A German hackers’ collective has warned that software used to record and transmit voting tallies in many German states has “serious flaws” and is vulnerable to external attack just weeks before voters cast their ballots in federal elections.
Hackers from the Chaos Computer Club published an analysis of the PC-Wahl software package Thursday in which they reported finding a “host of problems and security holes” that even a moderately skilled hacker – let alone a state-sponsored team – could exploit.
“The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries,” a CCC statement said.
The software in question has been used in Germany’s national, state and municipal elections for decades, it added.
Linus Neumann, a CCC spokesman who was involved in the analysis, told CNN that “elementary principles” of IT security were ignored. “The amount of vulnerabilities and their severity exceeded our worst expectations,” he said.
“A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one.”
Germans head to the polls on September 24 to vote in a federal election. Chancellor Angela Merkel is running for her fourth term in office and polls show her Christian Democratic Union Party, or CDU, as the clear front-runner. Her chief rival is Martin Schulz, leader of the Social Democratic Party, or SPD.
The election is being closely watched after a series of upset results in votes last year.
Vote-IT, which provides the PC-Wahl software, hasn’t yet responded to CNN’s request for comment, but the government cybersecurity agency said the company is implementing some recommendations on improving the package.
Software ‘possibly the worst’
Germany, a European powerhouse and one of America’s staunchest allies, does not use voting machines, meaning all votes are cast on paper.
But PC-Wahl is one of a half-dozen software packages used countrywide to tally, aggregate and transmit the votes higher up the chain, another CCC spokesman, Frank Rieger, told CNN.
“From what we’ve seen, none of them is really great but the one that we analyzed is possibly the worst,” he said of PC-Wahl. Hackers from CCC were able to take over a machine using the PC-Wahl software while vote tallying was taking place, he said.
Adding to the problem, Rieger said, is that Germany’s localized electoral system means that it’s almost impossible to know what software is used across each polling station, municipality, precinct and state.
Allegations of Russian interference in the US presidential election last year have stoked concerns in Germany over election security and voting technology, Rieger added.
The CCC undertook its analysis – carried out by a group of three hackers because they had limited time – after it was contacted by a newspaper looking to verify claims by a security researcher about problems with PC-Wahl, Rieger said.
Over the course of eight weeks, the CCC group found a series of flaws, reported them to the authorities and the manufacturer, and then were able to hack the software again after attempted patches by its maker failed, he said.
The CCC has called on the government to “promote and use software in the election process that has publicly readable source code,” so that security flaws can be found and resolved more quickly, and to support the development of new, state-of-the-art election software.
Government working on security
Germany’s cybersecurity agency, the Federal Office for Information Security (BSI), said Thursday that the maker of PC-Wahl was working with the authorities to improve security.
“In close cooperation with the responsible federal and regional election managers and the PC-Wahl software producer, the BSI has issued recommendations for improving the security level in the transmission of preliminary election results with the software mentioned,” it said in a statement.
The manufacturer is putting the BSI’s recommendations in place, the agency said.
The BSI has been carrying out its own tests to uncover potential weaknesses in election processes and has been advising the German Parliament and parties on cybersecurity, it added.
A spokesman for the BSI told CNN that the affected software evaluates only a preliminary election result.
The official election results can always be double-checked since the election offices have them on paper, he said.
The BSI will do whatever is necessary to prevent any manipulation of preliminary results and the discussion and insecurity this could cause, he added.
The agency has been in contact with the software producer since the beginning of the year to work on securing the preliminary election result process, he said, including by talking to the heads of election offices.
CNN’s Manisha Ganguly, Diana Macumba and Laura Goehler contributed to this report.