BERLIN—When it comes to the growing specter of election hacking, there is one form of attack that causes far more concern than the rest: Could hackers access the ballot count itself and directly manipulate the number of votes cast in favor of one candidate?
Security researchers in Germany have found that it’s possible to do exactly that.
The hacking collective Chaos Computer Club (CCC) has uncovered a selection of serious vulnerabilities in some of Germany’s voting software.
“By infecting large-scale, we could have changed every single submitted result,” Linus Neumann, a CCC spokesperson, told The Daily Beast. This software is not the same as that used in U.S. elections, but the discovery highlights the serious risk hackers can pose to voting infrastructure as U.S. authorities try to assess the exact damage hackers caused during the 2016 election.
The issues revolve around a piece of software called “PC-Wahl,” which the researchers say Germany has used in national, state, and municipal elections for decades.
PC-Wahl is used for the “recording, calculation, graphical presentation, reporting and statistical follow-up of election results,” according to a Google-translated version of the product’s website.
Neumann explained that the researchers were able to take over the server that provides software updates to PC-Wahl and insert a malicious program that manipulates the votes.
“Neither the software itself, nor any of the transmitted results are authenticated properly,” he said. Updating the software is also a mandatory process before each use, Neumann added, meaning that if a hacker surreptitiously inserted a piece of malware, it could rapidly spread to target machines.
Targeting a piece of software’s update mechanism is a novel but fairly established way of attacking systems. Earlier this year, hackers attached their own ransomware, which locks down victims’ computers, to an update of Ukrainian financial software. Victims included shipping giant Maersk.
Germany has faced suspected Russian hackers in the past. In 2015, hackers targeted the country’s Bundestag, or parliament. Germany’s domestic security agency said Russian military intelligence was responsible for the attack. Judging by forensic evidence, the hackers behind the Bundestag breach were the same as those responsible for attacking the Democratic National Committee’s servers in 2016. WikiLeaks went on to distribute a cache of stolen emails and documents from the DNC.
In the U.S., likely Russian hackers have also targeted companies and organizations within the election supply chain. In June, The Intercept reported that hackers sent spoofed emails to VR Systems, a Florida-based provider of voting services and equipment, days before the election. Last week, a New York Times report revealed hackers breached at least two other providers of critical election services. During a hearing earlier this year, former FBI Director James Comey said Russian hackers targeted “hundreds” of entities.
There is no convincing evidence that hackers directly manipulated U.S. votes by targeting voting software or machines themselves during the 2016 election. Previous academic research has found some voting machines are vulnerable to malware that could manipulate votes.
During the annual DEF CON hacking conference this year, researchers were given free rein to dig through and probe a variety of voting machines used in U.S. elections. One hacker successfully compromised a machine in a matter of hours.
CCC hackers who worked on the German software released a selection of tools so others may be able to replicate or build on their results. One tool can be used to swap votes from one party to another.
Security researchers often publish tools, exploits, or proofs of concept in an attempt to make those responsible for the affected products issue fixes.
“Given the trivial nature of the attacks, it would be prudent to assume that not only the CCC is aware of these vulnerabilities,” the CCC’s announcement reads.
Neumann said VOTE-IT, the maintainer of PC-Wahl, has denied that the issues exist while quietly plugging the vulnerabilities. VOTE-IT did not respond to a request for comment from The Daily Beast.