Hackers warn of flaws in German election software weeks before vote


(CNN) A German hackers' collective has warned that software used to record and transmit voting tallies in many German states has "serious flaws" and is vulnerable to external attack just weeks before voters cast their ballots in federal elections.

Hackers from the Chaos Computer Club published an analysis of the PC-Wahl software package Thursday in which they reported finding a "host of problems and security holes" that even a moderately skilled hacker -- let alone a state-sponsored team -- could exploit.
"The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries," a CCC statement said.
The software in question has been used in Germany's national, state and municipal elections for decades, it added.
Linus Neumann, a CCC spokesman who was involved in the analysis, told CNN that "elementary principles" of IT security were ignored. "The amount of vulnerabilities and their severity exceeded our worst expectations," he said.
"A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one."
Germans head to the polls on September 24 to vote in a federal election. Chancellor Angela Merkel is running for her fourth term in office and polls show her Christian Democratic Union Party, or CDU, as the clear front-runner. Her chief rival is Martin Schulz, leader of the Social Democratic Party, or SPD.
The election is being closely watched after a series of upset results in votes last year.
Vote-IT, which provides the PC-Wahl software, hasn't yet responded to CNN's request for comment, but the government cybersecurity agency said the company is implementing some recommendations on improving the package.

Software 'possibly the worst'

Germany, a European powerhouse and one of America's staunchest allies, does not use voting machines, meaning all votes are cast on paper.
But PC-Wahl is one of a half-dozen software packages used countrywide to tally, aggregate and transmit the votes higher up the chain, another CCC spokesman, Frank Rieger, told CNN.
"From what we've seen, none of them is really great but the one that we analyzed is possibly the worst," he said of PC-Wahl. Hackers from CCC were able to take over a machine using the PC-Wahl software while vote tallying was taking place, he said.
Adding to the problem, Rieger said, is that Germany's localized electoral system means that it's almost impossible to know what software is used across each polling station, municipality, precinct and state.