rC3 preroll music
Herald: Now, our next talk is Hacking German elections, insecure electronic voting count, vote counting, how it returned and why you don't even know about it. For the Germans listening here, did you notice that in Germany, voting became more electronic recently? In case you're out of Germany: I do live in Germany and I did not notice that myself. However, both of our speakers volunteered as election workers in Germany and research on the topic of security for elections. And they promised to tell us how this can be, how elections can be made more secure again. Our speakers are Tobias, he is an IT-Security researcher focusing on offensive security, automotive security and capture the flag challenges, and Johannes, he's a post-doctoral IT-Security researcher, and both work together at the Fraunhofer AISEC Institute. Enjoy the talk.
Silence
Johannes: Hello and welcome to our presentation on Hacking German Elections: Insecure electronic vote counting, how it returned and why you don't even know about it. My name is Johannes Obermaier.
Tobias: And I am Tobias Madl. We are both very much involved in elections in Bavaria because we're election workers and offer support here in Germany.
J: And we are offensive IT-Security researchers.
T: First of all, we want to talk about the scope we are presenting today. We got our information and the software from today, from the municipal elections in Bavaria happening in early 2020. And it was a computer based vote counting technology. So we were very concerned when we interacted with it. And in the end, we featured the question: are elections still secure? Next, I present the outline we are talking about today. First of all, we are looking at the electronic vote counting system. Next, we identified some conceptual and practical issues with this technology. Afterwards, we also inspected the software and found some insecurities. And in the end, we have a summary and conclude our presentation.
J: To understand why we need electronic vote counting, let's just have a look at the voting ballot. This voting ballot is in its paper form about one meter wide and 50 centimeters high. So, that's quite a large ballot, that's a lot of candidates. Let's just sum up the facts. So, we have a total of 599 candidates that are spread out over nine parties. Each citizen is allowed to cast up to 70 votes in this election. So, that sounds simple, but it gets even more complicated now, because you can cast up to three votes per candidate and you can even choose multiple candidates of different parties up to your 70 votes. And even if you decide to vote for a single party, you can still strike out candidates that you personally don't like, so they don't get any votes from your ballot. That means this voting system gives a lot of power to the citizens, and voting is fun.

However, counting out those ballots is very difficult because you need to know a lot of special rules in this voting system to really count each ballot correctly. That's the reason that a software such as OK.VOTE has been developed. OK.VOTE is a typical software for elections that's also used in the polling stations for vote counting. So, OK.VOTE has a quite large market share. They say they have like 75% in Germany. So that software is used in several states. OK.VOTE has several different modules, for organizing elections, for example. But what we now have a look at in this talk is only the vote counting module of OK.VOTE, where the election workers insert each paper ballot and manually type in all the votes on each ballot, and then they are stored in the computer system. So, the task of OK.VOTE is to process each ballot, to count the votes, to find out if the ballot is correct, then it stores all the ballots into its database and finally it does some magic and computes the final result. So, this sounds quite similar to what a voting machine does. But wait a moment. Voting machines, in my Germany?
T: Wait, that's illegal.
J: Is it really illegal? Let's have a look at the legal regulations about it. So, yes, in 2009, there was an important decision by the German federal constitutional court and they said that the use of voting computers in the 2005 Bundestag election was unconstitutional, because, for example, the voting computers were not transparent enough. So, that is very similar to what we have also found for the municipal elections. But wait, we are here talking about the Bundestag election. But this is the municipal election and we have different rules for the municipal elections. For example, there is the GLKrWO, that's the Gemeinde- und Landkreiswahlordnung Bayern, which basically translates to the Bavarian municipal election rules. And those rules say that we are indeed not allowed to use a computer for voting, but computers can be used for vote counting. So, in this situation, I would expect that we have some sort of security requirements there in those regulations. But I tried to find them. And I was really surprised. There are exactly zero.
T: So, if there are no legal requirements, are there at least any software side requirements or certifications for OK.VOTE which promise some security?
J: Yes, there are. So, I had a look at the website and I saw this nice little paragraph here. And it says, "Elections with security", and during the development of OK.VOTE, they put the highest emphasis on the topic security. They follow the BSI and OWASP recommendations on security, and they have a certified data center with very high security standards.
T: And what does this look like in practice?
J: Oh, I would rather not show you this here. It's really scary. This is what I have seen here when I walked into the election room. This is not a stock photo. I took this photo myself and this is the reality. So, I walked up to the guys and said, well, shall we really use these computers to count out the elections, and they said, yes, those are the computers that are available here. So, I prayed to God that for some reason it does not work out. And Windows XP did not disappoint me, because when I tried to start the software, it failed, because those are 32 bit systems and OK.VOTE needs 64 bits. So, yeah, that was great. So, we did not use that Windows XP machine. Instead we had to search for another machine and came across this one here. That's a Windows 10 machine. That's fine. However, it has an outdated virus scanner. So, well, it's better than nothing. So, this machine was used instead then. But let's just keep in mind what they are promising us: election security. We really doubt that.

Let's now look at the IT environment and why it came to that situation. So, first of all, this is not fully the fault of OK.VOTE, because it's the task of the local administration to provide hardware for vote counting, and AKDB, the vendors of OK.VOTE, say that they recommend using secure administration computers. That's fine so far, but we simply don't have enough secure administration computers for that purpose. So, for example, in the town where I'm from, we needed around 8 computers to count out this election and we simply did not have enough in the town hall. And what's even more, the election room was in a school and there are already school PCs available there. So, they were just using the school PCs. And those were even elementary school computers. So, I'm not really sure if all the pupils know which link they are allowed to click and which one they should rather not click on. So, these systems might be insecure, there might be malware within, and it's even possible that someone had manipulated them in advance; we cannot really exclude that. However, I don't want to blame the administration here because they did a great job in organizing this election. It's really much to do for them and they did really well. So, everything worked out well in the end. However, they are no IT-Security specialists and we cannot demand from them that they know each detail on how to set up a system correctly and what the risks are that are associated with insecure computer systems in elections. That's just not their job. So, however, we still ended up with untrustworthy systems here, because, as we have seen before, there are no legal regulations against it. Now, let's see how we create a digital result.
T: Exactly. So, we went to our voting places. We were presented with, each one got a PC, and we got the ballot stack we had to count and then enter the results. So, Johannes is Team 2 and I was Team 1 and we started entering the ballots in the PC. And from this on, they were digitized, Team 1 in green and Team 2 in blue.
J: As soon as I was finished entering my ballots, I put them on a USB drive and handed them over to Team 1.
T: Exactly. I imported these votes, because I was the master machine at this time, and the OK.VOTE software then finalised these voting elections and exported their results finally again on a USB stick. And these were then delivered on for further processing.
J: What is the problem with all that? First of all, there's a lot of intransparency. So, for example, the software that is being used for vote counting, OK.VOTE, it's not an open source software. It's closed source and nobody was able to analyze this yet. And since this is closed source software, it is also very hard to understand how the software works and if it really counts correctly, because in the end we have hundreds of ballots there and it's really difficult to tell if they have indeed been counted correctly. And although we have seen this before, there is no basis for a secure vote counting if we have a possibly rigged computer system. So, we cannot exclude that someone has manipulated them pre-election. If there is some manipulation, this would hardly be detectable by a standard election worker. So, this means that the entire election process becomes very intransparent and hard to understand for a person who just wants to observe the election. And that is strictly against the idea of a public counting of votes.
T: So, now let's talk about the step that happens after we finish counting in each of the teams.
J: So, what do you do after you have exported the final election results? How do they come to the central administration?
T: Yeah, I just entered my vehicle, took the USB sticks in my pocket and drove to the master PC. But, as you maybe know, Election Day is always a very busy day and maybe some teams are slower at counting, some teams are faster. So, the master team doesn't know when these USB sticks arrive, if they take two or three hours or half an hour, they don't really know. So, I could just go and grab something to eat on my way. Or I can manipulate the vote. I mean, deliver the votes. And yeah, in the end, one day, when I arrive at the master PC, I just give them my USB stick, they enter it and they take the data that is stored on there and nothing else. And afterwards, they just upload the final results on the page.
J: Now you might think, why is it possible for him to manipulate election results? Because there's no authenticity. There's only integrity protection of the file that he is transporting, so some CRC32 and a SHA hash, but nothing like a cryptographic signature. So, even if he alters the data, he can just regenerate all the integrity protection data and the data will just be accepted. So, the main issue here is also that this is one of the few spots where only a single person has unsupervised access to the data during transport of the voting data at all. And that makes manipulations possible and easily feasible in this case. And that should not be the case, especially in an electronically supported election. Now, let's have a look at the vote counting software itself, because there we found even more interesting results.
T: Exactly. Let's begin with the system architecture. First of all, this is the local or decentralized version of the software system. So all this is taking place on the local host, on the machine we encountered in the lecture rooms, and on these machines there was an Apache Tomcat web server running, which was connected to a MariaDB, and the user was interacting with the voting system via a portable Firefox. And as AKDB said before, they were very concerned with security. So, let's think about what attackers they had in mind when they designed the system and from which the system is to protect. Is it the user that maybe attacks the system, the vote count system, which is normally just election workers that are there in their free time to help executing the election, or are they having network attackers in mind that come from completely different places and try to manipulate the network from outside?

First of all, we took the user as one of the possible attackers. And even in this environment, we found some really broken stuff. First of all a broken access control. But what's it all about? Well, that's the login page when we just logged in to our voting system and clicked on the administration page, where we can change our password and edit our profile. These are the buttons on the left. And as you can see, we are clearly logged in as the user42. And there is nothing more to do than select which counting part we want to do, the general regional vote or the municipal votes. And that's all we can do on this page. Now let's switch to the system administrator. There we have the admin account, as you can see on the upper left side, where we can now do very much more than the normal user. We are again on the administration page, but now we have the user administration where we can create or delete users. We have the reopen or close voting mechanisms. We have imports, we have exports and also, what's not included in the screenshots, submenus like deleting finalized results and so on. So, we picked out two very interesting URLs for you. First of all, we are taking the "Bezirk wieder eröffnen", which translates just to reopen the election after the election has closed normally. It's normally finalized, so no more votes can be entered in the system. And the other link is "Löschen". So that translates to delete data, which then in the end deletes all the data from the machine. So, no more private or secure data is stored on there. And this is what they look like when we only open them. On the left side we see the reopen dialog. On the right side, we see the data delete. But wait, this is not the admin view, this is the user view. So, they did not check if this user is even allowed. And we also have to say that this is not just the view of it, it is fully working and is completely functional when you just go through the process of deleting or reopening an election.
Alarm sound
J: What's the problem with that?
T: Yeah, as you maybe already guessed, reopening elections could create a probability of sneaking in some additional votes for the candidate I favor, and additionally, if I want to mess with all of the voting, I could just delete all the election data and we would have to start from the beginning and completely delay or deny the voting.
J: But why is this even possible?
T: Yeah, we found out that this is their access control check in their software. This function is called getZugriffRollen, which translates to get access roles. So normally there would also be the software in place to check if this role is allowed to access this kind of site. But they just returned null and did not implement it. And that's also nice work to implement access control. However, I think we can propose some mechanisms that could have prevented this. First of all, hidden information is nothing you could rely on. If you just don't show where you can click to get to this URL or to this page, that's not really secret, because maybe you find some leaked source code or you do some shoulder surfing at an admin or you just by accident type in the wrong URL and get to this hidden information. Or you, exactly, use software scanners to find something hidden. So hidden data is just not secure. And on the other hand, you should finalize your implementation of access control to have access control and even test it once to be sure that it works. So in the end we can conclude that hidden data is not protected data.
T: Let's now come to another type of attacks: cross-site attacks. A cross-site attack is some sort of interference between two websites, where one website, for example, tries to do something on behalf of the other. The goal is often to deceive the user or to trigger manipulations. First of all, we were quite sure that they had thought of cross-site attacks, because during our testing we saw that they included some HTTP headers that target a wide range of attack vectors that use cross-site scripting attacks. For example, here we have X-Frame-Options: same origin. That means that other pages cannot include the voting software into their own frames and so on. And also cross-site scripting protection is enabled via X-XSS-Protection. So this looks quite good, because this already excludes several attack vectors. But how about cross-site request forgery? When we first tested this, we found out that the vote counting system is not fully protected against it.

What is cross-site request forgery? So in the first step, the election worker uses the integrated Firefox browser to access a malicious website. So the user is triggered to visit this website. For example, someone sent him a link and triggered him to click on the link by the promise, for example, of a cute animal picture or something of that sort. And then the user visits this website. And this website contains form fields that resemble the form fields of the actual vote counting software. And the malicious website now triggers your browser to submit this form data, not to the original website, but rather to the vote counting software. And as soon as it reaches the Tomcat web server, the web server is confused, because the web server cannot discern the input from the cross-site attack from the malicious website from original user input. And then the Apache Tomcat server just thinks that this is original user input and will process it. And that's called a cross-site request forgery attack. So we saw that there is sometimes a protection against this sort of attacks. But many pages are not protected against it. And that is very concerning, because that's a 2001's vulnerability. It's almost 20 years old now and it's still present in such a software. So this is quite unsettling here.

Now, let's sum this up, what we can do with it. So, first of all, the issue is that they have missing CSRF tokens or any other good countermeasure against cross-site request forgery attacks. And the second point here is that only minimal user interaction is required. The user often doesn't even see that a cross-site request forgery attack is currently being executed on his behalf. So it's almost undetectable by the user. And it's very simple to trick a user into clicking a link. So the impact is very devastating, because we can now manipulate settings in the vote counting software. And we can even insert fake ballots here.
Alarm sound
T: So what's the result of this? What can we do with it?
J: Well, we can manipulate the entire election with this. Let's just use a demo on how we do this.
T: Nice.
J: We are already logged in to the vote counting system. Our username is admin321934. Now let's count some votes. As we can see here, these are all the ballots that we can enter. They are still empty since we haven't entered any ballots yet. So let's start. For simplicity, we just have two parties here. On the left hand side we have the good party, who wants the best for the people. On the right hand side we have the bad party, who wants to take power and is willing to even commit election fraud. Let us begin and enter the first paper ballot. The person has voted for the good party. So we enter this into the software. Now we save the ballot and go to the next one. Again, it's a vote for the good party. Let's enter it and save it and go to the third ballot. And again, it's for the good party. Let's save our third ballot. Now we go to the ballot overview and we look at what has happened. As you can see, we now have three ballots that have successfully been entered. Next, let's check the preliminary election results. As we can see here, we have a total of three ballots that have been entered into the system. That's correct. Three ballots contained votes for the good party. That's also correct. And zero votes have been given to the bad party. That's fine so far.

Next, I will show you what happens if I open a malicious website. This website will execute a CSRF attack and manipulate the election results. Let's just assume we want to take a break and simply browse Twitter. OK, here we are. There's a cute cat picture and there's a link to even more of them. Let's just play along and get tricked into clicking that link. Oh, look at all those cute animal pictures, look, a hungry rabbit, a monkey, a little hedgehog and two cute goats and so on, and when we are done browsing, we close those tabs again and return to our vote counting software. What we notice now is that our username has been altered and we just got pwned. We were tricked into visiting this malicious website. The website executed a CSRF attack on the vote counting software and did some manipulations. Let's see what else has changed. All three ballots are still there, but now we take a look at the preliminary election results. What you can see here is that the number of ballots that are in the system has been increased to eight. We now have five additional ballots that were not entered by us. As you can see, the good party still has three votes. That is what we have entered. But now the bad party has taken the lead. They have five votes now. This attack has indeed manipulated the election results. This is really bad, because we cannot even see those additional fake ballots that have been injected. However, we are lucky, because we noticed it since we expected this attack. But we won't notice it in every case.
T: But what happens if we don't notice?
J: Well, that happens. So, for this example, we just assume that team 1 had three ballots that they have entered into the computer system and team 2 has six ballots that have been entered into the computer system. Now team 1 visits a malicious website and five fake ballots are injected into the election results. In this case, the attacker is very smart and injects the ballots at the location where the team 2 ballots will be expected in the future. So what happens now is: team 2 exports their ballots and team 1 tries to import the ballots of team 2. And now the following thing happens: because there are already ballots present at the location where the team 2 ballots should go to, the import process is not fully successful and only a subset of the ballots are imported, so that the majority of the ballots, in this case five or six ballots, are just discarded, because they don't fit in the database anymore, because that location is already taken by the fake ballots. So usually we would expect that this generates an error message or at least a warning. But this does not happen. This is a silent failure of the software. And what's even worse is now that the sums finally are correct. So that means we now have nine ballots present in the system and nine paper ballots that were initially available. So this looks like we have entered all the ballots and everything seems to be fine. So we will now close the election and generate the final result. And that is what happens now. As you can see, we have only four votes for the good party, but five votes for the bad party. So the bad party has won the election by manipulating the voting system, using this CSRF attack. And that should never be possible, because this is not what we expect from a voting software. And in this case, the result is rigged. So have we thought about network vulnerabilities?
T: Yeah, sure, that's exactly the other side of the coin. First, we checked the election worker side for attacks, but now we checked the network side and scanned and analyzed the system at first. And then it looked like this: open ports everywhere. And as you can see, they fully exposed the Apache Tomcat and the MariaDB to each available network on the system. And with this, we thought, well, let's maybe try some newly discovered vulnerability, which was recently found in 2020, called Ghostcat. And Ghostcat is an attack against the AJP protocol from Apache. But let's check the Apache system and how it's built. First, Apache has a web root which serves static resources and HTML or JSP files. And additionally, it can include class files or class servlets which are combined with these JSPs or HTML files and then served to the user. So we prepared our ajpShooter with the URL of the application, the port and the file we want to read. In our case, it's a PrivateTest class file, because what could we leak about this, but we'll see. And then we said we only want to read it, because there would even be the possibility to evaluate it and execute the code in it. So we've done this attack and TADA, we've got a result. This is the byte code of the PrivateTest class. So let's just drop this byte code in our cup of coffee and maybe we can pull out some source code from it. And yeah, that's what we've read out, because why not: just test your encryption mechanism with the string. But this is not a common string, as we later found out. This is the real root productive password of the MariaDB. And this was like:
Alarm sound
So what's the problem? As you maybe clearly see with this attack, we could leak out the login of the MariaDB and probably even more logins or passwords. And additionally, we could leak the whole source code over the network without ever accessing the PC in the election room. And this was only possible because they completely exposed all machines and applications to the network, and this should never be the case. So in result: how can this be prevented? First, you should never expose these unneeded ports to the internet, because they don't even use the AJP proxy in their application, but just left it on the 0.0.0.0 interface. Next is: you should keep your software up to date, so that if some vulnerabilities were found, you should not be vulnerable to them. And last but not least: never use productive passwords in your unit tests, because that's not the best idea to do. In the end, to sum it up: avoid at all costs any additional attack surface to prevent these kinds of attacks, even if you don't know about them yet.
J: So, after Tobi has shown us a lot of interesting and patchy stuff, I tested the database for its security. For the first analysis, I was just starting with the same PC where also the software was installed, and I tried to gain access to the database. So it was coming from the host localhost. I tried to use the username root and then I saw that I am asked for a password before I'm allowed to connect to the database. However, finding the password was quite trivial to do, because all the stuff I needed to know for that was included in that last file and I was able to decrypt the password without any issue here. And at that moment I realized that also the password that Tobi has shown us before, that he found with the Ghostcat vulnerability, is indeed the MySQL root password here. So after I had access to the MySQL system, I tried to dump the user table to look which users are allowed to access the database. And that is how the user table looks. We have four times the user root, and the user root requires a password if I'm coming from localhost. But wait a moment. Here we also have the host pci90309. And as you can see here, there is no MySQL password statement. That means that someone coming from host pci90309 is almost allowed to connect as root and does not even need to provide any password for that. And that's really strange.
Alarm sound
T: So what could happen from this?
J: Well, now someone on the network can just launch voting manipulation. That's quite trivial, because as soon as I set my host to the correct hostname, I get full access to the database where all my local voting results are stored. And since I'm root, I can interfere with them. I can change them however I want to. And this vulnerability is so damn weird and trivial, it takes me no effort to do this at all. And so we won't even go into a demo here, because it's so stupidly simple in this case. Usually I would say that's enough for today, because we already have full access to the voting system and can change whatever we want to. However, this time we decided to go deeper, because we saw pci90309 is a real door opener. So we have access to the voting results. We can change them, but we still don't have access to the entire voting system. So what about the PC? Might it be possible, with that root access to the database server, to gain remote code execution on that machine?

So for this experiment, I used the following setup. On the right hand side we have a voting system with the exposed MariaDB database server. On the left hand side, that's my system. I named myself pci90309, just because I can do it, and I establish a connection to the MariaDB server. I use root as a username. I don't need any password. And it is immediately accepted. So now that I am connected, I'm allowed to issue commands. For example, I can now instruct MariaDB to enable one of its plugins. This plugin is called ha_connect. It's one of the plugins that usually come directly with MariaDB. And this is a very powerful MySQL storage driver. So now I will show you what I can do with that storage driver. Next, I will create a table that's called pwn. And I'm using the ha_connect storage driver and instruct the storage driver to create a file that's called pwn.dll and to place it right into that plugin folder. There is nothing that stops me from doing so. So that is one of the special features of the ha_connect storage driver, that I can just say, this table is mapped to that file in the file system. However, this file is still empty, because the table is empty. But since this is a database, I can now just issue INSERT INTO statements and load whatever data I want to, for example some malicious DLL. I can just load it into the table via that INSERT INTO statement, and then it is directly written into our malicious DLL "pwn.dll". OK, so next, after I've finished writing, I will instruct MariaDB to enable this plugin that I have just uploaded. And enabling a plugin means that we are executing the code that is stored in this DLL file. So that means we have remote code execution.
Alarm sound
T: I don't even ask what you can do with remote code execution.
J: Well, I can do anything. So that means I have full control over the entire vote counting system. So I'm not only talking about the data in the database, I'm talking about the entire computer that I can now fully control and manipulate however I want to. And that's possible only by using the voting software and accessing it over the network interfaces that it had exposed. And now I'll show you how simple it is to execute an arbitrary program on the system.
T: This is the vote counting computer
-
system. To begin, let's start the vote
counting software. Now, the Apache Tomcat
-
Web server and the MariaDB database server
are being launched. Finally, Firefox
-
Portable is started. The system is now
ready for operation. But beware, the
-
attacker becomes active, his host name is
the infamous pci90309. Immediately it
-
launches the Python attack script
"fun.py". It connects to the MariaDB
-
server as root without a password and
uploads a malicious DLL plugin. When the
-
upload has been finished, the malicious
plugin is executed. As we can see, the
-
calculator was started, thus remote code
execution was successful. The vote
-
counting computer system is now under
control of the attacker.
-
J: After we had found such devastating
issues with the vote counting software, we
-
immediately notified the vendor AKDB.
T: And they were very professional about
-
it and responded very quickly to our
initial emails. So we really like working
-
together with them and telling them our
results and they were always
-
positive about it. So they also
recommended some fixes.
-
J: So, for example, they told us, you
should only use that voting software in a
-
secure environment like in an
administrational network. However, we
-
don't really believe that this is a good
solution.
-
T: Exactly. And we are not very happy
about this proposal, because we have two
-
problems that still arise, even if it's in
a secure environment. First of all, an
-
administrative PC could still be infected
with some malware or it could be
-
manipulated before the election takes
place. And on the other hand, we have
-
this bug with the broken access control,
you remember. And even if you would have
-
been in the secure environment, this bug
would have totally worked and you
-
could have completely deleted all data
or reopened elections or something
-
like this.
J: But we are still quite happy that they
-
took us seriously, because they even have
announced updates. So, for example, they
-
wrote us that they are planning on adding
XSRF tokens for the pages where we found
-
cross-site vulnerabilities. So that's
already a good step into the right
-
direction. So now let's summarize what we
have presented today. So first of all, we
-
discovered several problematic aspects
in the concept and its practical
-
implementation. So, first of all, the
entire voting system, it's running on
-
untrustworthy computer systems. So it
could have been manipulated beforehand.
-
They could have malware on them or they
just could not function correctly. So
-
that's already very problematic from the
beginning, because we have no underlying
-
trust that we can put into those systems
and we are using them to count out our
-
votes, to count out the entire election.
So what's even more is that, even if the
-
software and the PC that lies behind it
are secure, it still does not have
-
enough transparency. It's very hard to
understand what the software is exactly
-
doing and how it is doing this. So, I
cannot really understand how it comes
-
to its result. Please keep in mind, that
we have almost 600 candidates and several
-
hundreds of ballots that have all to be
input into that computer system and then
-
some magic happens and it spits out its
result. So, then we just have to take this
-
result, because it's just impossible to
check, if really each vote has been
-
counted correctly or whether anything
strange has happened or any manipulation
-
took place.
T: And this is also possible, because we
-
found lots of vulnerable software and not
just the system security was affected, but
-
it was also absolutely possible to
manipulate the whole election from very
-
many parts in the network. And this leads
us to conclude that these elections are at
-
a high risk with this technology.
J: So, and that is the reason that we want
-
you as an election worker. The more eyes are
looking at the election, the more secure
-
it becomes. And if you are interested in
becoming an election worker, just get into
-
contact with the local administration.
They are always very happy to have
-
volunteers, who want to take part as
election workers. And from my personal
-
experience, I've been doing this for several
years now. It's also a lot of fun. You get
-
into contact with a lot of people. So I
enjoyed this a lot and I can just
-
recommend it, and this is a good way how
every one of us can support democracy
-
in their country.
T: So, to conclude our talk, we found out
-
that security in this technology is really
bad and that's not all of it.
-
J: So, this is just the tip of the
iceberg, because we look only at one of
-
the solutions that is available for vote
counting. And this was also in a special
-
configuration. So what is even more
difficult to see is, what happens behind
-
all the stuff we have seen today, because,
when we export the data and bring it to
-
the central administration and the data is
imported and uploaded, so where does all
-
this data go, where are all the results
from all this data from all the polling
-
stations summarized? We don't know
yet how this works. We don't have
-
the software, that we can analyze. So
there's still a lot of work that has to be
-
done here to really check the entire
system. We just took a look at a very
-
small portion and that is just the vote
counting software here.
-
T: Next, we were very shocked that this
information, that vote counting is already
-
shifted to software, is not publicly
known. And this is also why we created
-
this talk today, as this is information
that is crucial for democracy, that
-
there is already this software in use and
it is not really secure. So this was a big
-
thing for us to keep bringing it out to
the people.
-
J: So and one other thing is, everything
that we have seen today is entirely legal,
-
because at least in Bavaria, we don't have
any rules or any laws against the use of
-
insecure computer systems, of insecure
vote counting software. So, as we've seen
-
in the beginning, we only have very rough
legal guidelines that say, well, you can
-
just use computers for vote counting, but
we need stricter guidelines here, because
-
it cannot continue as we've seen it today
and in other states in Germany there is
-
sometimes something like, let's say,
guidelines or even certification process
-
for such digital software. But in most
states that I had a look at, there are no
-
rules at all, and that is nothing that should
continue in the next years that way.
-
T: Additionally, in the end, before any of
this software to electronically count the
-
votes should go live, unbiased tests should
be available for everyone to prove to
-
themselves that this software is secure
and this software is doing what it's
-
promising to us. Because it is directly
influencing our democracy. And if this
-
software is manipulated, it manipulates
our voting, our election and our
-
democracy. So in the end, we can just
leave you with two questions.
-
T: How much digital support is required?
J: And how much is tolerable?
-
No Audio
-
Herald: Thank you very much for the
interesting talk, Johannes and Tobias. And
-
thank you very much for your work on the
topic. I hope you do have time for a
-
little Q&A. We have quite a few questions,
actually.
-
J: Sure.
M: All right. So the first question from
-
the Internet is, is there any suspicion
that these vulnerabilities have been
-
actively used?
J: Well, it's very hard to tell. So, at
-
least for the town that I am from, I did
not notice any special occurrences there.
-
So, however, I don't have an overview of
entire Bavaria, so, that's quite hard to
-
tell. I think it's even impossible to
tell, if there were any manipulation so
-
far. So, unfortunately, we cannot say
that.
-
T: Additionally, we are just at one place
in this whole system. So we don't have an
-
overview, if there were any mismatching
numbers or any other influences that
-
happened, but that we didn't see at the
moment, because we were just at one
-
position in the system, at one station
of the election.
-
M: OK, thank you for the answer. Ah, do
you believe that it is possible to have a
-
digital ballot that is as secure and
trustworthy as physical or paper based
-
voting is?
J: Well, in my opinion, that's not
-
possible, if you want to have the same
sort of transparency that we have in the
-
paper based voting system, because, when
we have paper based voting, we can just go
-
into the voting room and watch what's
going on there. We can see the ballots
-
that are handed in, the ballots that come
out of the box. Then, they are counted,
-
and summed up. I can really try to find
out what's going on there. I can have a
-
look at that. Understand what people are
doing there, but at the moment, that we
-
have only a digital vote, I cannot really
find out, if the computer is doing the
-
right thing, if there were some
manipulations. So, in terms of
-
transparency, I don't think it is possible
in the same. Yeah, in the same way as the
-
paper based ballots, for example.
T: I would have to add to this: if there
-
were the possibility to get the same
traceability and visibility, so that you can
-
always see which results came from
which position, and if they are signed
-
very transparently, then it may be possible
in the future, but not with any kind of
-
software like the one we saw there.
M: All right. Thank you. Do you, by any
-
chance, know which states in Germany use
this software, OK.VOTE, so far?
-
T: We cannot directly say which states
actively use them, because we only took
-
part in elections here in Munich or
Bavaria. But, we can tell, that we found
-
many hints in the source code that
they were also used in, for example,
-
Hamburg, Bremen, Hessen or Rheinland-
Pfalz, but we don't know if they were
-
already used there or if it's planned to
be used there or whether they already used
-
them in the past elections and decided
against them for future ones. We don't
-
know about this, exactly.
M: OK, maybe we can stay for a second on
-
your job as an election worker. The
process of manually entering data into the
-
system, is there a process for this? Do
you have an idea on the risk of this part
-
here?
J: Yes. So, it's basically the thing, that
-
there are at least two or three people
sitting in front of each computer and then
-
they are entering each ballot. So people
are really cross checking that the ballot
-
has been entered correctly. So, it's like
one person has the ballot in front of him
-
or her and the other person reads the
votes and the other person types it in and
-
they are cross checking each other. So,
that there isn't any error when typing in
-
those election results in the computer.
M: All right. Thank you for the
-
elaboration. Someone is asking how the
system is connected to the Internet or some
-
other network, if the understanding of the
talk was correctly received by that
-
person. The results are written to some
physical medium which is then used to
-
transmit the results. So you send
something physically. So, why care about the
-
Windows version or what is running on
these machines? Is that a correct
-
understanding?
J: Well, the problem with that is, that it
-
depends on the local administration, how
they set up their computer systems. So, I
-
also read this in a chat here. Someone has
written, that they had their voting
-
software in a, yeah, in a very limited
network connectivity. So, the computer was
-
not connected to the Internet. However, it
depends very much on the administration and on
-
the computer network that is being used
there. So, it is entirely possible that
-
computers are connected to the Internet,
because there are no guidelines on how
-
these computers are allowed to be set up.
So, I cannot fully exclude this. So, and
-
if someone, for example, just enables the
wireless network or connects to some
-
unsecured hotspot, they are connected
then. So, it's hard to tell here, but
-
I would not exclude this possibility.
T: To extend this answer: we even tried to
-
find out if there's any software-side
protection that checks if any
-
internet connection is present and then
would deny this voting system. But there
-
wasn't, or at least we couldn't find one.
So even if the administration was not
-
advised that these PCs should be
disconnected from the network, there isn't
-
even a security mechanism in place that
would check this and stop it, or even show
-
a warning that this is connected and they
should be disconnected from the Internet
-
before the counting can begin.
M: Interesting. All right. We have one
-
message on the IRC, from someone who
worked with this particular piece of
-
software in demo mode by themselves,
obviously. And the question they have, is:
-
Did you notice the possibility to enter
negative votes for a candidate? So saying
-
minus two votes, for instance.
J: Well, that's difficult to tell. I
-
thought about whether this is possible, so
perhaps you might have to manipulate the
-
database directly. So I'm not entirely
sure. I'm not sure if I tried this out,
-
this one. But however, as soon as I
have database access,
-
it's entirely possible to manipulate
anything. So. Well, we could try this out
-
again. However, I don't think that changes
much in our result. So, yeah, that's
-
an interesting question. I cannot answer
this right now, so I'm not sure. Tobi,
-
have you tried out something like that?
T: We've tried manipulating some already
-
submitted votes, but I think, this was not
really possible. However, as you showed,
-
when you export the data and import into
the main PC, the votes that were already
-
in place, possibly by an attacker, would
then discard the newly imported votes. So,
-
this would probably replace this data and
these votes, but via the Web interface, I
-
think it was not possible. However, we
found enough vulnerabilities with
-
database access that you could do it by
this way, if you want to.
-
M: All right. Thank you for your
explanation. Out of pure curiosity, people
-
ask, how did you get access to the software
in the first place? To start your analysis?
-
J: Well, that's a good question here,
because there's a nice story behind that.
-
So, I was an election worker and I was
supporting setting up a system and doing
-
some IT support in the evening. And at
some point, we tried to merge our results.
-
So we exported the results from one
computer to move them to the other one.
-
However, the import failed, because, there
is some artificial limitation in the
-
software. So, as soon as your export files
are larger than 10 megabytes, they cannot
-
be imported anymore. So this happens quite
quickly, when you have a few hundreds of
-
votes, of a few hundred ballots, and then
the import doesn't work anymore. And I had
-
a look at this file, and that was just a
JSON file with a lot of whitespace. So, I
-
copied all this stuff to my computer to
fix this. And there was also later on, a
-
software fix that was published by the
software vendor. However, then I had the
-
software on my computer, just because I
wanted to fix this election. And it was
-
very late at night. And I returned home
and I noticed, oh, I still have that
-
software on my computer. Let's have a look
at this. So, yeah, it was just by chance.
-
So, I tried to fix something, got all the
software on my PC and then I had it ready
-
to analyze even with some data on that, so
that I really knew how this works in
-
practice. And yes, if someone would
try to gain access to that software,
-
that's quite simple, because they could
just restore the deleted data from one of
-
the computers that are in the schools.
Perhaps, someone doesn't even delete the
-
election software from their computers, in
your school, or some person could just
-
steal one of the USB sticks, that have
been used for installation. So, I don't
-
even think, that would be noticed then.
M: Interesting, indeed, you mentioned in
-
your talk, that the software is certified
by the BSI, that they claim to be
-
certified by the Open Web Application
Security Project, but how could such a
-
broken system be certified by both
parties in the first place? And what's
-
wrong with the certification process? Yes,
this obviously happened. I mean, like, why
-
not use a certified one? What do we
certify in the first place, if it gets
-
certified, even if it's broken?
T: I think the first point about this is,
-
that we already mentioned in the talk,
that there are no legal requirements. You
-
don't need any certification, that this
software can be used in our voting, in our
-
elections here in Germany or in most parts
of Germany. And additionally, this
-
screenshot we showed with OWASP and the BSI
was just the promotion of the AKDB for
-
their software, but I think there was no
real certification attached. So, we don't
-
know if the BSI ever saw this software for
real or if they just put it on there and said,
-
yeah, BSI certified, or with
the BSI standards in mind, like they
-
already have the IT-Grundschutz
and they maybe tried to implement
-
this system architecture after it. But the BSI
never checked on it. So, I don't think
-
there's any real certification for the
software.
-
J: So, just to add a few details here,
that's not really a certification, rather
-
they just said that they follow the BSI
and OWASP guidelines. I think, that was
-
also the wording that was used on the
website. So, there's no real certification
-
behind that, so far.
M: Thank you for the answer. Do you know
-
by chance, how the municipalities
published the election results?
-
J: Well, I don't know in detail how it
works. So, when we handed in our election
-
results, they got uploaded onto some other
software. And that's also the end that
-
I've seen. So they end up in the computer
system and they are electronically
-
transmitted. And first of all, it
generates a preliminary file. And finally,
-
there's a final result generated by it.
However, I don't really know how this
-
works, but the election results that were
generated, with OK.VOTE are definitely
-
going into the final result. So, perhaps
there's also some paper based protocol
-
between them. I don't really know if
they're using the data that's in the
-
computer or the data that is on the paper.
But, however, it doesn't change very much
-
here.
M: OK. Coming over here a bit, the
-
last question would be: In your
experience, how practical and expensive
-
are hand recounts here, and did you observe
these?
-
T: I think, this is very different from
election to election and from city to
-
city. If this is a rather small town, you
could probably easily recount all this or
-
all the votes and recount the votes. But,
if this is a big city like Munich, for
-
example, with millions of votes, and you
would have to recount this, this would
-
particularly delay the voting or the
results pretty much. And this could have
-
really bad influences, if this would
happen, that the software has shown some kind
-
of manipulation has happened and they had
to recount all the stuff by hand again.
-
J: So, counting this by hand is, indeed,
very, very effortful, because they have
-
like 70 votes per ballot. And even summing
up all that is still error prone, if it's
-
done by hand. So, it's difficult to do
that. And up to my knowledge, it's not
-
generally recounted after the election.
So, I try to find something in the
-
Internet regarding that. And I just found
some PDF, that they said, well, it's not
-
feasible to recount all the election
results and all the ballots. So, they
-
just rather do a meta-level check on: is
the protocol complete? How about the
-
special ballots, that were not really
clear and so on? But it's not like, every
-
ballot will be recounted, as far as I
understand.
-
M: OK. Oh, thank you very much Tobias and
Johannes for answering all the questions.
-
Thank you again for your talk.
J: Thank you.
-
M: Thank you.
-
rC3 postroll music
-
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!