A trio from the Chaos Computer Club, a German collective of hackers and security researchers, has warned, just three weeks before voters cast their ballots in federal elections, that software used to record and transmit voting tallies in many German states has “serious flaws” and is vulnerable to external attack. Germany is scheduled to hold federal elections on September 24.
Hackers fear as Russian intervention appears to be exaggerated.
IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed the PC-Wahl software, created by vote iT, a German company that claims the organizational software is used in “all the large German states for local district elections, state elections, Bundestag elections, European elections, and referendums.” The program is used for recording, counting, displaying, and analyzing votes in German elections. The hackers found they could corrupt the updates from the server controlling that software to re-tabulate votes at will, with potentially disastrous consequences for the country’s parliamentary election. The CCC says that vote iT, the company behind the software, privately fixed the security flaws the group exposed while publicly refusing to acknowledge the vulnerabilities.
Hackers from the Chaos Computer Club published an analysis of the PC-Wahl software package on Thursday (September 7) in which they reported finding a “host of problems and security holes” that even a moderately skilled hacker — let alone a state-sponsored team — could exploit.
“The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries,” a CCC statement said.
The trio of analysts came to the conclusion that while the final election results could not be changed – since they are checked by hand – the on-the-night preliminary results that politicians first react to, and that are used in the media, could easily be altered, potentially creating massive uncertainty in the country.