back to article Achtung! German election tabulation software 'insecure'

Software used in Germany for vote counting is insecure, according to research by the Chaos Computer Club (CCC). The white-hat hackers found multiple vulnerabilities and security holes in German national voting software. The findings were released by the group on Thursday, just weeks before the upcoming vote on September 24 to …

  1. Christian Berger

    It's actually very incompetently made

    Including a Logo that's clearly Word-Art, and claims like having a "non-indexed database".

    It uses HTTP to upload the data to a central server... where there's a PHP script taking the data. It uses password protection, but those credentials are test/test or gast/test, or test2/test2...

    This is the homepage, BTW

    https://www.wahlinfo.de/

    1. Anonymous Coward
      Anonymous Coward

      Re: It's actually very incompetently made

      What I'd like to know is how this came to be accepted for public use. I mean, this is from the same government that once sponsored the development of GPG, so what went wrong?

      I suspect that someone's nuts will be on the line for this, and rightly so.

      1. Christian Berger

        Re: It's actually very incompetently made

        They gave _lots_ of money to very incompetent people. This was of course made by a private company.

  2. Anonymous Coward
    Anonymous Coward

    I love CCC

    They're good at what they do, and are generally very competent in conveying the detail of what they found as well.

    The best part is that they've been this good for years. Hurray!

    1. Christian Berger

      Re: I love CCC

      Decades actually. Here's a report of a hack on the German "Prestel" called "Bildschirmtext" or BTX.

      https://www.youtube.com/watch?v=TOflxejp4Z4

      Essentially they got the login of a bank, and set up a relay to call their donation page over and over again.

  3. Pascal Monett Silver badge
    Thumb Down

    Just a sec

    "Software used in Germany for vote counting is insecure"

    There, that's better.

    Show me one product that has been independently verified as secure, contains Open Source code that has been vetted and is regularly pitted against white hats to ensure safety, and I might eventually come around to thinking that it could be used.

    Until that day, I will remain steadfast in my belief that paper ballots and a time-tested procedure will beat a frakkin' database any day. As far as voters are concerned, that is. For scumbags, multinational corporations and corrupt officials, the database is clearly a better bet.

    1. Flakk

      Re: Just a sec

      This.

      It's not Ludditism to acknowledge that technology isn't always the answer. There's no hackable network stack on an electro-mechanical optical scanner, no program logic to exploit and corrupt, and it's easy to verify the correct operation of the machine. It will absolutely take longer to tally votes, but that's part of the trade-off. Security is pain, and sometimes it's worth it.

    2. Stork Silver badge

      Re: Just a sec

      I may well be repeating myself, but the system used decades back in Denmark (at least):

      - Paper ballots are counted at the polling stations, just after polling closes, with members of the parties present and participating.

      - The results from every polling station is published in national newspapers + ministry of interior homepage.

      Simple and difficult to hack. No SW needed (but you can use Excel (or LibreOffice) if you fancy.)

      1. Lars Silver badge
        Coat

        Re: Just a sec

        @Stork, same in Finland, but sounds a bit the same in Germany too as this story claims "For what it's worth, Germany still relies on manual counting for final tallies: electronic systems, for now, are used mainly for predictions and exit polls.".

        As for decades, a century by now in Finland and for longer in Denmark I would think, that must go for the UK too.

        Quite frankly I know too much about programming to let it anywhere near our voting systems.

      2. Puuru

        Re: Just a sec

        We have a general election in New Zealand on 23rd September. It's all paper ballots stuffed into ballot-boxes the old-fashioned way. No buggy software. There are suggestions that we should go electronic to rope in those potential voters who can't move more than their thumbs. However, there's a lot of resistance on the grounds that electronic voting is insecure/hackable etc etc. I'll put my by now geriatric hand up to join the resistance.

    3. Anonymous Coward
      Anonymous Coward

      Re: Just a sec

      Show me one product that has been independently verified as secure, contains Open Source code that has been vetted and is regularly pitted against white hats to ensure safety, and I might eventually come around to thinking that it could be used.

      For a start you need an assurance process in place that combines transparency with accountability all the way down the delivery chain, and there are simply too many politicians in that mix for that to ever work.

      I've been following the work of Rebecca Mercuri for years (I reckon for more than a decade by now) and yes, voting software is still the final frontier because of a number of conflicting demands and the profound allergy of suppliers of transparency..

  4. Anonymous Coward
    Anonymous Coward

    It has to be said

    My country is a freaking Clown Show.

  5. John Smith 19 Gold badge
    WTF?

    I think the key question is how this PoS S/W got accepted for this task.

    It's specialized and I'll bet not cheap so how was it purchased?

    Was there a competitive tender, released through the EUJ?

    Was security even an issue?

    Was this the best of the offered alternatives? IOW were the competitors even more s**t?

    Because if this is the bar to exceed it does not look too high to do so.

    Wheather or not that makes any competitor good enough to do the job (not just better than this) is another matter.

    1. GSTZ

      Re: how this PoS S/W got accepted

      That's an pretty old piece of software, lurking around since about 30 years, and never certified by anybody. Many of those local public servants down at individual county level supposed to have the voting offices under their control just didn't care about replacing it, rather they kept it running time over time. No central rule from the BSI (Germany's IT security agency) or any other top level government organization, probably that could have been seen as interfering with local government's freedom to do their own thing. By the way, a good number of local governments did upgrade to something more recent and supposedly better, but Wahl-PC is still the most used software for uploading voting results in Germany.

  6. Agent Tick

    Software works perfectly....

    .. as intended coz the voting backdoor(s) is the only way for some unloved German pollies to get re-elected ever again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022