Hackers have disclosed how to hack the German voting software to tamper with votes and alter the outcome of an election.
Yes, election hacking is no theory—it is happening.
A team of researchers from German hacking group Chaos Computer Club (CCC) has discovered several critical vulnerabilities in PC-Wahl—software used to capture, tabulate and transfer the votes from local polling centres to the state level during all parliamentary elections for decades.
According to the CCC analysis, vulnerabilities could lead to multiple practicable attack scenarios that eventually allow malicious agents in the electoral office to change total vote counts.
Critical Flaws Found In German Voting-Software
The hacker collective found that the automatic software update module of PC-Wahl downloads packages over insecure HTTP connection and does not perform any integrity check using digital signatures.
Moreover, the software uses an older encryption method with a single secret key hard-coded in the software, rather than asymmetrical encryption that offers better security by design.
The Software includes an FTP module that sends the voting results to a central password-protected FTP server, but the researchers believe the password for data sharing has been shared among electoral staff.
"The same access data has always been used for various polling stations and constituencies in Hesse for many years so that an attacker has been able to manipulate the results of all municipalities simultaneously and centrally," the research paper [PDF] (translated) reads.The group has published the proof-of-concept attack tools against the PC-Wahl software with source codes on GitHub.
Software Company Denied Vulnerability Report
According to the German Spiegel magazine, the manufacturer of PC-Wahl had denied the allegations that its software was vulnerable to cyber attacks.
The CCC hacking collective has urged the German government and election commission to take necessary actions to tackle the issues in the election software in order to protect the September 24 election that the group fear could be subject to interference.
In response, German Federal Election Director Dieter Sarreither said he was familiar with the issues discovered by the CCC and had asked state officials and the software company to take necessary steps to address them, Reuters reported.
German federal cyber protection agency, BSI, said the agency had worked closely with election officials and the software manufacturer to improve the security of election results.
"In the future, only information technology based on BSI-certified software should be used for election processes," says BSI chief Arne Schoenbohm.Hacking voting machine is not a new thing. Two months ago, several hackers managed to hack into multiple US voting machines in a short period—in some cases, within minutes—at Def Con.
Election hacking has become a major debate following the 2016 US presidential election, where it was reported that Russian hackers managed to access United States voting machines in 39 states in the run-up to the election. However, there is no evidence yet to justify the claims.
