WEBVTT
00:00:00.000 --> 00:00:12.256
rC3 preroll music
00:00:12.256 --> 00:00:18.400
Herald: Now, our next talk is Hacking
German elections, insecure electronic
00:00:18.400 --> 00:00:23.600
vote counting, how it
returned and why you don't even know about
00:00:23.600 --> 00:00:32.330
it. For the Germans listening here, did
you notice that in Germany, voting became
00:00:32.330 --> 00:00:37.647
more electronic recently? In case you're
outside of Germany: I do live in Germany and I
00:00:37.647 --> 00:00:43.200
did not notice that myself. However, both
of our speakers volunteered as election
00:00:43.200 --> 00:00:50.080
workers in Germany and do research on the
topic of security for elections. And they
00:00:50.080 --> 00:00:56.630
promised to tell us how this can be, how
elections can be made more secure again.
00:00:56.630 --> 00:01:01.680
Our speakers are Tobias, he is an IT-
Security researcher focusing on offensive
00:01:01.680 --> 00:01:07.120
security, automotive security and capture
the flag challenges. And Johannes. He's a
00:01:07.120 --> 00:01:11.960
post-doctoral IT-Security researcher and
both work together at the
00:01:11.960 --> 00:01:18.528
Fraunhofer AISEC Institute.
Enjoy the talk.
00:01:18.528 --> 00:01:24.722
Silence
00:01:24.722 --> 00:01:29.450
Johannes: Hello and welcome to our
presentation on Hacking German Elections.
00:01:29.450 --> 00:01:33.840
Insecure electronic vote counting, how it
returned and why you don't even know about
00:01:33.840 --> 00:01:39.840
it. My name is Johannes Obermaier
Tobias: and I am Tobias Madl. We are both
00:01:39.840 --> 00:01:44.720
very much involved in elections in Bavaria
because we're election workers and offer
00:01:44.720 --> 00:01:49.200
support here in Germany.
J: And we are offensive IT-Security
00:01:49.200 --> 00:01:52.778
researchers.
T: First of all, we want to talk about the
00:01:52.778 --> 00:01:59.554
scope we are presenting today. We got our
information and the software we show today
00:01:59.554 --> 00:02:06.048
from the municipal elections in Bavaria
held in early 2020. And it was a
00:02:06.048 --> 00:02:12.237
computer based vote counting technology.
So we were very concerned, when we
00:02:12.237 --> 00:02:16.620
interacted with it. And in the end, we
faced the question: are elections
00:02:16.620 --> 00:02:24.025
still secure? Next, I present the
outline of what we are talking about today, and
00:02:24.025 --> 00:02:28.862
first of all, we are looking at the
electronic vote counting system. And next,
00:02:28.862 --> 00:02:34.425
we identified some conceptual and
practical issues with this technology.
00:02:34.735 --> 00:02:40.626
Afterwards, we also inspected the software
and found some insecurities. And in the
00:02:40.626 --> 00:02:46.727
end, we have a summary and conclude our
presentation.
00:02:46.727 --> 00:02:52.060
J: To understand why we need electronic
vote counting, let's just have a look at
00:02:52.060 --> 00:02:57.766
the voting ballot. This voting ballot is
in its paper form about one meter wide and
00:02:57.766 --> 00:03:03.466
50 centimeters high. So, that's quite a
large ballot, that's a lot of candidates.
00:03:03.466 --> 00:03:11.091
Let's just sum up the facts. So, we have a
total of 599 candidates that are spread
00:03:11.091 --> 00:03:17.287
out over nine parties. Each citizen is
allowed to cast up to 70 votes in this
00:03:17.287 --> 00:03:23.150
election. So, that sounds simple, but it
gets even more complicated now, because
00:03:23.150 --> 00:03:28.616
you can cast up to three votes per
candidate and you can even choose multiple
00:03:28.616 --> 00:03:35.572
candidates of different parties up to your
70 votes. And even if you decide yourself
00:03:35.572 --> 00:03:40.771
to vote for a single party, you can still
strike out candidates that you personally
00:03:40.771 --> 00:03:46.142
don't like. And so they don't get any
votes from your ballot. That means, this
00:03:46.142 --> 00:03:51.984
voting system gives a lot of power to the
citizens and voting is fun.
00:03:51.984 --> 00:03:57.902
However, counting out those ballots is very
difficult because you need to know a lot
00:03:57.902 --> 00:04:03.986
of special rules in this voting system to
really count each ballot correctly. That's
00:04:03.986 --> 00:04:09.320
the reason that a software such as OK.VOTE
has been developed. OK.VOTE is a typical
00:04:09.320 --> 00:04:15.154
software for elections that's also used in
the polling stations for vote counting.
00:04:15.154 --> 00:04:20.478
So, OK.VOTE has a quite large market
share. They say they have a like 75% in
00:04:20.478 --> 00:04:26.112
Germany. So that software is used in
several states. OK.VOTE has several
00:04:26.112 --> 00:04:32.114
different modules for organizing
elections, for example. But what we now
00:04:32.114 --> 00:04:40.082
have a look at in this talk is only the
vote counting module of OK.VOTE, where the
00:04:40.082 --> 00:04:47.328
election workers insert each paper ballot
and manually type in all the votes on
00:04:47.328 --> 00:04:52.928
each ballot and then they are stored in
the computer system. So, and the task of
00:04:52.928 --> 00:04:58.734
OK.VOTE is to process each ballot to count
the votes, to find out if the ballot is
00:04:58.734 --> 00:05:03.708
correct, then it stores all the ballots
into its database and finally it does some
00:05:03.708 --> 00:05:10.065
magic and computes the final result. So,
this sounds quite similar to what a voting
00:05:10.065 --> 00:05:17.592
machine does. But wait a moment. Voting
machines, in my Germany?
00:05:17.592 --> 00:05:22.585
T: Wait, that's illegal.
J: Is it really illegal? Let's have a look
00:05:22.585 --> 00:05:29.618
at the legal regulations about it. So,
yes, in 2009, there was an important
00:05:29.618 --> 00:05:35.258
decision by the German federal
constitutional court and they said, that
00:05:35.258 --> 00:05:40.474
the use of voting computers in the 2005
Bundestag election was unconstitutional.
00:05:40.474 --> 00:05:48.755
Because, for example, the voting computers were
not transparent enough. So, that is very
00:05:48.755 --> 00:05:54.393
similar to that what we have also found
for the municipal elections. But wait, we
00:05:54.393 --> 00:05:58.564
are here talking about the Bundestag
election. But this is the municipal
00:05:58.564 --> 00:06:03.430
election and we have different rules for
the municipal elections. For example,
00:06:03.430 --> 00:06:10.374
there is the GLKrWO, that's the Gemeinde-
und Landkreiswahlordnung Bayern,
00:06:10.374 --> 00:06:16.605
which basically translates to the Bavarian
municipal election rules. And those rules
00:06:16.605 --> 00:06:23.009
say, that we are indeed not allowed to use
a computer for voting, but computers can
00:06:23.009 --> 00:06:29.417
be used for vote counting. So, and in this
situation, I would expect, that we have
00:06:29.417 --> 00:06:35.686
some sort of security requirements there
in those regulations. But I try to find
00:06:35.686 --> 00:06:40.713
them. And I was really surprised. There
are exactly zero.
00:06:40.713 --> 00:06:45.370
T: So, if there are no legal requirements,
are there at least any software side
00:06:45.370 --> 00:06:50.590
requirements or certifications for
OK.VOTE which promise some security?
00:06:50.590 --> 00:06:55.813
J: Yes, there are. So, I had a look at the
website and I saw this nice little
00:06:55.813 --> 00:07:03.127
paragraph here. And it says, Elections
with security and during the development
00:07:03.127 --> 00:07:10.540
of OK.VOTE, they put the highest emphasis
on the topic of security. They follow the BSI
00:07:10.540 --> 00:07:16.193
and OWASP recommendations on security, and
they have a certified data center with
00:07:16.193 --> 00:07:20.540
very high security standards
T: And how does this look like in
00:07:20.540 --> 00:07:23.507
practice?
J: Oh, I would rather not show you this
00:07:23.507 --> 00:07:29.597
here. It's really scary. This is what
I have seen here, when I walked in the
00:07:29.597 --> 00:07:33.909
election room. This is not a stock photo.
I took this photo myself and this is the
00:07:33.909 --> 00:07:40.187
reality. So, I walked up to the guys and
said, well, shall we really use these
00:07:40.187 --> 00:07:44.069
computers to count out the elections and
they said, yes, those are the computers
00:07:44.069 --> 00:07:50.037
that are available here. And I prayed to
God that for some reason it would not work
00:07:50.037 --> 00:07:55.102
out. And Windows XP did not disappoint me
because when I tried to start the
00:07:55.102 --> 00:08:02.812
software, it failed because those are 32
bit systems and OK.VOTE needs 64 bits. So,
00:08:02.812 --> 00:08:09.354
yeah, that was great. So, we did not use
that Windows XP machine. So, instead we
00:08:09.354 --> 00:08:14.331
had to search for another machine and came
across this one here. That's a Windows 10
00:08:14.331 --> 00:08:20.749
machine. That's fine. However, it has an
outdated virus scanner. So, well, it's
00:08:20.749 --> 00:08:26.916
better than nothing. So, this machine was
used instead then. So, but just let's keep
00:08:26.916 --> 00:08:34.246
in mind what they are promising us:
election security. We really doubt that.
00:08:34.726 --> 00:08:39.503
Let's now look at the IT environment and
why it came to that situation. So, first
00:08:39.503 --> 00:08:46.211
of all, this is not fully the fault of
OK.VOTE, because it's the task for the
00:08:46.211 --> 00:08:53.682
local administration to provide hardware
for vote counting, and AKDB, the vendor of
00:08:53.682 --> 00:08:59.771
OK.VOTE, says that they recommend using
secure administration computers. That's
00:08:59.771 --> 00:09:05.515
fine so far, but we simply don't have
enough secure administration computers for
00:09:05.515 --> 00:09:10.845
that purpose. So, for example, in the town
where I'm from, we needed around 8
00:09:10.845 --> 00:09:16.571
computers to count out this election and
we simply did not have enough in the town
00:09:16.571 --> 00:09:23.211
hall. And what's more, the election
room was in a school and there are
00:09:23.211 --> 00:09:27.923
already school PCs available there. So,
they were just using the school PCs. So,
00:09:27.923 --> 00:09:33.520
and those were even elementary school
computers. So, I'm not really sure about,
00:09:33.520 --> 00:09:38.466
if all the pupils know, which link they
are allowed to click and which one they
00:09:38.466 --> 00:09:43.991
should rather not click on. So, these
systems might be insecure, there might be
00:09:43.991 --> 00:09:49.038
malware within, and it is even possible
that someone manipulated them in
00:09:49.038 --> 00:09:55.854
advance. We cannot really exclude that.
However, I don't want to blame the
00:09:55.854 --> 00:10:00.058
administration here because they did a
great job in organizing this election.
00:10:00.058 --> 00:10:05.967
It's really a lot to do for them and they did
really well. So, everything worked out
00:10:05.967 --> 00:10:12.283
well at the end. However, they are no IT-
Security specialists and we cannot demand
00:10:12.283 --> 00:10:18.532
from them, that they know each detail on
how to set up a system correctly and what
00:10:18.532 --> 00:10:24.045
are the risks that are associated with
insecure computer systems in elections.
00:10:24.045 --> 00:10:29.890
That's just not their job. So, however, we
still ended up with untrustworthy systems
00:10:29.890 --> 00:10:36.069
here. Because, as we have seen before,
there are no legal regulations against it.
00:10:36.069 --> 00:10:40.108
Now, let's see how we create a digital
result.
00:10:40.108 --> 00:10:47.214
T: Exactly. So, we went to our voting
places. There, each one of us
00:10:47.214 --> 00:10:52.811
got a PC and we got the ballot stack we
had to count and then enter the results.
00:10:52.811 --> 00:10:59.468
So, Johannes was Team 2 and I was Team 1
and we started entering the ballots in the
00:10:59.468 --> 00:11:06.232
PC. And from then on, they were digitized:
Team 1 in green and Team 2 in blue.
00:11:06.232 --> 00:11:11.103
J: As soon as I was finished entering my
ballots, I put them on a USB drive and
00:11:11.103 --> 00:11:16.735
handed them over to Team 1.
T: Exactly. I imported these votes,
00:11:16.735 --> 00:11:22.094
because I was the master machine at this
time, and the OK.VOTE software then
00:11:22.094 --> 00:11:28.578
finalised these voting elections and
exported their results finally again on an
00:11:28.578 --> 00:11:34.055
USB stick. And these were then delivered
on for further processing.
00:11:34.055 --> 00:11:39.160
J: What is the problem with that all?
First of all, there's a lot of
00:11:39.160 --> 00:11:43.301
a lack of transparency. So, for example, the
software that is being used for vote
00:11:43.301 --> 00:11:49.171
counting, OK.VOTE, it's not an open source
software. It's closed source and nobody
00:11:49.171 --> 00:11:55.572
was able to analyze this yet. And
since this is closed source software, it
00:11:55.572 --> 00:12:00.433
is also very hard to understand how the
software works and if it really counts
00:12:00.433 --> 00:12:05.192
correctly. Because we have, in the end, we
have hundreds of ballots there and it's
00:12:05.192 --> 00:12:10.217
really difficult to tell, if they have,
indeed, been counted correctly. So, and
00:12:10.217 --> 00:12:16.887
as we have seen before, there
is no basis for a secure vote counting, if
00:12:16.887 --> 00:12:22.264
we have a possibly rigged computer system.
So, we cannot exclude that someone has
00:12:22.264 --> 00:12:29.346
manipulated them pre-election wise. So, if
there is some manipulation, this would
00:12:29.346 --> 00:12:34.988
hardly be detectable by a standard
election worker. So, this means that the
00:12:34.988 --> 00:12:40.947
entire election process becomes very
opaque and hard to understand for a
00:12:40.947 --> 00:12:46.460
person who just wants to observe the
election. So, that is strictly against the
00:12:46.460 --> 00:12:52.953
idea of a public counting of votes.
T: So, now let's talk about the step that
00:12:52.953 --> 00:12:58.323
happens after we finish counting
in each of the teams.
00:12:58.323 --> 00:13:02.038
J: So, what do you do after you have
exported the final election results?
00:13:02.038 --> 00:13:04.581
How do they come to the
central administration?
00:13:04.581 --> 00:13:10.666
T: Yeah, I've just entered my vehicle and
took the USB sticks in my pocket and drove
00:13:10.666 --> 00:13:17.868
to the master PC. But, as you maybe know,
Election Day is always a very busy day and
00:13:17.868 --> 00:13:24.386
some teams might be slower at counting.
Some teams are faster. So, the master team
00:13:24.386 --> 00:13:29.052
doesn't know when these USB sticks arrive.
If they take two or three hours or half an
00:13:29.052 --> 00:13:33.191
hour, they don't know really. So, I could
just go and grab something to eat on my
00:13:33.191 --> 00:13:39.311
way. Or I can manipulate the vote. I mean,
deliver the votes. And yeah, in the end,
00:13:39.311 --> 00:13:44.307
one day, when I arrive at the master PC, I
just give them my USB stick, they enter it
00:13:44.307 --> 00:13:48.340
and they take the data that is stored on
there and nothing else. And afterwards,
00:13:48.340 --> 00:13:52.574
they just upload the final
results on the page.
00:13:52.574 --> 00:13:59.035
J: Now you might think, why is it possible
for him to manipulate election results?
00:13:59.035 --> 00:14:04.844
Because there's no authenticity. There's
only integrity protection of the file that
00:14:04.844 --> 00:14:10.388
he is transporting. So some CRC32 and a
SHA hash, but nothing like a cryptographic
00:14:10.388 --> 00:14:16.464
signature. So, even if he alters the data,
he can just regenerate all the integrity
00:14:16.464 --> 00:14:22.089
protection data and the data will just be
accepted. So, the main issue here is also,
00:14:22.089 --> 00:14:28.508
that this is one of the few spots where
only a single person has unsupervised
00:14:28.508 --> 00:14:34.268
access to the data during transport of the
voting data at all. And that makes
00:14:34.268 --> 00:14:39.255
manipulations possible and easily feasible
in this case. And that should not be the
00:14:39.255 --> 00:14:48.145
case, especially in an electronically
supported election. Now, let's have a look
00:14:48.145 --> 00:14:52.487
at the vote counting software itself,
because there we found even more
00:14:52.487 --> 00:14:55.962
interesting results.
T: Exactly. Let's begin with the system
00:14:55.962 --> 00:15:01.951
architecture. First of all, this is the
local or decentralized version of the
00:15:01.951 --> 00:15:08.008
software system. So all this is taking
place on the local host, on the machine we
00:15:08.008 --> 00:15:13.154
encountered in the lecture rooms, and on
these machines there was an Apache Tomcat
00:15:13.154 --> 00:15:18.011
web server running, which was connected to
a MariaDB, and the user was interacting
00:15:18.011 --> 00:15:25.414
with the voting system via a portable
Firefox. And as AKDB said before, they
00:15:25.414 --> 00:15:33.166
were very concerned with security. So,
let's think about what attackers they
00:15:33.166 --> 00:15:38.349
had in mind when they designed the system
and which the system is to protect
00:15:38.349 --> 00:15:44.342
from. Is it the user that maybe attacks
the system, the vote count system, which
00:15:44.342 --> 00:15:51.336
is normally just election workers that are
there in their free time to help execute
00:15:51.336 --> 00:15:57.549
the election, or are they having the
network attackers in mind that come from
00:15:57.549 --> 00:16:03.077
completely different places and try to
manipulate the network from outside? First
00:16:03.077 --> 00:16:09.895
of all, we took the user as one of the
possible attackers. And even in this
00:16:09.895 --> 00:16:15.412
environment, we found some really broken
stuff. First of all a broken access
00:16:15.412 --> 00:16:20.525
control. But what is this all about?
Well, that's the login page; we just
00:16:20.525 --> 00:16:26.630
logged into our voting system and clicked on
administration page where we can change
00:16:26.630 --> 00:16:31.467
our password and edit our profile. These
are the buttons on the left. And as you
00:16:31.467 --> 00:16:36.585
can see, we are clearly logged in as the
user42. And there are no more things to do
00:16:36.585 --> 00:16:42.976
than select which counting part we want
to do, the general regional vote or the
00:16:42.976 --> 00:16:48.223
municipal votes. And that's all we can
do on this page. Now let's switch to the
00:16:48.223 --> 00:16:53.726
system administrator. There we have the
admin account, as you can see on the left
00:16:53.726 --> 00:17:00.193
upper side, where we can now do very much
more than the normal user. We are again on
00:17:00.193 --> 00:17:04.483
the administration page, but now we have
the user administration where we can
00:17:04.483 --> 00:17:12.495
create or delete users. We have the reopen
or close voting mechanisms. We have
00:17:12.495 --> 00:17:18.471
imports, we have exports and also what's
not included in the screenshots: submenus
00:17:18.471 --> 00:17:25.003
like deleting finalized results and so
on. So, we picked out two very interesting
00:17:25.003 --> 00:17:31.602
URLs for you. First of all, we are taking
the "Bezirk wieder eröffnen" which is
00:17:31.602 --> 00:17:36.360
translated just to reopen the election
after the election has been closed. It's
00:17:36.360 --> 00:17:41.296
normally finalized, so no more votes can
be entered in the system. And the other
00:17:41.296 --> 00:17:46.709
link is "Löschen". So that translates to
delete data, which then in the end deletes
00:17:46.709 --> 00:17:53.156
all the data from the machine. So, no
more private or secure data is stored on
00:17:53.156 --> 00:17:59.470
there. And this is what they look like
when we simply open them. On the left side,
00:17:59.470 --> 00:18:04.428
we see the reopen dialog. On the right
side, we see the data delete. But wait,
00:18:04.428 --> 00:18:12.609
this is not the admin view, this is the
user view. So, they did not check if this
00:18:12.609 --> 00:18:18.184
user is even allowed. And we also have to
say, that this is not just the view of it,
00:18:18.184 --> 00:18:22.008
it is fully working and is completely
functional, when you just go through the
00:18:22.008 --> 00:18:25.533
process of deleting or reopening an
election.
00:18:25.533 --> 00:18:29.296
Alarm sound
J: What's the problem with that?
00:18:29.296 --> 00:18:33.754
T: Yeah, as you maybe already guessed,
reopening elections could create a
00:18:33.754 --> 00:18:38.529
possibility of sneaking in some additional
votes for the candidate I favor and
00:18:38.529 --> 00:18:44.795
additionally, if I want to mess with all
of the voting, I could just delete all the
00:18:44.795 --> 00:18:50.043
election data and we would have to start
from the beginning and completely delay or
00:18:50.043 --> 00:18:53.422
deny the voting.
J: But why is this even possible?
00:18:53.422 --> 00:18:59.710
T: Yeah, we found out that this is their
access control check in their software.
00:18:59.710 --> 00:19:05.694
This function is called getZugriffRollen,
which translates to get access roles. So
00:19:05.694 --> 00:19:10.859
normally there would also be the software
in place to check if this role is allowed
00:19:10.859 --> 00:19:15.304
to access this kind of site. But they just
returned null and did not implement it.
00:19:15.304 --> 00:19:21.863
And that's also nice work to implement
access control. However, I think we can
00:19:21.863 --> 00:19:27.422
propose some mechanisms that could have
prevented this. First of all, hidden
00:19:27.422 --> 00:19:33.174
information is nothing you could rely on.
If you just don't show where you can click
00:19:33.174 --> 00:19:38.835
to get to this url or to this page. That's
not really secret because maybe you find
00:19:38.835 --> 00:19:43.488
some leaked source code or you shoulder-surf
an admin, or you just by
00:19:43.488 --> 00:19:48.774
accident type in the wrong url and get to
this hidden information. Or you, exactly,
00:19:48.774 --> 00:19:54.505
use software scanners to find something
hidden. So hidden data is just not secure.
00:19:54.505 --> 00:19:59.009
And on the other hand, you should finalize
your implementation of access control to
00:19:59.009 --> 00:20:03.394
have access control and even test it
once to be sure that it works. So in the
00:20:03.394 --> 00:20:07.678
end we can conclude that hidden
data is not protected data.
00:20:07.678 --> 00:20:11.802
T: Let's now come to another type of
attacks. Cross-site attacks. A cross-site
00:20:11.802 --> 00:20:17.009
attack is some sort of interference
between two websites. Where one website,
00:20:17.009 --> 00:20:21.862
for example, tries to do something on
behalf of the other. The goal is often to
00:20:21.862 --> 00:20:27.052
deceive the user or to trigger the
manipulations. First of all, we were quite
00:20:27.052 --> 00:20:33.217
sure that they have thought of cross-site
attacks. Because during our testing, we saw
00:20:33.217 --> 00:20:39.979
that they included some HTTP-Headers that
target a wide range of attack vectors that
00:20:39.979 --> 00:20:45.140
use Cross-site scripting attacks. For
example, here we have X-Frame-Options:
00:20:45.140 --> 00:20:52.179
SAMEORIGIN. That means that other pages
can not include the voting software into
00:20:52.179 --> 00:20:56.608
their own frames and so on. And also
cross-site scripting protection is enabled
00:20:56.608 --> 00:21:03.739
via X-XSS-Protection. So this looks quite
good because this already excludes several
00:21:03.739 --> 00:21:10.328
attack vectors. But how about cross-site
request forgery? When we first tested
00:21:10.328 --> 00:21:16.157
this, we found out that the vote counting
system is not fully protected against it.
00:21:16.157 --> 00:21:21.490
What is cross-site request forgery? So in
the first step, the election worker uses
00:21:21.490 --> 00:21:26.566
the integrated Firefox browser to access
a malicious website. So the user is
00:21:26.566 --> 00:21:31.965
triggered to visit this website. For
example, someone sent him a link and triggered
00:21:31.965 --> 00:21:37.805
him to click on the link by the promise,
for example, of a cute animal picture or
00:21:37.805 --> 00:21:43.088
some sort of that. And then the user
visits this website. And this website
00:21:43.088 --> 00:21:47.972
contains form fields that resemble the
form fields of the actual vote counting
00:21:47.972 --> 00:21:53.890
software. And the malicious website now
triggers your browser to submit this form
00:21:53.890 --> 00:21:59.576
data, not to the original website, but
rather to the vote counting software. And
00:21:59.576 --> 00:22:04.489
as soon as it reaches the Tomcat web
server, the web server is confused.
00:22:04.489 --> 00:22:11.266
Because the web server cannot discern the
input from the cross-site attack from the
00:22:11.266 --> 00:22:15.432
malicious website from original user
input. And then the Apache Tomcat server
00:22:15.432 --> 00:22:20.482
just thinks that this is original user
input and will process it. And that's
00:22:20.482 --> 00:22:25.550
called a cross-site request forgery
attack. So we saw that there is sometimes
00:22:25.550 --> 00:22:31.360
a protection against this sort of attacks.
But many pages are not protected against
00:22:31.360 --> 00:22:37.647
it. And that is very concerning because
that's a 2001 vulnerability. It's almost
00:22:37.647 --> 00:22:43.873
20 years old now and it's still present in
such a software. So this is quite
00:22:43.873 --> 00:22:49.950
unsettling here. Now, let's sum this up.
What we can do with it. So, first of all,
00:22:49.950 --> 00:22:55.508
the issue is that they have missing CSRF
tokens or any other good countermeasure
00:22:55.508 --> 00:23:00.456
against cross site request forgery
attacks. And the second point is here,
00:23:00.456 --> 00:23:05.161
that only minimal user interaction is
required. The user often doesn't even see
00:23:05.161 --> 00:23:11.233
that a cross-site request forgery attack
is currently being executed on his behalf.
00:23:11.233 --> 00:23:15.695
So it's almost undetectable by the user.
And it's very simple to trick a user into
00:23:15.695 --> 00:23:22.824
clicking a link. So the impact is very
devastating because we can now manipulate
00:23:22.824 --> 00:23:29.414
settings in the vote counting software.
And we can even insert fake ballots here.
00:23:29.414 --> 00:23:33.604
Alarm sound
T: So what's the result of this?
00:23:33.604 --> 00:23:37.899
What we can do with it?
J: Well, we can manipulate the entire
00:23:37.899 --> 00:23:42.534
election with this. Let's just do a demo of
how we do this.
00:23:42.534 --> 00:23:45.009
T: Nice.
J: We are already logged in into the vote
00:23:45.009 --> 00:23:54.763
counting system. Our username is
admin321934. Now let's count some votes.
00:23:54.763 --> 00:23:59.625
As we can see here, these are all the
ballots that we can enter. They are still
00:23:59.625 --> 00:24:07.226
empty since we haven't entered any ballots
yet. So let's start. For simplicity, we
00:24:07.226 --> 00:24:12.337
just have two parties here. On the left
hand side we have the good party. Who
00:24:12.337 --> 00:24:16.812
wants the best for the people. On the
right hand side we have the bad party
00:24:16.812 --> 00:24:22.339
who wants to take power and is willing to
even commit election fraud. Let us begin
00:24:22.339 --> 00:24:27.957
and enter the first paper ballot. The
person has voted for the good party. So we
00:24:27.957 --> 00:24:37.867
enter this into the software. Now we save
the ballot and go to the next one. Again,
00:24:37.867 --> 00:24:44.743
it's a vote for the good party. Let's
enter it and save it and go to the third
00:24:44.743 --> 00:24:52.906
ballot. And again, it's for the good
party. Let's save our third ballot. Now we
00:24:52.906 --> 00:24:59.870
go to the ballot overview and we look what
has happened. As you can see, we now have
00:24:59.870 --> 00:25:05.244
three ballots that have successfully been
entered. At next, let's check the
00:25:05.244 --> 00:25:11.353
preliminary election results. As we can
see here, we have a total of three ballots
00:25:11.353 --> 00:25:15.983
that have been entered into the system.
That's correct. Three ballots contained
00:25:15.983 --> 00:25:21.764
votes for the good party. That's also
correct. And zero votes have been given to
00:25:21.764 --> 00:25:28.235
the bad party. That's fine so far. Next, I
will show you what happens if I open a
00:25:28.235 --> 00:25:32.616
malicious website. This website will
execute a CSRF attack and manipulate the
00:25:32.616 --> 00:25:38.335
election results. Let's just assume we
want to take a break and simply browse
00:25:38.335 --> 00:25:54.058
Twitter. OK, here we are. There's a cute
cat picture and there's a link to even
00:25:54.058 --> 00:26:02.388
more of them. Let's just play along and
get tricked into clicking that link. Oh,
00:26:02.388 --> 00:26:08.001
look at all those cute animal pictures,
look, a hungry rabbit, a monkey, a little
00:26:08.001 --> 00:26:14.318
hedgehog and two cute goats and so on, and
when we are done browsing, we close those
00:26:14.318 --> 00:26:23.343
tabs again and return to our vote counting
software. What we notice now is, that our
00:26:23.343 --> 00:26:29.460
username has been altered and we just got
pwned. We were tricked into visiting this
00:26:29.460 --> 00:26:34.599
malicious website. The website executed a
CSRF attack on the vote counting software
00:26:34.599 --> 00:26:42.758
and did some manipulations. Let's see what
else has changed. However, all three
00:26:42.758 --> 00:26:48.426
ballots are still there, but now we take a
look at the preliminary election results.
00:26:48.426 --> 00:26:53.792
What you can see here is that the number
of ballots that are in the system has been
00:26:53.792 --> 00:26:58.190
increased to eight. We now have five
additional ballots that were not entered
00:26:58.190 --> 00:27:03.728
by us. As you can see, the good party
still has three votes. That is what we
00:27:03.728 --> 00:27:09.531
have entered. But now the bad party has
taken the lead. They have five votes now.
00:27:09.531 --> 00:27:15.648
This attack has indeed manipulated the
election results. This is really bad
00:27:15.648 --> 00:27:21.111
because we cannot even see those
additional fake ballots that have been
00:27:21.111 --> 00:27:26.789
injected. However, we are lucky because we
noticed it since we have expected this
00:27:26.789 --> 00:27:32.288
attack. But we won't notice
it in every case.
00:27:33.563 --> 00:27:39.124
T: But what happens if we don't notice?
J: Well, that happens. So, for this
00:27:39.124 --> 00:27:44.213
example, we just assume that team 1 had
three ballots that they have entered into
00:27:44.213 --> 00:27:48.247
the computer system and team 2 has six
ballots that have been entered into the
00:27:48.247 --> 00:27:55.038
computer system. Now team one visits a
malicious website and five fake ballots
00:27:55.038 --> 00:28:01.085
are injected into the election results. In
this case, the attacker is very smart and
00:28:01.085 --> 00:28:06.498
injects the ballots at the location where
the team 2 ballots will be expected in the
00:28:06.498 --> 00:28:14.209
future. So what happens now is: team 2
exports their ballots and team 1 tries to
00:28:14.209 --> 00:28:20.736
import the ballots of team 2. And now the
following thing happens: Because there are
00:28:20.736 --> 00:28:26.460
already ballots present at the location
where the team 2 ballots should go to, the
00:28:26.460 --> 00:28:32.353
import process is not fully successful and
only a subset of the ballots are imported
00:28:32.353 --> 00:28:37.955
so that the majority of the ballots, in
this case five of the six ballots, are just
00:28:37.955 --> 00:28:42.483
discarded because they don't fit in the
database anymore because that location is
00:28:42.483 --> 00:28:48.120
already taken by the fake ballots. So
usually we would expect that this can
00:28:48.120 --> 00:28:52.786
generate an error message or at least a
warning. But this does not happen. This is
00:28:52.786 --> 00:28:59.567
a silent failure of the software. And
what's even worse is that now the sums
00:28:59.567 --> 00:29:04.639
finally are correct. So that means we now
have nine ballots present in the system
00:29:04.639 --> 00:29:09.926
and nine paper ballots that were initially
available. So this looks like we have
00:29:09.926 --> 00:29:14.250
entered all the ballots and everything
seems to be fine. So we will now close the
00:29:14.250 --> 00:29:19.486
election and generate the final result.
And that is what happens now. As you can
00:29:19.486 --> 00:29:25.624
see, we have only four votes for the good
party, but five votes for the bad party.
00:29:25.624 --> 00:29:31.747
So the bad party has won the election by
manipulating the voting system, using this
00:29:31.747 --> 00:29:38.272
CSRF attack. And that should never be
possible because this is not what we
00:29:38.272 --> 00:29:45.812
expect for a voting software. And in this
case, the result is rigged. So have we
00:29:45.812 --> 00:29:50.570
thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other
00:29:50.570 --> 00:29:55.010
side of the coin. First, we checked the
election worker side for attacks, but now
00:29:55.010 --> 00:30:00.345
we checked the network side and scanned
and analyzed the system at first. And then
00:30:00.345 --> 00:30:07.530
it looked like this: Open ports
everywhere. And as you can see, they fully
00:30:07.530 --> 00:30:13.729
exposed the Apache Tomcat and the MariaDB
to each available network on the system.
00:30:13.729 --> 00:30:19.010
And with this, we thought, well, let's maybe
try some newly discovered vulnerability,
00:30:19.010 --> 00:30:25.090
which was recently found in 2020 called
Ghostcat. And Ghostcat is an attack
00:30:25.090 --> 00:30:31.290
against the AJP protocol from Apache. But
let's check the Apache system and how it's
00:30:31.290 --> 00:30:37.780
built. First, Apache has a web root which
serves static resources and HTML or JSP
00:30:37.780 --> 00:30:43.270
files. And additionally, it can include
class files or servlets which are
00:30:43.270 --> 00:30:48.979
combined with this JSPs or HTML files and
then served to the user. So we prepared
00:30:48.979 --> 00:30:56.503
our ajpShooter with the URL of the
application, the port and the file we want
00:30:56.503 --> 00:31:01.980
to read. In our case, it's a PrivateTest
class file because, what could we
00:31:01.980 --> 00:31:07.250
leak about this? But we'll see. And
then we said we only want to read it
00:31:07.250 --> 00:31:10.750
because there would even be the
possibility to evaluate it and execute the
00:31:10.750 --> 00:31:17.600
code in it. So we've done this attack and
TADA we've got a result. This is the byte
00:31:17.600 --> 00:31:22.510
code of the PrivateTest class. So let's
just drop this byte code in our cup of
00:31:22.510 --> 00:31:29.132
coffee and maybe we can pull out some
source code from it. And yeah that's what
00:31:29.132 --> 00:31:36.700
we've read out because why not. Just test
your encryption mechanism with the string.
00:31:36.700 --> 00:31:42.020
But this is not a common string as we
later found out. This is the real root
00:31:42.020 --> 00:31:45.661
production password of the MariaDB. And
this was like:
00:31:45.661 --> 00:31:51.775
Alarm sound
So what's the problem? As you maybe
00:31:51.775 --> 00:31:56.850
clearly see with this attack, we could
leak out the login of the MariaDB and
00:31:56.850 --> 00:32:02.363
probably even more logins or passwords.
And additionally, we could leak the whole
00:32:02.363 --> 00:32:08.392
source code over the network without ever
accessing the PC in the election room. And
00:32:08.392 --> 00:32:15.533
this was only possible because they
completely exposed all machines and
00:32:15.533 --> 00:32:22.285
applications to the network and this
should never be the case. So in result:
00:32:22.285 --> 00:32:26.902
How can this be prevented? First, you
should never expose these unneeded ports
00:32:26.902 --> 00:32:31.445
to the Internet because they don't even use
the AJP proxy in their application, but
00:32:31.445 --> 00:32:38.185
just left it on the 0.0.0.0 interface.
Next is: You should keep your software up
00:32:38.185 --> 00:32:43.948
to date, so that if some vulnerabilities are
found, you are not vulnerable to them.
00:32:43.948 --> 00:32:49.771
And last but not least: Never use
production passwords in your unit tests
00:32:49.771 --> 00:32:55.430
because that's not the best idea to do. In
the end, to sum it up: Avoid at all costs
00:32:55.430 --> 00:33:01.316
any additional attack surface to prevent
these kind of attacks, even if you don't
00:33:01.316 --> 00:33:04.671
know about them yet.
J: So, after Tobi has shown us a lot of
00:33:04.671 --> 00:33:09.759
interesting Apache stuff. I tested the
database for its security. For the first
00:33:09.759 --> 00:33:14.918
analysis, I was just starting on the
same PC on which also the software was
00:33:14.918 --> 00:33:20.154
installed and I tried to gain access to
the database. So it was coming from the
00:33:20.154 --> 00:33:25.040
host localhost. I tried to use the
username root and then I saw that I am
00:33:25.040 --> 00:33:29.723
asked for a password before I'm allowed to
connect to the database. However, finding
00:33:29.723 --> 00:33:35.338
the password was quite trivial to do
because all the stuff I needed to know for
00:33:35.338 --> 00:33:40.744
that was included in that last file and I
was able to decrypt the password without
00:33:40.744 --> 00:33:46.397
any issue here. And that moment I realized
that also the password that Tobi has shown
00:33:46.397 --> 00:33:51.313
us before, that he found with the Ghostcat
vulnerability is indeed the MySQL root
00:33:51.313 --> 00:33:58.846
password here. So after I had access to
the MySQL system, I tried to dump the user
00:33:58.846 --> 00:34:05.507
table to look which users are allowed to
access the database. So and that is how
00:34:05.507 --> 00:34:11.357
the user table looks like. We have four
times the user root and the user root
00:34:11.357 --> 00:34:16.576
requires a password if I'm coming from
localhost. But wait a moment. Here we also
00:34:16.576 --> 00:34:23.840
have the host pci90309. And as you can see
here, there is no MySQL password
00:34:23.840 --> 00:34:29.687
statement. That means that someone coming
from host pci90309 is almost allowed to
00:34:29.687 --> 00:34:37.518
connect as root and does not even need to
provide any password for that. And that's
00:34:37.518 --> 00:34:42.104
really strange.
Alarm sound
00:34:42.104 --> 00:34:50.530
T: So what could happen from this?
J: Well, now someone on the network can
00:34:50.530 --> 00:34:56.310
now just launch voting manipulation. That's
quite trivial because as soon as I set my
00:34:56.310 --> 00:35:01.250
host to the correct hostname, I get full
access to the database where all my local
00:35:01.250 --> 00:35:05.750
voting results are stored. And since I'm
root, I can interfere with them. I can
00:35:05.750 --> 00:35:09.943
change them however I want to. And this
vulnerability is so damn weird and
00:35:09.943 --> 00:35:16.850
trivial, it takes me no effort to do this
at all. And so we won't even go into a
00:35:16.850 --> 00:35:22.770
demo here because it's so stupid simple in
this case. Usually I would say that's
00:35:22.770 --> 00:35:28.370
enough for today because we already have
full access to the voting system and can
00:35:28.370 --> 00:35:33.620
change whatever we want to. However, this
time we decided to go deeper because we
00:35:33.620 --> 00:35:42.290
saw pci90309 is a real door opener. So we
have access to the voting results. We can
00:35:42.290 --> 00:35:47.630
change them, but we still don't have
access to the entire voting system. So
00:35:47.630 --> 00:35:52.186
what about the PC? Might it be possible,
with that root access to the database
00:35:52.186 --> 00:35:59.840
server, to gain remote code execution at
that machine? So for this experiment, I
00:35:59.840 --> 00:36:04.740
used the following setup. On the right hand
side we have a voting system with the
00:36:04.740 --> 00:36:10.620
exposed MariaDB database server. On the
left hand side that's my system. I named
00:36:10.620 --> 00:36:16.480
myself pci90309, just because I can do it,
and I establish a connection to the
00:36:16.480 --> 00:36:23.927
MariaDB server. I use root as a username.
I don't need any password. And it is
00:36:23.927 --> 00:36:30.119
immediately accepted. So now that I am
connected, I'm allowed to issue commands.
00:36:30.119 --> 00:36:36.440
For example, I can now instruct MariaDB to
enable one of its plugins. This plugin is
00:36:36.440 --> 00:36:42.390
called ha_connect. It's one of the plugins
that usually come directly with MariaDB.
00:36:42.390 --> 00:36:49.980
And this is a very powerful MySQL storage
driver. So now I will show you what I can
00:36:49.980 --> 00:36:57.020
do with that storage driver. So next, I
will now create a table that's called pwn.
00:36:57.020 --> 00:37:02.538
And I'm using the ha_connect storage
driver and instruct the storage driver to
00:37:02.538 --> 00:37:09.470
create a file that's called pwn.dll and to
place it right into that plugin folder.
00:37:09.470 --> 00:37:14.270
There is nothing that stops me from doing
so. So that is one of the special features
00:37:14.270 --> 00:37:20.289
of the ha_connect storage driver, that I
can just say, this table is mapped to that
00:37:20.289 --> 00:37:25.180
file in the file system. However, this
file is still empty because the table is
00:37:25.180 --> 00:37:30.690
empty. But since this is a database, I can
now just issue INSERT INTO statements and
00:37:30.690 --> 00:37:36.430
load whatever data I want to, for example,
some malicious DLL. I can just load into
00:37:36.430 --> 00:37:41.270
the table, via that INSERT INTO
statement, and then it is directly written
00:37:41.270 --> 00:37:49.470
into our malicious DLL "pwn.dll". OK, so
next, after I've finished writing, I
00:37:49.470 --> 00:37:55.060
will instruct MariaDB to enable this
plugin that I have just uploaded. And
00:37:55.060 --> 00:38:00.447
enabling a plugin means that we are
executing the code that is stored in this
00:38:00.447 --> 00:38:05.184
DLL file. So that means we have remote
code execution.
00:38:05.184 --> 00:38:09.960
Alarm Sound
T: I don't even ask what you can do with
00:38:09.960 --> 00:38:14.410
remote code execution.
J: Well, I can do anything. So that means
00:38:14.410 --> 00:38:19.870
I have now got full control over the
entire vote counting system. So I'm not
00:38:19.870 --> 00:38:24.520
only talking about the data in the
database, I'm talking about the entire
00:38:24.520 --> 00:38:30.040
computer that I can now fully control and
manipulate however I want to. And that's
00:38:30.040 --> 00:38:35.580
possible, only by using the voting
software and accessing it over the network
00:38:35.580 --> 00:38:41.080
interfaces that it had exposed. And now
I'll show you how simple this is to
00:38:41.080 --> 00:38:49.720
execute an arbitrary program on the system.
T: This is the vote counting computer
00:38:49.720 --> 00:39:01.575
system. To begin, let's start the vote
counting software. Now, the Apache Tomcat
00:39:01.575 --> 00:39:07.733
Web server and the MariaDB database server
are being launched. Finally, the Firefox
00:39:07.733 --> 00:39:14.598
portable is started. The system is now
ready for operation. But beware, the
00:39:14.598 --> 00:39:21.954
attacker becomes active, his host name is
the infamous pci90309, immediately it
00:39:21.954 --> 00:39:28.738
launches the python attack script
"fun.py". It connects to the MariaDB
00:39:28.738 --> 00:39:34.845
server as root without a password and
uploads a malicious DLL plugin. When the
00:39:34.845 --> 00:39:41.512
upload has been finished, the malicious
plugin is executed. As we can see, the
00:39:41.512 --> 00:39:47.506
calculator was started, thus remote code
execution was successful. The vote
00:39:47.506 --> 00:39:52.869
counting computer system is now under
control of the attacker.
00:39:52.869 --> 00:40:00.893
J: After we had found such devastating
issues with the vote counting software, we
00:40:00.893 --> 00:40:06.156
immediately notified the vendor AKDB.
T: And they were very professional about
00:40:06.156 --> 00:40:11.269
it and responded very quickly to our
initial emails. So we really like working
00:40:11.269 --> 00:40:18.114
together with them and telling them our
results and they were always
00:40:18.114 --> 00:40:23.340
positive about it. So they also
recommended some fixes.
00:40:23.340 --> 00:40:27.624
J: So, for example, they told us, you
should only use that voting software in a
00:40:27.624 --> 00:40:31.662
secure environment like in an
administrative network. However, we
00:40:31.662 --> 00:40:35.890
don't really believe that this is a good
solution.
00:40:35.890 --> 00:40:39.563
T: Exactly. And we are not very happy
about this proposal, because we have two
00:40:39.563 --> 00:40:44.645
problems that still arise, even if it's in
a secure environment. First of all, an
00:40:44.645 --> 00:40:50.325
administrative PC could still be infected
with some malware or it could be
00:40:50.325 --> 00:40:55.583
manipulated before the election takes
place. And on the other hand, we have
00:40:55.583 --> 00:40:59.988
this bug with the broken access control,
you remember. And even if you would have
00:40:59.988 --> 00:41:05.130
been in the secure environment, this bug
would have totally worked and you
00:41:05.130 --> 00:41:09.303
could have completely deleted all the data
or reopened elections or something
00:41:09.303 --> 00:41:12.260
like this.
J: But we are still quite happy that they
00:41:12.260 --> 00:41:17.833
took us seriously, because they even have
announced updates. So, for example, they
00:41:17.833 --> 00:41:23.090
wrote us that they are planning on adding
XSRF tokens for the pages where we found
00:41:23.090 --> 00:41:28.302
cross-site vulnerabilities. So that's
already a good step into the right
00:41:28.302 --> 00:41:35.020
direction. So now let's summarize what we
have presented today. So first of all, we
00:41:35.020 --> 00:41:40.408
discovered several problematic aspects
in the concept and its practical
00:41:40.408 --> 00:41:45.241
implementation. So, first of all, the
entire voting system, it's running on
00:41:45.241 --> 00:41:50.384
untrustworthy computer systems. So it
could have been manipulated beforehand.
00:41:50.384 --> 00:41:56.055
They could have malware on them or they
just could not function correctly. So
00:41:56.055 --> 00:42:00.638
that's already very problematic from the
beginning, because we have no underlying
00:42:00.638 --> 00:42:05.946
trust that we can put into those systems
and we are using them to count out our
00:42:05.946 --> 00:42:11.702
votes, to count out the entire election.
So what's even more is, that even if they
00:42:11.702 --> 00:42:19.430
use the software, and the PC that lies
beneath it is secure, it still has not
00:42:19.430 --> 00:42:25.326
enough transparency. It's very hard to
understand what the software is exactly
00:42:25.326 --> 00:42:31.001
doing and how it is doing this. So, I
cannot really understand how it comes
00:42:31.001 --> 00:42:36.034
to its result. Please keep in mind, that
we have almost 600 candidates and several
00:42:36.034 --> 00:42:42.445
hundreds of ballots that all have to be
input into that computer system and then
00:42:42.445 --> 00:42:47.504
some magic happens and it spits out its
result. So, then we just have to take this
00:42:47.504 --> 00:42:53.417
result, because it's just impossible to
check, if really each vote has been
00:42:53.417 --> 00:42:57.822
counted correctly or whether anything
strange has happened or any manipulation
00:42:57.822 --> 00:43:00.619
took place.
T: And this is also possible, because we
00:43:00.619 --> 00:43:07.262
found lots of vulnerable software and not
just the system security was affected, but
00:43:07.262 --> 00:43:12.208
it was also absolutely possible to
manipulate the whole election from very
00:43:12.208 --> 00:43:19.954
many parts in the network. And this leads
us to conclude that these elections are at
00:43:19.954 --> 00:43:24.900
a high risk with this technology.
J: So, and that is the reason that we want
00:43:24.900 --> 00:43:31.125
you as election workers. The more eyes are
looking at the election, the more secure
00:43:31.125 --> 00:43:35.539
it becomes. And if you are interested in
becoming an election worker, just get into
00:43:35.539 --> 00:43:40.212
contact with the local administration.
They are always very happy to have
00:43:40.212 --> 00:43:45.222
volunteers, who want to take part as
election workers. So and for my personal
00:43:45.222 --> 00:43:49.961
experience, I'm doing this for several
years now. It's also a lot of fun. You get
00:43:49.961 --> 00:43:54.727
into contact with a lot of people. So I
enjoyed this a lot and I can just
00:43:54.727 --> 00:44:00.790
recommend it, and this is a good way how
everyone of us can support the democracy
00:44:00.790 --> 00:44:05.273
in their country.
T: So, to conclude our talk, we found out
00:44:05.273 --> 00:44:11.593
that security in this technology is really
bad and that's not all of it.
00:44:11.593 --> 00:44:16.986
J: So, this is just the tip of the
iceberg, because we look only at one of
00:44:16.986 --> 00:44:21.965
the solutions that is available for vote
counting. And this was also in a special
00:44:21.965 --> 00:44:28.086
configuration. So what is even more
difficult to see is, what happens behind
00:44:28.086 --> 00:44:34.597
all the stuff we have seen today, because,
when we export the data and bring it to
00:44:34.597 --> 00:44:40.264
the central administration and the data is
imported and uploaded, so where does all
00:44:40.264 --> 00:44:44.910
this data go, where are all the results
from all this data from all the polling
00:44:44.910 --> 00:44:49.603
stations are summarized? We don't know
that yet, how this works. We don't have
00:44:49.603 --> 00:44:53.868
the software, that we can analyze. So
there's still a lot of work that has to be
00:44:53.868 --> 00:44:59.355
done. Here to really check the entire
system, we just took a look at a very
00:44:59.355 --> 00:45:04.149
small portion and that is just the vote
counting software here.
00:45:04.149 --> 00:45:08.647
T: Next, we were very shocked that this
information, that vote counting is already
00:45:08.647 --> 00:45:14.458
shifted to software, is not publicly
known. And this is also why we created
00:45:14.458 --> 00:45:19.947
this talk today, as this is information
that is crucial for the democracy, that
00:45:19.947 --> 00:45:26.788
there is already this software in use and
it is not really secure. So this was a big
00:45:26.788 --> 00:45:33.530
thing for us to keep bringing it out to
the people.
00:45:33.530 --> 00:45:37.829
J: So and one other thing is, everything
that we have seen today is entirely legal,
00:45:37.829 --> 00:45:44.312
because at least in Bavaria, we don't have
any rules or any laws against the use of
00:45:44.312 --> 00:45:50.098
insecure computer systems, of insecure
vote counting software. So, as we've seen
00:45:50.098 --> 00:45:55.611
in the beginning, we only have very rough
legal guidelines that say, well, you can
00:45:55.611 --> 00:46:00.322
just use computers for vote counting, but
we need stricter guidelines here, because
00:46:00.322 --> 00:46:06.794
it cannot continue as we've seen it today
and in other states in Germany there is
00:46:06.794 --> 00:46:12.304
sometimes something like, let's say,
guidelines or even certification process
00:46:12.304 --> 00:46:18.347
for such digital software. But in most
states that I had a look at, there are no
00:46:18.347 --> 00:46:23.780
rules at all, and it should not
continue in the next years that way.
00:46:23.780 --> 00:46:29.963
T: Additionally, in the end, before any of
this software to electronically count the
00:46:29.963 --> 00:46:36.671
votes should go live, unbiased tests for
everyone should be available to prove
00:46:36.671 --> 00:46:41.965
themselves, that this software is secure
and this software is doing what it's
00:46:41.965 --> 00:46:46.530
promising to us. Because it is directly
influencing our democracy. And if this
00:46:46.530 --> 00:46:52.002
software is manipulated, it manipulates
our voting, our election and our
00:46:52.002 --> 00:46:56.333
democracy. So in the end, we can just
leave you with two questions.
00:46:56.333 --> 00:47:01.158
T: How much digital support is required?
J: And how much is tolerable?
00:47:01.158 --> 00:47:18.528
No Audio
00:47:18.528 --> 00:47:25.709
Herald: Thank you very much for the
interesting talk, Johannes and Tobias. And
00:47:25.709 --> 00:47:30.136
thank you very much for your work on the
topic. I hope you do have time for a
00:47:30.136 --> 00:47:36.095
little Q&A. We have quite a few questions,
actually.
00:47:36.095 --> 00:47:39.244
J: Sure.
M: All right. So the first question from
00:47:39.244 --> 00:47:45.468
the Internet is, is there any suspicion
that these vulnerabilities have been
00:47:45.468 --> 00:47:49.404
actively used?
J: Well, it's very hard to tell. So, at
00:47:49.404 --> 00:47:57.617
least for the town that I am from, I did
not notice any special occurrences there.
00:47:57.617 --> 00:48:04.994
So, however, I don't have an overview of
entire Bavaria, so, that's quite hard to
00:48:04.994 --> 00:48:09.707
tell. I think it's even impossible to
tell, if there were any manipulation so
00:48:09.707 --> 00:48:15.395
far. So, unfortunately, we cannot say
that.
00:48:15.395 --> 00:48:20.292
T: Additionally, we are just at one place
in this whole system. So we don't have an
00:48:20.292 --> 00:48:25.328
overview, if there were any mismatching
numbers or any other influences that
00:48:25.328 --> 00:48:30.702
happened, but that we didn't see at the
moment, because we were just at one
00:48:30.702 --> 00:48:35.589
position in the system, at one station
of the election.
00:48:35.589 --> 00:48:41.470
M: OK, thank you for the answer. Ah, do
you believe that it is possible to have a
00:48:41.470 --> 00:48:46.300
digital ballot that is as secure and
trustworthy as physical or paper based
00:48:46.300 --> 00:48:51.560
voting is?
J: Well, in my opinion, that's not
00:48:51.560 --> 00:48:56.560
possible, if you want to have the same
sort of transparency that we have in the
00:48:56.560 --> 00:49:02.010
paper based voting system, because, when
we have paper based voting, we can just go
00:49:02.010 --> 00:49:07.470
into the voting room and watch what's
going on there. We can see the ballots
00:49:07.470 --> 00:49:12.690
that are handed in, the ballots that come
out of the box. Then, they are counted,
00:49:12.690 --> 00:49:17.990
are summed up. I can really try to find
out what's going on there. I can have a
00:49:17.990 --> 00:49:24.220
look at that. Understand what people are
doing there, but at the moment, that we
00:49:24.220 --> 00:49:29.840
have only a digital vote, I cannot really
find out, if the computer is doing the
00:49:29.840 --> 00:49:34.190
right thing, if there were some
manipulations. So, in terms of
00:49:34.190 --> 00:49:40.830
transparency, I don't think it is possible
in the same. Yeah, in the same way as the
00:49:40.830 --> 00:49:47.910
paper based ballots, for example.
T: I would have to add to this, if there
00:49:47.910 --> 00:49:53.750
would be the possibility to get the same
traceability and visibility that you can
00:49:53.750 --> 00:50:00.240
always see which results came from, from
which position. And if they are signed
00:50:00.240 --> 00:50:07.260
very transparent, then it may be possible
in any future, but not with any kind of
00:50:07.260 --> 00:50:16.299
this software, we saw there.
M: All right. Thank you. Do you, by any
00:50:16.299 --> 00:50:21.552
chance, know which states in Germany use
this software OK.VOTE so far?
00:50:21.552 --> 00:50:29.257
T: We cannot directly say which states
actively use them, because we only took
00:50:29.257 --> 00:50:34.249
place in elections here in Munich or
Bavaria. But, we can tell, that we found
00:50:34.249 --> 00:50:40.130
very many hints in the source code that
they were also used in, for example,
00:50:40.130 --> 00:50:47.481
Hamburg, Bremen, Hessen or Rheinland-
Pfalz, but we don't know if they were
00:50:47.481 --> 00:50:54.180
already used there or if it's planned to
be used there or whether they already used
00:50:54.180 --> 00:50:59.010
them in the past elections and decided
against them for future ones. We don't
00:50:59.010 --> 00:51:03.330
know about this, exactly.
M: OK, maybe we can stay for a second on
00:51:03.330 --> 00:51:11.190
your job as an election worker. The
process of manually entering data into the
00:51:11.190 --> 00:51:16.610
system, is there a process for this? Do
you have an idea on the risk of this part
00:51:16.610 --> 00:51:21.069
here?
J: Yes. So, it's basically the thing, that
00:51:21.069 --> 00:51:26.401
there are at least two or three people
sitting in front of each computer and then
00:51:26.401 --> 00:51:30.930
they are entering each ballot. So people
are really cross checking that the ballot
00:51:30.930 --> 00:51:36.180
has been entered correctly. So, it's like
one person has the ballot in front of him
00:51:36.180 --> 00:51:42.290
or her and the other person reads the
votes and the other person types it in and
00:51:42.290 --> 00:51:47.645
they are cross checking each other, so
that there isn't any error while typing in
00:51:47.645 --> 00:51:54.250
those election results in the computer.
M: All right. Thank you for the
00:51:54.250 --> 00:52:00.300
elaboration. Someone is asking, how the
system's connected to the Internet or some
00:52:00.300 --> 00:52:05.870
other network, if the understanding of the
talk was correctly received by that
00:52:05.870 --> 00:52:09.740
person. The results are written to some
physical medium which is then used to
00:52:09.740 --> 00:52:15.560
transmit the results. So you send
something physically. So, why care for the
00:52:15.560 --> 00:52:20.305
Windows version or the, what is running on
these machines? Is that correct
00:52:20.305 --> 00:52:24.941
understanding?
J: Well, the problem with that is, that it
00:52:24.941 --> 00:52:30.011
depends on the local administration, how
they set up their computer systems. So, I
00:52:30.011 --> 00:52:36.242
also read this in a chat here. Someone has
written, that they had their voting
00:52:36.242 --> 00:52:44.530
software in a, yeah, in a very limited
network connectivity. So, the computer was
00:52:44.530 --> 00:52:49.960
not connected to the Internet. However, it
depends very much on the administration and on
00:52:49.960 --> 00:52:54.666
the computer network that is being used
there. So, it is entirely possible that
00:52:54.666 --> 00:52:59.902
computers are connected to the Internet,
because there are no guidelines on how
00:52:59.902 --> 00:53:06.480
these computers are allowed to be set up.
So, I cannot fully exclude this. So, and
00:53:06.480 --> 00:53:11.370
if someone, for example, just enables the
wireless network or connects to some
00:53:11.370 --> 00:53:16.834
unsecured hotspot, they are connected
then. So, it's hard to tell here, but
00:53:16.834 --> 00:53:22.640
I would not exclude this possibility.
T: To extend this answer, we even tried to
00:53:22.640 --> 00:53:27.490
find out, if there's any software side
protection that checks, if there is any
00:53:27.490 --> 00:53:31.189
Internet connection present and would then
deny this voting system. But there
00:53:31.189 --> 00:53:36.480
wasn't or at least we couldn't find one.
So even if the administration was not
00:53:36.480 --> 00:53:44.020
advised, if these PCs should be
disconnected from the network. There isn't
00:53:44.020 --> 00:53:47.914
even a security mechanism in place, that
would check this and stop it or even show
00:53:47.914 --> 00:53:51.860
a warning, that this is connected and they
should be disconnected from the Internet
00:53:51.860 --> 00:53:59.700
before the counting can begin.
M: Interesting. All right. We have one
00:53:59.700 --> 00:54:03.780
message on the IRC, from someone who
worked with this particular piece of
00:54:03.780 --> 00:54:09.540
software in demo mode by themselves,
obviously. And the question they have, is:
00:54:09.540 --> 00:54:17.890
Did you notice the possibility to enter
negative votes for a candidate? So saying
00:54:17.890 --> 00:54:25.760
minus two votes, for instance.
J: Well, that's difficult to tell. I
00:54:25.760 --> 00:54:31.200
thought about, if this is possible, so
perhaps you might have to manipulate the
00:54:31.200 --> 00:54:37.360
database directly. So I'm not entirely
sure. I'm not sure, if I tried this out
00:54:37.360 --> 00:54:43.600
this one. But however, as soon as I
have database access,
00:54:43.600 --> 00:54:49.920
it's entirely possible to manipulate
anything. So. Well, we could try this out
00:54:49.920 --> 00:54:57.520
again. However, I don't think that changes
much in our result. So, yeah, that's
00:54:57.520 --> 00:55:03.040
an interesting question, but I cannot answer
this right now, so I'm not sure. You, Tobi,
00:55:03.040 --> 00:55:10.080
have you tried out something like that?
T: We've tried manipulating some already
00:55:10.080 --> 00:55:17.040
submitted votes, but I think, this was not
really possible. However, as you showed,
00:55:17.040 --> 00:55:22.640
when you export the data and import into
the main PC, the votes that were already
00:55:22.640 --> 00:55:28.080
in place, possibly by an attacker, would
then discard the newly imported votes. So,
00:55:28.080 --> 00:55:34.238
this would probably replace this data and
these votes, but via the Web interface, I
00:55:34.238 --> 00:55:38.988
think it was not possible. However, we
found enough vulnerabilities with
00:55:38.988 --> 00:55:43.512
database access that you could do it by
this way, if you want to.
00:55:43.512 --> 00:55:50.524
M: All right. Thank you for your
explanation. Out of pure curiosity, people
00:55:50.524 --> 00:55:55.984
ask, how did you get access to the software
in the first place? To start your analysis?
00:55:55.984 --> 00:56:00.514
J: Well, that's a good question here,
because, there's a nice story behind that.
00:56:00.514 --> 00:56:06.304
So, I was election worker and I was
supporting setting up a system and doing
00:56:06.304 --> 00:56:12.470
some IT support in the evening. And at
some point, we tried to merge our results.
00:56:12.470 --> 00:56:17.297
So we exported the results from one
computer to move them to the other one.
00:56:17.297 --> 00:56:22.377
However, the import failed, because, there
is some artificial limitation in the
00:56:22.377 --> 00:56:27.616
software. So, as soon as your export files
are larger than 10 megabytes, they cannot
00:56:27.616 --> 00:56:33.667
be imported anymore. So this happens quite
quickly, when you have a few hundreds of
00:56:33.667 --> 00:56:38.479
votes, of a few hundred ballots and then
the import doesn't work anymore. And I had
00:56:38.479 --> 00:56:42.106
a look at this file, and that was just a
JSON file with a lot of whitespace. So, I
00:56:42.106 --> 00:56:46.750
copied all this stuff to my computer to
fix this. And there was also later on, a
00:56:46.750 --> 00:56:51.251
software fix that was published by the
software vendor. However, then I had the
00:56:51.251 --> 00:56:56.466
software on my computer, just because I
wanted to fix this election. And it was
00:56:56.466 --> 00:57:00.328
very late at night. And I returned home
and I noticed, oh, I still have that
00:57:00.328 --> 00:57:06.867
software on my computer. Let's have a look
at this. So, yeah, it was just by chance.
00:57:06.867 --> 00:57:11.943
So, I tried to fix something, got all the
software on my PC and then I had it ready
00:57:11.943 --> 00:57:18.028
to analyze even with some data on that, so
that I really knew how this works in
00:57:18.028 --> 00:57:23.840
practice. And yes, but if someone would
try to gain access to that software,
00:57:23.840 --> 00:57:28.945
that's quite simple, because they could
just restore the deleted data from one of
00:57:28.945 --> 00:57:33.268
the computers that are in the schools.
Perhaps, someone doesn't even delete the
00:57:33.268 --> 00:57:38.382
election software from their computers, in
your school, or some person could just
00:57:38.382 --> 00:57:43.292
steal one of the USB sticks, that have
been used for installation. So, I don't
00:57:43.292 --> 00:57:53.591
even think, that would be noticed then.
M: Interesting, indeed, you mentioned in
00:57:53.591 --> 00:57:58.920
your talk, that the software is certified
by the BSI, that they claim to be
00:57:58.920 --> 00:58:02.673
certified by the Open Web Application
Security project, but how could such a
00:58:02.673 --> 00:58:07.901
broken system be certified by both
parties in the first place? And what's
00:58:07.901 --> 00:58:12.119
wrong with the certification process? Yes,
this obviously happened. I mean, like, why
00:58:12.119 --> 00:58:19.219
not use a certified. What do we do
certified in the first place, if it gets
00:58:19.219 --> 00:58:24.377
certified, even if it's broken?
T: I think the first point about this is,
00:58:24.377 --> 00:58:28.158
that we already mentioned in the talk,
that there are no legal requirements. You
00:58:28.158 --> 00:58:32.700
don't need any certification, that this
software can be used in our voting, in our
00:58:32.700 --> 00:58:38.233
elections here in Germany or in most parts
of Germany. And additionally, this
00:58:38.233 --> 00:58:46.323
screenshot we show with OWASP and the BSI
was just the promotion of the AKDB for
00:58:46.323 --> 00:58:52.179
their software, but I think there was no
real certification attached. So, we don't
00:58:52.179 --> 00:58:57.930
know if the BSI ever saw this software for
real or if they just put it on there and said,
00:58:57.930 --> 00:59:02.728
yeah, BSI certificate certified or with
the BSI standards in mind, like they
00:59:02.728 --> 00:59:07.234
already have the IT Grundschutz
and they maybe tried to implement, after
00:59:07.234 --> 00:59:15.093
this system architecture. But the BSI
never checked on it. So, I don't think
00:59:15.093 --> 00:59:18.818
there's any real certification for the
software.
00:59:18.818 --> 00:59:23.035
J: So, just to add a few details here,
that's not really a certification, that
00:59:23.035 --> 00:59:28.555
they just said that they follow the BSI
and OWASP guidelines. I think, that was
00:59:28.555 --> 00:59:32.653
also the wording that was used on the
website. So, there's no real certification
00:59:32.653 --> 00:59:39.494
behind that, so far.
M: Thank you for the answer. Do you know
00:59:39.494 --> 00:59:46.197
by chance, how the municipalities
published the election results?
00:59:46.197 --> 00:59:53.581
J: Well, I don't know in detail how it
works. So, when we handed in our election
00:59:53.581 --> 00:59:59.802
results, they got uploaded onto some other
software. And that's also the end that
00:59:59.802 --> 01:00:05.692
I've seen. So they end up in the computer
system and they are electronically
01:00:05.692 --> 01:00:10.348
transmitted. And that, first of all, it
generates a preliminary file. And finally,
01:00:10.348 --> 01:00:15.767
that's a final result generated by it.
However, I don't really know how this
01:00:15.767 --> 01:00:20.243
works, but the election results that were
generated, with OK.VOTE are definitely
01:00:20.243 --> 01:00:28.562
going into the final result. So, perhaps
there's also some paper based protocol
01:00:28.562 --> 01:00:33.330
between them. I don't really know if
they're using the data that's in the
01:00:33.330 --> 01:00:38.126
computer or the data that is on the paper.
But, however, it doesn't change very much
01:00:38.126 --> 01:00:46.112
here.
M: OK, on. Coming over here a bit, the
01:00:46.112 --> 01:00:50.830
last question would be: What, in your
experience, how practical and expensive
01:00:50.830 --> 01:00:55.964
are hand recounts here and did you observe
these?
01:00:55.964 --> 01:01:01.039
T: I think, this is very different from
election to election and from city to
01:01:01.039 --> 01:01:07.167
city, if this is a rather small town, you
could probably easily reelect all this or
01:01:07.167 --> 01:01:13.473
all the votes and recount the votes. But,
if this is a big city like Munich, for
01:01:13.473 --> 01:01:20.911
example, with millions of votes, and you
would have to recount this, this would
01:01:20.911 --> 01:01:26.076
particularly delay the voting or the
results pretty much. And this could have
01:01:26.076 --> 01:01:31.071
really bad influences, if this would
happen. That software has shown that kind
01:01:31.071 --> 01:01:36.890
of manipulation has happened and they had
to recount all the stuff by hand again.
01:01:36.890 --> 01:01:42.242
J: So, counting this by hand is, indeed,
very, very effortful, because they have
01:01:42.242 --> 01:01:48.703
like 70 votes per ballot. And even summing
up all that is still error prone, if it's
01:01:48.703 --> 01:01:54.660
done by hand. So, it's difficult to do
that. And up to my knowledge, it's not
01:01:54.660 --> 01:02:00.854
generally recounted after the election.
So, I try to find something in the
01:02:00.854 --> 01:02:07.384
Internet regarding that. And I just found
some PDF, that they said, well, it's not
01:02:07.384 --> 01:02:15.467
feasible to recount all the election
results and all the ballots. So, that's
01:02:15.467 --> 01:02:21.781
just rather do a meta level check on: is
the protocol complete? How about the
01:02:21.781 --> 01:02:26.894
special ballots, that were not really
clear and so on? But it's not like, every
01:02:26.894 --> 01:02:31.733
ballot will be recounted, as far as I
understand.
01:02:31.733 --> 01:02:37.880
M: OK. Oh, thank you very much Tobias and
Johannes for answering all the questions.
01:02:37.880 --> 01:02:41.683
Thank you again for your talk.
J: Thank you.
01:02:41.683 --> 01:02:42.403
M: Thank you.
01:02:42.403 --> 01:03:10.210
rC3 postroll music
01:03:10.210 --> 01:03:22.140
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!