there at least any software-side requirements or certifications for OK.VOTE which promise some security?
J: Yes, there are. So, I had a look at the website and I saw this nice little paragraph here. And it says: Elections with security. During the development of OK.VOTE, they put the highest emphasis on the topic of security. They follow the BSI and OWASP recommendations on security, and they have a certified data center with very high security standards.
T: And what does this look like in practice?
J: Oh, I'd rather not show you this here. It's really scary. This is what I saw when I walked into the election room. This is not a stock photo. I took this photo myself and this is the reality.
So, I walked up to the guys and said, well, shall we really use these computers to count out the election? And they said, yes, those are the computers that are available here. So, I prayed to God that for some reason it does not work out. And Windows XP did not disappoint me, because when I tried to start the software, it failed, because those are 32-bit systems and OK.VOTE needs 64 bit. So, yeah, that was great. So, we did not use that Windows XP machine. Instead we had to search for another machine and came across this one here. That's a Windows 10 machine. That's fine. However, it has an outdated virus scanner. So, well, it's better than nothing. So, this machine was used instead. But let's just keep in mind what they are promising us: election security. We really doubt that. Let's now look at the IT environment and why it came to that situation. So, first of all, this is not fully the fault of OK.VOTE, because it's the task of the local administration to provide hardware for vote counting, and AKDB, the vendor of OK.VOTE, says that they recommend using secure administration computers. That's fine so far, but we simply don't have enough secure administration computers for that purpose. So, for example, in the town where I'm from, we needed around 8 computers to count out this election and we simply did not have enough in the town hall. And what's even more, the election room was in a school, and there are already school PCs available there. So, they were just using the school PCs. And those were even elementary school computers. So, I'm not really sure if all the pupils know which link they are allowed to click on and which one they should rather not click on. So, these systems might be insecure, there might be malware on them, and it's even possible that someone had manipulated them in advance; we cannot really exclude that. However, I don't want to blame the administration here, because they did a great job in organizing this election.
It's really a lot to do for them and they did really well. So, everything worked out well in the end. However, they are no IT-security specialists and we cannot demand from them that they know each detail of how to set up a system correctly and what the risks are that are associated with insecure computer systems in elections. That's just not their job. However, we still ended up with untrustworthy systems here, because, as we have seen before, there are no legal regulations against it. Now, let's see how we create a digital result.
T: Exactly. So, we went to our voting places. Each one of us was presented with a PC, and we got the ballot stack we had to count and then enter the results. So, Johannes is Team 2 and I was Team 1, and we started entering the ballots into the PC. And from this on, they were digitized, Team 1 in green and Team 2 in blue.
J: As soon as I was finished entering my ballots, I put them on a USB drive and handed them over to Team 1.
T: Exactly. I imported these votes, because I was the master machine at this time, and the OK.VOTE software then finalised these election results and finally exported them again onto a USB stick. And these were then delivered on for further processing.
J: What is the problem with all that? First of all, there's a lot of intransparency. So, for example, the software that is being used for vote counting, OK.VOTE, is not open source software. It's closed source and nobody was able to analyze this yet. And since this is closed source software, it is also very hard to understand how the software works and if it really counts correctly, because in the end we have hundreds of ballots there and it's really difficult to tell if they have indeed been counted correctly. And although we have seen this before: there is no basis for secure vote counting if we have a possibly rigged computer system. So, we cannot exclude that someone has manipulated them pre-election.
So, if there is some manipulation, this would hardly be detectable by a standard election worker. So, this means that the entire election process becomes very intransparent and hard to understand for a person who just wants to observe the election. That is strictly against the idea of a public counting of votes.
T: So, now let's talk about the step that happens after we finish counting in each of the teams.
J: So, what do you do after you have exported the final election results? How do they get to the central administration?
T: Yeah, I just got into my vehicle, took the USB sticks in my pocket and drove to the master PC. But, as you maybe know, election day is always a very busy day, and some teams are slower at counting, some teams are faster. So, the master team doesn't know when these USB sticks arrive. Whether they take two or three hours or half an hour, they don't really know. So, I could just go and grab something to eat on my way. Or I can manipulate the votes. I mean, deliver the votes. And yeah, in the end, when I arrive at the master PC, I just give them my USB stick, they enter it and they take the data that is stored on there and nothing else. And afterwards, they just upload the final results to the page.
J: Now you might think, why is it possible for him to manipulate election results? Because there's no authenticity. There's only integrity protection of the file that he is transporting. So some CRC32 and a SHA hash, but nothing like a cryptographic signature. So, even if he alters the data, he can just regenerate all the integrity protection data and the data will just be accepted. So, the main issue here is also that this is one of the few spots where only a single person has unsupervised access to the data at all, during transport of the voting data. And that makes manipulations possible and easily feasible in this case. And that should not be the case, especially in an electronically supported election.
Now, let's have a look at the vote counting software itself, because there we found even more interesting results.
T: Exactly. Let's begin with the system architecture. First of all, this is the local or decentralized version of the software system. So all this is taking place on the local host, on the machines we encountered in the lecture rooms, and on these machines there was an Apache Tomcat web server running, which was connected to a MariaDB, and the user was interacting with the voting system via a portable Firefox. And as AKDB said before, they were very concerned with security. So, let's think about which attackers they had in mind when they designed the system and from whom the system is supposed to protect. Is it the user that maybe attacks the system, the vote counting system, which is normally just election workers that are there in their free time to help execute the election, or do they have network attackers in mind that come from completely different places and try to manipulate the network from outside? First of all, we took the user as one of the possible attackers. And even in this environment, we found some really broken stuff. First of all, broken access control. But what is it all about? Well, that's the login page when we just logged into our voting system and clicked on the administration page, where we can change our password and edit our profile. These are the buttons on the left. And as you can see, we are clearly logged in as the user42. And there is nothing more to do than select which counting part we want to do, the general regional vote or the municipal votes. And that's all we can do on this page. Now let's switch to the system administrator. There we have the admin account, as you can see on the upper left side, where we can now do very much more than the normal user. We are again on the administration page, but now we have the user administration, where we can create or delete users.
We have the reopen or close voting mechanisms. We have imports, we have exports and also, not included in the screenshots, submenus like deleting finalized results and so on. So, we picked out two very interesting URLs for you. First of all, we take "Bezirk wieder eröffnen", which just translates to reopening the election after the election has been closed normally. It's normally finalized, so no more votes can be entered into the system. And the other link is "Löschen". That translates to delete data, which in the end deletes all the data from the machine, so no more private or secure data is stored on there. And this is what they look like when we just open them: on the left side, we see the reopen dialog; on the right side, we see the data delete. But wait, this is not the admin view, this is the user view. So, they did not check if this user is even allowed. And we also have to say that this is not just a view of it; it is fully working and completely functional when you just go through the process of deleting or reopening an election.
[Alarm sound]
J: What's the problem with that?
T: Yeah, as you may already have guessed, reopening elections could create the possibility of sneaking in some additional votes for the candidate I favor, and additionally, if I want to mess with all of the voting, I could just delete all the election data and we would have to start from the beginning and completely delay or deny the voting.
J: But why is this even possible?
T: Yeah, we found out that this is their access control check in their software. This function is called getZugriffRollen, which translates to "get access roles". So normally there would also be code in place to check if this role is allowed to access this kind of site. But they just return null and did not implement it. And that's also nice work to implement access control. However, I think we can propose some mechanisms that could have prevented this.
First of all, hidden information is nothing you can rely on. If you just don't show where you can click to get to this URL or to this page, that's not really secret, because maybe you find some leaked source code, or you shoulder-surf an admin, or you just by accident type in the wrong URL and get to this hidden information. Or you use software scanners to find something hidden. So hidden data is just not secure. And on the other hand, you should finalize your implementation of access control to actually have access control, and even test it once to be sure that it works. So in the end we can conclude that hidden data is not protected data.
T: Let's now come to another type of attack: cross-site attacks. A cross-site attack is some sort of interference between two websites, where one website, for example, tries to do something on behalf of the other. The goal is often to deceive the user or to trigger manipulations. First of all, we were quite sure that they had thought of cross-site attacks, because during our testing, we saw that they included some HTTP headers that target a wide range of attack vectors that use cross-site scripting attacks. For example, here we have X-Frame-Options: SAMEORIGIN. That means that other pages cannot include the voting software in their own frames, and so on. And also cross-site scripting protection is enabled via X-XSS-Protection. So this looks quite good, because this already excludes several attack vectors. But how about cross-site request forgery? When we first tested this, we found out that the vote counting system is not fully protected against it. What is cross-site request forgery? So in the first step, the election worker uses the integrated Firefox browser to access a malicious website. So the user is triggered to visit this website. For example, someone sent him a link and triggered him to click on the link by the promise, for example, of a cute animal picture or something like that.
And then the user visits this website. And this website contains form fields that resemble the form fields of the actual vote counting software. And the malicious website now triggers your browser to submit this form data, not to the original website, but rather to the vote counting software. And as soon as it reaches the Tomcat web server, the web server is confused, because the web server cannot discern the input from the cross-site attack from the malicious website from original user input. And then the Apache Tomcat server just thinks that this is original user input and will process it. And that's called a cross-site request forgery attack. So we saw that there is sometimes a protection against this sort of attack. But many pages are not protected against it. And that is very concerning, because that's a 2001 vulnerability. It's almost 20 years old now and it's still present in such software. So this is quite unsettling here. Now, let's sum this up: what we can do with it. So, first of all, the issue is that they have missing CSRF tokens or any other good countermeasure against cross-site request forgery attacks. And the second point here is that only minimal user interaction is required. The user often doesn't even see that a cross-site request forgery attack is currently being executed on his behalf. So it's almost undetectable by the user. And it's very simple to trick a user into clicking a link. So the impact is very devastating, because we can now manipulate settings in the vote counting software. And we can even insert fake ballots here.
[Alarm sound]
T: So what's the result of this? What can we do with it?
J: Well, we can manipulate the entire election with this. Let's just do a demo of how we do this.
T: Nice.
J: We are already logged into the vote counting system. Our username is admin321934. Now let's count some votes. As we can see here, these are all the ballots that we can enter. They are still empty, since we haven't entered any ballots yet.
So let's start. For simplicity, we just have two parties here. On the left-hand side we have the good party, who wants the best for the people. On the right-hand side we have the bad party, who wants to take power and is willing to even commit election fraud. Let us begin and enter the first paper ballot. The person has voted for the good party. So we enter this into the software. Now we save the ballot and go to the next one. Again, it's a vote for the good party. Let's enter it and save it and go to the third ballot. And again, it's for the good party. Let's save our third ballot. Now we go to the ballot overview and look at what has happened. As you can see, we now have three ballots that have successfully been entered. Next, let's check the preliminary election results. As we can see here, we have a total of three ballots that have been entered into the system. That's correct. Three ballots contained votes for the good party. That's also correct. And zero votes have been given to the bad party. That's fine so far. Next, I will show you what happens if I open a malicious website. This website will execute a CSRF attack and manipulate the election results. Let's just assume we want to take a break and simply browse Twitter. OK, here we are. There's a cute cat picture and there's a link to even more of them. Let's just play along and get tricked into clicking that link. Oh, look at all those cute animal pictures: look, a hungry rabbit, a monkey, a little hedgehog and two cute goats and so on. And when we are done browsing, we close those tabs again and return to our vote counting software. What we notice now is that our username has been altered and we just got pwned. We were tricked into visiting this malicious website. The website executed a CSRF attack on the vote counting software and did some manipulations. Let's see what else has changed. All three ballots are still there, but now let's take a look at the preliminary election results.
What you can see here is that the number of ballots that are in the system has increased to eight. We now have five additional ballots that were not entered by us. As you can see, the good party still has three votes. That is what we have entered. But now the bad party has taken the lead. They have five votes now. This attack has indeed manipulated the election results. This is really bad, because we cannot even see those additional fake ballots that have been injected. However, we are lucky, because we noticed it, since we expected this attack. But we won't notice it in every case.
T: But what happens if we don't notice?
J: Well, this happens. So, for this example, we just assume that team 1 had three ballots that they have entered into the computer system and team 2 has six ballots that have been entered into the computer system. Now team 1 visits a malicious website and five fake ballots are injected into the election results. In this case, the attacker is very smart and injects the ballots at the location where the team 2 ballots will be expected in the future. So what happens now is: team 2 exports their ballots and team 1 tries to import the ballots of team 2. And now the following thing happens: because there are already ballots present at the location where the team 2 ballots should go, the import process is not fully successful and only a subset of the ballots is imported, so that the majority of the ballots, in this case five of six ballots, are just discarded, because they don't fit in the database anymore, because that location is already taken by the fake ballots. So usually we would expect that this generates an error message or at least a warning. But this does not happen. This is a silent failure of the software. And what's even worse is that now the sums finally are correct. So that means we now have nine ballots present in the system and nine paper ballots that were initially available.
So this looks like we have entered all the ballots and everything seems to be fine. So we will now close the election and generate the final result. And this is what happens now. As you can see, we have only four votes for the good party, but five votes for the bad party. So the bad party has won the election by manipulating the voting system using this CSRF attack. And that should never be possible, because this is not what we expect from voting software. And in this case, the result is rigged. So, have we thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other side of the coin. First, we checked the election worker side for attacks, but now we checked the network side, and first scanned and analyzed the system. And then it looked like this: open ports everywhere. And as you can see, they fully exposed the Apache Tomcat and the MariaDB to each available network on the system. And with this, we thought, well, let's maybe try some newly discovered vulnerability, which was recently found in 2020, called Ghostcat. And Ghostcat is an attack against the AJP protocol from Apache. But let's check the Apache system and how it's built. First, Apache has a web root which serves static resources and HTML or JSP files. And additionally, it can include class files or servlets, which are combined with these JSPs or HTML files and then served to the user. So we prepared our ajpShooter with the URL of the application, the port and the file we want to read. In our case, it's a PrivateTest class file, because what could we leak with this? But we'll see. And then we said we only want to read it, because there would even be the possibility to evaluate it and execute the code in it. So we've done this attack and tada, we've got a result. This is the byte code of the PrivateTest class. So let's just drop this byte code into our cup of coffee and maybe we can pull out some source code from it. And yeah, that's what we've read out, because why not.
Just test your encryption mechanism with the string. But this is not a common string, as we later found out. This is the real root production password of the MariaDB. And this was like:
[Alarm sound]
So what's the problem? As you may clearly see, with this attack we could leak the login of the MariaDB and probably even more logins or passwords. And additionally, we could leak the whole source code over the network without ever accessing the PC in the election room. And this was only possible because they completely exposed all machines and applications to the network, and this should never be the case. So, in result: how can this be prevented? First, you should never expose these unneeded ports to the internet, because they don't even use the AJP proxy in their application, but just left it on the 0.0.0.0 interface. Next: you should keep your software up to date, so that if some vulnerabilities were found, you are not vulnerable to them. And last but not least: never use production passwords in your unit tests, because that's not the best idea. In the end, to sum it up: avoid at all costs any additional attack surface to prevent these kinds of attacks, even if you don't know about them yet.
J: So, after Tobi has shown us a lot of interesting and patchy stuff, I tested the database for its security. For the first analysis, I was just starting with the same PC on which the software was also installed, and I tried to gain access to the database. So it was coming from the host localhost. I tried to use the username root, and then I saw that I am asked for a password before I'm allowed to connect to the database. However, finding the password was quite trivial to do, because all the stuff I needed to know for that was included in that last file, and I was able to decrypt the password without any issue here. And at that moment I realized that also the password that Tobi has shown us before, that he found with the Ghostcat vulnerability, is indeed the MySQL root password here.
So after I had access to the MySQL system, I tried to dump the user table to look at which users are allowed to access the database. And that is how the user table looks. We have four times the user root, and the user root requires a password if I'm coming from localhost. But wait a moment. Here we also have the host pci90309. And as you can see here, there is no MySQL password statement. That means that someone coming from host pci90309 is allowed to connect as root and does not even need to provide any password for that. And that's really strange.
[Alarm sound]
T: So what could happen from this?
J: Well, now someone on the network can just launch vote manipulation. That's quite trivial, because as soon as I set my hostname to the correct hostname, I get full access to the database where all my local voting results are stored. And since I'm root, I can interfere with them. I can change them however I want to. And this vulnerability is so damn weird and trivial, it takes me no effort to do this at all. And so we won't even go into a demo here, because it's so stupidly simple in this case. Usually I would say that's enough for today, because we already have full access to the voting system and can change whatever we want to. However, this time we decided to go deeper, because we saw that pci90309 is a real door opener. So we have access to the voting results. We can change them, but we still don't have access to the entire voting system. So what about the PC? Might it be possible, with that root access to the database server, to gain remote code execution on that machine? So for this experiment, I used the following setup. On the right-hand side we have a voting system with the exposed MariaDB database server. On the left-hand side, that's my system. I named myself pci90309, just because I can do it, and I establish a connection to the MariaDB server. I use root as the username. I don't need any password. And it is immediately accepted.
So now that I am connected, I'm allowed to issue commands. For example, I can now instruct MariaDB to enable one of its plugins. This plugin is called ha_connect. It's one of the plugins that usually come directly with MariaDB. And this is a very powerful MySQL storage driver. So now I will show you what I can do with that storage driver. Next, I will create a table that's called pwn. And I'm using the ha_connect storage driver and instruct the storage driver to create a file that's called pwn.dll and to place it right into that plugin folder. There is nothing that stops me from doing so. So that is one of the special features of the ha_connect storage driver, that I can just say: this table is mapped to that file in the file system. However, this file is still empty, because the table is empty. But since this is a database, I can now just issue INSERT INTO statements and load whatever data I want to, for example some malicious DLL. I can just load it into the table via that INSERT INTO statement, and then it is directly written into our malicious DLL "pwn.dll". OK, so next, after I've finished writing, I will instruct MariaDB to enable this plugin that I have just uploaded. And enabling a plugin means that we are executing the code that is stored in this DLL file. So that means we have remote code execution.
[Alarm sound]
T: I don't even have to ask what you can do with remote code execution.
J: Well, I can do anything. So that means I have now gained full control over the entire vote counting system. So I'm not only talking about the data in the database, I'm talking about the entire computer, which I can now fully control and manipulate however I want to. And that's possible only by using the voting software and accessing it over the network interfaces that it had exposed. And now I'll show you how simple it is to execute an arbitrary program on the system.
T: This is the vote counting computer system. To begin, let's start the vote counting software.
Now, the Apache Tomcat web server and the MariaDB database server are being launched. Finally, Firefox Portable is started. The system is now ready for operation. But beware, the attacker becomes active. His hostname is the infamous pci90309. Immediately he launches the Python attack script "fun.py". It connects to the MariaDB server as root without a password and uploads a malicious DLL plugin. When the upload has finished, the malicious plugin is executed. As we can see, the calculator was started, thus remote code execution was successful. The vote counting computer system is now under the control of the attacker.
J: After we had found such devastating issues with the vote counting software, we immediately notified the vendor AKDB.
T: And they were very professional about it and responded very quickly to our initial emails. So we really liked working together with them and telling them our results, and they were always positive about it. They also recommended some fixes.
J: So, for example, they told us you should only use that voting software in a secure environment, like in an administrative network. However, we don't really believe that this is a good solution.
T: Exactly. And we are not very happy about this proposal, because there are two problems that still arise, even if it's in a secure environment. First of all, an administrative PC could still be infected with some malware, or it could be manipulated before the election takes place. And second, we have this bug with the broken access control, you remember. And even if you had been in the secure environment, this bug would have totally worked and you could have completely deleted all the data or reopened elections or something like this.
J: But we are still quite happy that they took us seriously, because they even have announced updates. So, for example, they wrote us that they are planning on adding XSRF tokens for the pages where we found cross-site vulnerabilities.
So that's already a good step in the right direction. Now let's summarize what we have presented today. First of all, we discovered several problematic aspects in the concept and its practical implementation. The entire voting system is running on untrustworthy computer systems. So they could have been manipulated beforehand, they could have malware on them, or they just could not function correctly. That's already very problematic from the beginning, because we have no underlying trust that we can put into those systems, and we are using them to count out our votes, to count out the entire election. What's even more is that even if the software and the PC that lies beneath it are secure, it still does not have enough transparency. It's very hard to understand what the software is exactly doing and how it is doing it. So I cannot really understand how it comes to its result. Please keep in mind that we have almost 600 candidates and several hundred ballots that all have to be input into that computer system, and then some magic happens and it spits out its result. Then we just have to take this result, because it's just impossible to check if really each vote has been counted correctly, or whether anything strange has happened or any manipulation took place. T: And this is also possible because we found lots of vulnerable software, and not just the system security was affected, but it was also absolutely possible to manipulate the whole election from very many parts in the network. And this leads us to conclude that these elections are at high risk with this technology. J: And that is the reason that we want you as an election worker. The more eyes are looking at the election, the more secure it becomes. If you are interested in becoming an election worker, just get into contact with the local administration. They are always very happy to have volunteers who want to take part as election workers.
And from my personal experience, I've been doing this for several years now. It's also a lot of fun. You get into contact with a lot of people. I enjoyed this a lot and I can just recommend it, and this is a good way how every one of us can support democracy in their country. T: So, to conclude our talk, we found out that security in this technology is really bad, and that's not all of it. J: This is just the tip of the iceberg, because we looked only at one of the solutions that is available for vote counting, and this was also in a special configuration. What is even more difficult to see is what happens behind all the stuff we have seen today, because when we export the data and bring it to the central administration and the data is imported and uploaded, where does all this data go, where are all the results from all the polling stations summarized? We don't know yet how this works. We don't have the software that we can analyze. So there's still a lot of work that has to be done here to really check the entire system. We just took a look at a very small portion, and that is just the vote counting software. T: Next, we were very shocked that this information, that vote counting has already shifted to software, is not publicly known. And this is also why we created this talk today, as this is information that is crucial for democracy: that this software is already in use and it is not really secure. So this was a big thing for us, to bring it out to the people. J: And one other thing is, everything that we have seen today is entirely legal, because at least in Bavaria we don't have any rules or any laws against the use of insecure computer systems or insecure vote counting software.
As we've seen in the beginning, we only have very rough legal guidelines that say, well, you can just use computers for vote counting. But we need stricter guidelines here, because it cannot continue as we've seen it today. In other states in Germany there is sometimes something like, let's say, guidelines or even a certification process for such digital software. But in most states that I had a look at, there are no rules at all, and that should not continue in the next years that way. T: Additionally, in the end, before any of this software to electronically count the votes goes live, unbiased tests should be available for everyone to prove to themselves that this software is secure and that it is doing what it promises us. Because it is directly influencing our democracy. And if this software is manipulated, it manipulates our voting, our election and our democracy. So in the end, we can just leave you with two questions. T: How much digital support is required? J: And how much is tolerable? No Audio Herald: Thank you very much for the interesting talk, Johannes and Tobias. And thank you very much for your work on the topic. I hope you have time for a little Q&A. We have quite a few questions, actually. J: Sure. M: All right. So the first question from the Internet is: is there any suspicion that these vulnerabilities have been actively used? J: Well, it's very hard to tell. At least for the town that I am from, I did not notice any special occurrences there. However, I don't have an overview of all of Bavaria, so that's quite hard to tell. I think it's even impossible to tell if there was any manipulation so far. So, unfortunately, we cannot say that. T: Additionally, we are just at one place in this whole system.
So we don't have an overview of whether there were any mismatching numbers or any other influences that happened but that we didn't see, because we were just at one position in the system, at one station of the election. M: OK, thank you for the answer. Do you believe that it is possible to have a digital ballot that is as secure and trustworthy as physical or paper based voting is? J: Well, in my opinion that's not possible, if you want to have the same sort of transparency that we have in the paper based voting system, because when we have paper based voting, we can just go into the voting room and watch what's going on there. We can see the ballots that are handed in, the ballots that come out of the box. Then they are counted and summed up. I can really try to find out what's going on there. I can have a look at that and understand what people are doing there. But the moment that we have only a digital vote, I cannot really find out if the computer is doing the right thing, if there were some manipulations. So in terms of transparency, I don't think it is possible in the same way as the paper based ballots, for example. T: I would have to add to this: if there were the possibility to get the same traceability and visibility, that you can always see which results came from which position, and if they are signed very transparently, then it may be possible at some point in the future, but not with any kind of the software we saw there. M: All right. Thank you. Do you, by any chance, know which states in Germany use this software OK.VOTE so far? T: We cannot directly say which states actively use it, because we only took part in elections here in Munich or Bavaria.
But we can tell that we found very many hints in the source code that they were also used in, for example, Hamburg, Bremen, Hessen or Rheinland-Pfalz. But we don't know if they were already used there, or if it's planned to be used there, or if they already used them in past elections and decided against them for future ones. We don't know about this exactly. M: OK, maybe we can stay for a second on your job as an election worker. The process of manually entering data into the system, is there a process for this? Do you have an idea of the risk of this part here? J: Yes. So it's basically the thing that there are at least two or three people sitting in front of each computer, and then they are entering each ballot. So people are really cross-checking that the ballot has been entered correctly. It's like one person has the ballot in front of him or her, the other person reads the votes and the other person types it in, and they are cross-checking each other, so that there isn't any error when typing those election results into the computer. M: All right. Thank you for the elaboration. Someone is asking how the system is connected to the Internet or some other network, if the understanding of the talk was correctly received by that person: the results are written to some physical medium, which is then used to transmit the results. So you send something physically. So why care for the Windows version or what is running on these machines? Is that a correct understanding? J: Well, the problem with that is that it depends on the local administration how they set up their computer systems. I also read this in the chat here. Someone has written that they had their voting software in, yeah, a very limited network connectivity. So the computer was not connected to the Internet. However, it depends very much on the administration and on the computer network that is being used there.
So it is entirely possible that computers are connected to the Internet, because there are no guidelines on how these computers are allowed to be set up. So I cannot fully exclude this. And if someone, for example, just enables the wireless network or connects to some unsecured hotspot, they are connected then. So it's hard to tell here, but I would not exclude this possibility. T: To extend this answer: we even tried to find out if there's any software-side protection that checks if any Internet connection is present and would then deny this voting system. But there wasn't, or at least we couldn't find one. So even if the administration was not advised that these PCs should be disconnected from the network, there isn't even a security mechanism in place that would check this and stop it, or even show a warning that this is connected and should be disconnected from the Internet before the counting can begin. M: Interesting. All right. We have one message on the IRC from someone who worked with this particular piece of software in demo mode by themselves, obviously. And the question they have is: Did you notice the possibility to enter negative votes for a candidate? So saying minus two votes, for instance. J: Well, that's difficult to tell. I thought about whether this is possible, so perhaps you might have to manipulate the database directly. I'm not entirely sure. I'm not sure if I tried this one out. But however, as soon as I have database access, it's entirely possible to manipulate anything. Well, we could try this out again. However, I don't think that changes much in our result. So yeah, that's an interesting question that I cannot answer right now, so I'm not sure. Tobi, have you tried out something like that? T: We've tried manipulating some already submitted votes, but I think this was not really possible.
However, as you showed, when you export the data and import it into the main PC, the votes that were already in place, possibly by an attacker, would then discard the newly imported votes. So this would probably replace this data and these votes, but via the web interface I think it was not possible. However, we found enough vulnerabilities with database access that you could do it that way, if you wanted to. M: All right. Thank you for your explanation. Out of pure curiosity, people ask: how did you get access to the software in the first place, to start your analysis? J: Well, that's a good question here, because there's a nice story behind that. I was an election worker and I was supporting setting up a system and doing some IT support in the evening. At some point we tried to merge our results, so we exported the results from one computer to move them to the other one. However, the import failed, because there is some artificial limitation in the software: as soon as your export files are larger than 10 megabytes, they cannot be imported anymore. This happens quite quickly when you have a few hundred votes, a few hundred ballots, and then the import doesn't work anymore. And I had a look at this file, and it was just a JSON file with a lot of whitespace. So I copied all this stuff to my computer to fix this. There was also, later on, a software fix that was published by the software vendor. However, then I had the software on my computer, just because I wanted to fix this election. It was very late at night, and I returned home and I noticed, oh, I still have that software on my computer. Let's have a look at this. So yeah, it was just by chance. I tried to fix something, got all the software on my PC, and then I had it ready to analyze, even with some data on it, so that I really knew how this works in practice.
And yes, but if someone would try to gain access to that software, that's quite simple, because they could just restore the deleted data from one of the computers that are in the schools. Perhaps someone doesn't even delete the election software from their computers in your school, or some person could just steal one of the USB sticks that have been used for installation. So I don't even think that would be noticed then. M: Interesting, indeed. You mentioned in your talk that the software is certified by the BSI, that they claim to be certified by the Open Web Application Security Project, but how could such a broken system be certified by both parties in the first place? And what's wrong with the certification process? Yes, this obviously happened. I mean, like, why not use a certified... What do we do certification for in the first place, if it gets certified even if it's broken? T: I think the first point about this is, as we already mentioned in the talk, that there are no legal requirements. You don't need any certification so that this software can be used in our voting, in our elections here in Germany, or in most parts of Germany. Additionally, the screenshot we showed with OWASP and the BSI was just the promotion of the AKDB for their software, but I think there was no real certification attached. So we don't know if the BSI ever saw this software for real, or if they just put it on there and said, yeah, BSI certified, or with the BSI standards in mind, like they already have the IT-Grundschutz and they maybe tried to implement after this system architecture, but the BSI never checked on it. So I don't think there's any real certification for the software. J: Just to add a few details here: that's not really a certification, they just said that they follow the BSI and OWASP guidelines. I think that was also the wording that was used on the website. So there's no real certification behind that, so far.
M: Thank you for the answer. Do you know, by chance, how the municipalities publish the election results? J: Well, I don't know in detail how it works. When we handed in our election results, they got uploaded onto some other software, and that's also the end that I've seen. So they end up in the computer system and they are electronically transmitted. First of all, it generates a preliminary file, and finally a final result is generated by it. However, I don't really know how this works, but the election results that were generated with OK.VOTE are definitely going into the final result. Perhaps there's also some paper based protocol in between. I don't really know if they're using the data that's in the computer or the data that is on the paper. But however, it doesn't change very much here. M: OK. Coming over here a bit, the last question would be: in your experience, how practical and expensive are hand recounts here, and did you observe these? T: I think this is very different from election to election and from city to city. If this is a rather small town, you could probably easily recollect all this, or all the votes, and recount the votes. But if this is a big city like Munich, for example, with millions of votes, and you would have to recount this, this would particularly delay the voting or the results pretty much. And this could have really bad influences if this would happen, if the software has shown that kind of manipulation has happened and they had to recount all the stuff by hand again. J: So, counting this by hand is indeed very, very effortful, because they have like 70 votes per ballot. And even summing up all that is still error prone if it's done by hand. So it's difficult to do that. And to my knowledge, it's not generally recounted after the election. I tried to find something on the Internet regarding that.
And I just found some PDF that said, well, it's not feasible to recount all the election results and all the ballots. So they rather do a meta-level check: is the protocol complete? How about the special ballots that were not really clear, and so on? But it's not like every ballot will be recounted, as far as I understand. M: OK. Thank you very much, Tobias and Johannes, for answering all the questions. Thank you again for your talk. J: Thank you. M: Thank you. rC3 postroll music Subtitles created by c3subtitles.de in the year 2020. Join, and help us!