In a recent release, German hacker association Chaos Computer Club (CCC) claimed that the PC-Wahl version 10 software, used in Germany during elections to count and distribute voting results, contains serious vulnerabilities. The group said that the attackers can secretly modify vote totals before they are reported to electoral officers. The CCC said, “The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake.” Germany is due for its parliamentary elections on September 24.
According to the press release, CCC found that the PC-Wahl software does not adhere to even basic principles of IT security. The entire voting system can be compromised in a single click due to a broken software update mechanism. Also, insufficient security measures on the update server allow the hackers to gain control over the attacked server and distribute harmful updates to its users. CCC published proof-of-concept attack tools including source code on GitHub to support their claim.
The CCC spokesperson Linus Neumann, said, “The amount of vulnerabilities and their severity exceeded our worst expectations. A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one.”
Reportedly, some of the vulnerabilities are being fixed after the CCC’s report.
