Hacking Germany's Vote Counting Software Was ‘Trivial,’ Researchers Warn
A group of researchers found that the software to count votes was a “total disaster.“
Hackers could have manipulated the results of the upcoming election in Germany by using "trivial" attacks against a program used to count and transmit voting results, researchers warned on Thursday.
White hat hackers from the Chaos Computer Club (CCC), a well-known hacking organization in Germany, claim to have found a series of serious vulnerabilities in PC-Wahl 10, software used by German authorities to count and transmit voting results. The researchers said their attacks show the software is in a "sad state" and that malicious hackers could have compromised it with "one click."
Read more: Online Voting Is a Terrible Idea
"The amount of vulnerabilities and their severity exceeded our worst expectations," Linus Neumann, one of the researchers who conducted the study, said in a press release.
The good news, however, is that the researchers believe it would have been hard for malicious hackers to get away with such attacks during the upcoming German election on September 24 without anyone noticing.
"Technically, manipulation would be possible in several ways, but it is unlikely that manipulation would remain undetected," Thorsten Schröder, another researcher involved in the study, wrote in an op-ed for the magazine Der Spiegel.
"The amount of vulnerabilities and their severity exceeded our worst expectations."
In theory, hackers could have hacked the servers used to transmit updates to PC-Wahl, pushing malware and changing vote results, as the researchers explain in a 20-page paper—a "total disaster," as Schröder put it on Twitter.
Among the vulnerabilities found: The software wasn't programmed to verify the integrity of the updates received from the servers, the voting data wasn't transmitted over secure connections, and some servers were programmed with default or easy-to-guess credentials such as "guest" and "test," allowing anyone to upload files to them, according to the researchers.
After researchers shared their findings, the makers of PC-Wahl have fixed some of these vulnerabilities, according to the researchers. Vote IT GmbH, the company that produces PC-Wahl, did not immediately respond to a request for comment.
"A brute manipulation of election results should be harder now," the researchers concluded.
Some problems, however, aren't fixed yet, Schröder told Motherboard.
"The past days, they rolled out a number of attempted, but ineffective fixes" he said in an online chat. "They built updates, we broke that, they built new updates, we did not even need to change anything, and so on."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.