between English and German. Do this very quickly. My best friend, Hazelban, is gonna talk about the sweetest, most awesome thing since sliced bread. And that's what I think too. Linus, Torsten and Martin on the PC-Wahl hack.

So the title is Analysis of Some Election Software. Good evening everyone. We're glad for you to be here to listen to our talk. I am Linus. My hobbies are writing, swimming, reading, and hacking. I'm Torsten and I like breaking things. I'm Martin from Darmstadt today and I'm an interested citizen. Thanks. Thanks. Yeah, and that's your applause, Martin.

We brought an election program along and we're going to show you some scenarios of attack. I'm going to try to show you how we fix them as well. So what do we need electoral software for? Because you elect on pieces of paper here in Germany, right? Well, you have to organize the elections. You have to register them and you have to also understand the final results. So 70,000 electoral offices are involved within the elections out of 16 counties in Germany. There are constituencies. There are electoral districts who are then distributing the votes to their district returning officer, who then passes on the votes to the state election commissioner, and all of these steps are being taken and then they finally reach the temporary election results. And that's a few hours after the voting booths are closed, before the final results are being drawn for the next day. So once elections are being counted, if we would do all of this on paper through the whole entire time, it would take days and days and days, about 10 days. So that's why it makes sense to use software for this. And well, because we're in a federal state, every county has their preferred way of doing things.
So what we did was we looked at one of these softwares, the software called PC-Wahl, which according to the producer of the software is apparently being used in lots of counties within Germany and is responsible for about 33 billion votes within the country. So there's also alternatives like IVU.elect, which has been dissected by our colleagues from the Netherlands, and others like Vote Manager or OKElect, etc., etc. In Qualityland, everything is fine. We're hinting at the reading that we just listened to beforehand.

So what is this kind of electoral software? There's computers doing results and then the results are being made public. So let's look at the software. So there was a young man who then went to the Supreme Court, and here it's enough if the state commissioner is looking at it and no one understands it anyway. So why would anyone hack an election? So we got that software somehow. Those are screenshots from the vendor. Of course we could have made them ourselves, but our first reaction was: wow. The logo is actually not made by us. It was clear up front that this is not going to be pleasant. We can give them that. The risk that it's going to get hacked is still a lot less than just misusing it or going mad over trying to use it.

So here you can see how a county election is administered. Here you can see how the votes are getting counted. Don't miss the part of the user interface where it's coloring the districts that haven't been counted yet in red. And here's a check where it adds up some numbers and then tries to match them up. And if they don't match, then it's giving you the chance to just correct it until it matches up. But there is a concept for running it securely. They're obviously interested in security of operation. Obviously we need it like gloves and hard hats, and the vendor is actually advertising its database-free concept. What does that mean?
Yeah, they actually write files into a file system, and what they do is they write them redundantly, and it's written redundantly in the way that it just writes them in two different formats in two different folders, and that's called redundant. And you can actually synchronize it via the synchronization feature. You can actually sync them between a remote location and here, and that's going to be interesting. So in the end they're all just writing their files into an SMB share and then they just go.

So let's look at threat scenarios here. So evil tongues claim that we only looked at this because it was bothering us and that we'd think that Russia would hack our elections. So then we were like, well, let's look at how they could do this. So there's two modes. There's temporary results and then there is the actual official results that are being publicized 10 days later. What we're looking at is the preliminary results. The official results for the elections, the governmental elections in Germany this year, came in 18 days later. So how does a hacker think about looking at this? And Martin, our interested citizen, preferably likes to explain this.

Well, I was interested in this. Well, I mean, obviously you have to have the right circumstances. This year we had the governmental elections and the apparently existing problems with the electoral software itself. All right, so this electoral data is being transferred in a chain from county to district to county. So what happens in a district on the night of election? The district returning official gets all the votes from the electoral districts, and an SMB share is started, and then all of them type in the results from the electoral offices, from the voting booths. So those are then being uploaded into the internet onto an FTP server. There's an FTP server, and that collects all the results from the districts. And that is located in the internet in the federal state of Hessen.
It's being made available by ekom21, and ekom21 is like a local system administration office, and they provide basically a how-to for uploading the data onto the FTP server. And alongside these instructions were the login data, to understand how to then upload, providing all security credentials decrypted, no, no, encrypted, but providing the decryption within the same upload. So what do you need to execute this attack? You need Google, because you need to google for Hessen, and then you need a text editor, and a debugger is quite helpful if you want to get into the nitty-gritty, into the depth of things. And all of this basically gives you the possibility to access the FTP server. And we looked at this FTP server, and there's elections that go back many, many years, like smaller elections, communal elections, other governmental elections from the past years, and the login data are located on the server. You just need the local IP address; you can see on the slides the login data as well as the password, and all you basically then need to access is, well, let's call it a VPN. The beautiful thing about this is that the governmental elections 2017 were obviously only a test. All right, and this is how we had the federal state of Hessen. Everything was done well? Not really. What's missing?

So there's some other attack scenarios that give you opportunities to get access to the FTP server configuration data. For instance, this update mechanism: how does the system distribute the updates to the various electoral districts where the software is being used? And we learned that this is quite an exciting field with these updates. And in the big bad internet we found this server where all the updates and everything are on it, and after looking at this stuff we found at least four vulnerabilities that have allowed us to modify files on the server, and that means that we were able to overwrite update files or delete them.
So the advantage of distributing updates is that you don't have to rely on people having passwords on the internet, but you can do this essentially for all states. It's a lot easier. But Mr. Berninger, the developer of the software, who started developing this back in the 90s, back in the 80s, sorry, he corrected himself, the 80s, and he said you need lots of brain power to crack all this encryption and compression stuff that he figured out, because of course he made sure that you couldn't just replace stuff. So that means that this file pcw10dat1.010 is an encrypted file, and this encrypted file is in a zip archive, and in this zip archive there's another file in it, or something like that, you know. So these Russian dolls, it takes lots of brain power, you know. So we figured that out. You can see an excerpt of a little code. We threw this thing at a disassembler and stuff, and, you know, got to all this Delphi code and found a key and an encryption method, decryption method, and so we built our own tool that could decompress these files and build our own files into it, so that we could make our own updates. With the decrypt tool we can patch this Studio.exe, the kind of core of this software platform, the wonderful UI we were just seeing; you can patch it so that you can exchange election results or other naughty things like that. And the other tool that we built, a new update file builder, just with another command line switch, it's not working, dash c, create new update package, and so we could put that on the big bad internet on this server that we found, and so that was uploaded and distributed onto all these servers, and we uploaded it to GitHub, whoever could use it. And the most awesome thing about this, the genius thing about this, so on the other side they have to decrypt the files. How much brain power do we need? 300 grams of brain power maybe, I don't know, could have been 180 grams.

So what are we going to do after we patch these files? Because the communication channels are encrypted, the cryptography makes it complicated, and so we put all the nasty stuff in the source, the telecommunications manipulation, before the encryption happens, and so it passes it on to the next level. And there are these party IDs, and the format we'll get to later, and then we put... this is a proof of concept: we just swap out party one and two, exchanging the votes. That was one aspect in the threat scenarios.

There's a few further ones, like data format, so config files that are being used by the software, config files that are being supplied before every election. They're being put out and machines are then being updated, and this data is obviously online available as well, and they're part of the regular update package, having all the update files with all the login data, and they also use PGP. And because they obviously don't make stuff easy for hackers, they obviously encrypted things, but we obviously also hacked that. Yeah, there's different formats. They haven't just relied on one type of encryption, they used various forms of encryption. Makes sense, or maybe it doesn't. There's one version that was part of the encryption number one, which means we're just basically not using a secret key at all. I mean, you can do that, but you gotta be a risk taker. All right, so that's the code that basically got kicked out of the disassembler. That wasn't a lot of fun. And then there's obviously a second form. This is what they use for passwords and usernames, for GPG passphrases. There's a byte of key, a whole byte at least, and that's being used to then decrypt the config data. And we just did that and put that on GitHub as well, so you can check that out and try it and just, you know, give it a shot.

And now Linus is gonna continue on the formats, because all of these are not unimportant if we want to show how we then in practice use this to hack. As Martin has said and pointed out, he had access to the FTP server, at least in Hessen. So we can manipulate the binaries to have different results and export those differently, but if you have access to the FTP server you can also write your own files. And we were looking at the XML format that was showing the preliminary results and marking them. That was highly complex in naming the data files. This index-free database means that files have clear names, and at the end there's a server that counts these, and this is what a file basically looks like, containing an XML file containing the preliminary results from the electoral districts. So if you look at these XML files, so what's missing, and what I was looking and searching for, was some sort of form of signature that says who counted these. Like, you know, on the paper you always have a kind of written thing on the bottom: this is the person that counted it. On the XML file that's lacking, nonexistent. So another feather in the crown of democracy.

So I mean, it was clear we publicized this before the elections, giving them a good two, three weeks to address these issues, and we're like, you're gonna be able to fix that, right? So we publicized a report. We only took some of the cream of the crop stuff that we actually did; the actual report is about 24, 25 pages long, and we publicized that, and we told the government, like, look, the software isn't safe, and there's obviously a long, long passage outlining basically a plan of what to do. And we sat there and we publicized that, and then in the evening we looked at the news report, and, I mean, we're interested citizens, and we looked at the news, and to our surprise we saw... we're watching the news report now, and the guy's just reporting on, basically he's rehashing what we just heard. The federal election commissioner spoke of a serious problem, but there's nothing to be worried about. So I was thinking, wow, that was fast. Well, let's see.

So let's look at the updated page. That was from the date when we published. We took the latest version from the fifth of September, and that was the target of our investigation. And how would that happen? So now that we thought about it, maybe they were thinking that the pre-published stuff that we gave the vendor was used for the fixes, and that this was the fix that they were talking about. So there was now implemented an MD5 self-check, that, as you all know, is very secure. Also the word self-check is great, because, I mean, if you have a manipulated file, how is it going to check itself? So on the fifth of September they added a signature of the program and the GPG signature of the payload, and every time we saw it we basically thought, finally, oh wow, they fixed it, and then minutes later we're like, oh no, why would you do that? The answer always seems to be YOLO. So, but we basically demanded two things: signed updates and signed results. So a lot of the more tricky problems would be really simple to fix if we have a secure version of the software that's deployed on the update page, and then we basically have a good starting point that we can start off with. But what we saw was that they implemented the self-test in the executable, and this is part of our patch program now. We can see what we have to do before we can manipulate the election data. So now we have to change two bytes in the self-check, and we have to have another function that swaps the data for two parties, and then we already passed the self-test, or removed it, whichever way you want to think about it.

So later, when they were basically firefighting and being in headless chicken mode with the last patch, we were thinking, oh, finally, maybe they got it; they failed so many times now, they must have gotten it. So we were on the road, and then later in the hotel at night we looked at it, and, oh yeah, it only took us a short time again, and then I tweeted a proof of concept that showed that it was vulnerable again. And so let's make it prettier again. This is what the software updater of the software PC-Wahl looks like, now that I look at it again, update systems from the 13th and 9th. There is the update from the 13th of September, and we have fully signed update packages, which is still just used and didn't... bar fun, yeah, Macs could always give us trouble, wouldn't have happened on Windows. So here you can see how we use this Election Studio, or Wahl Studio. It asks you: do you want to check the signature of PC-Wahl? So I have to be a little faster now. So here there's a program update, and there's a manual now, or an information, on how to verify the signature, the integrity of the update. So let's have a very close look. Too fast. So this is already our modified binary, and let's pause this so we can see what it showed. This is their method for signing their update packages. They want you to open, to look at the properties of the Studio executable, there you double-click on the name of the company, and then you have to have a look if it says this signature is valid. What happens then is, the idea alone, the idea by itself, yeah, we will just have signed updates, but the user still has to verify manually. So what happens is the executable of PC-Wahl, it's not an installer, it's more of a hello world program. It opens up a window and it says the signature of this executable has to be valid, because they have used an executable file format as a container, and in the resources they added a PC-Wahl 10 as a string in there, and resources, then the executable itself installs itself. So all right, you can see they did a great job at worse-bettering this. Okay, we're clicking on digital signature. This looks great, doesn't it? I mean, it's a perfect signature, great, just valid, great, let's... yeah, that's good, great, approved. And now you have to say yes, signature was valid, and you click okay, great. And now you have, of course, to demonstrate our proof of concept that we included our own software: we let a red pop-up window come in, and, yeah, so obviously this was our inception of our manipulative software. Oh, you have to press one more time. All right.

The signed results, like data results, is another aspect that we demanded as a fix. They decided to sign the XML result files that we looked at before. So what do they do? Somebody told them: just use PGP. Nobody told them that you have to manage the keys. So it's completely unclear how they will pass around the keys. So is it their key that's being shared amongst all the counties? We don't know, we never found out. Just to kind of show the extent, this is like 70,000. So who maintains all these public keys if they all generate them themselves? I mean, at least in the instructions it says install Kleopatra, but, you know, you still have to decide if you use PGP or GnuPG, or if you use an external program. They decided for, what, oh, they'll use an external program. So they'll generate, as part of the Studio.exe executable file, some of you might laugh already, there is this gpg command line, --batch --passphrase, and this is then followed by the passphrase. Don't laugh too early, it's going to get better. All right, so you can see, if you then enter the passphrase on the command line, then as the user you obviously see the passphrase. And it's even better, it gets better. They don't just create a new process with gpg 2.x execution; they want to know what key we want to use to sign this file, so you've got to have like a drop-down selection menu basically. So they generate a batch file where they then have the gpg parameters that then open all the secret keys, that then are being written into a text file, and this text file is being accessed by the program itself, and it then checks for the private keys, and after that they create a new batch file with what we just saw now. They then write the passphrase and the whole command line of how to sign stuff into the batch file. They don't just create a new process, they also write it in clear writing into the system itself, so that everybody in the future can possibly access this, and this file is obviously saved. You remember, yeah, you remember the binaries, and all of these are in the file share, yeah. On the file share you can then find all the PGP keys in a text file. Crazy, isn't it? It's a lot more easy to then continue having an overview. So besides that, we've already showed that these passphrases are in the .ini files, and how awesome that has been encrypted we've also seen. So, yeah, just so that you can appreciate that, of course all of this is on GitHub. There's nothing to hide; we have nothing to hide.

All right, not just us who figured out that this was, or determined that it was, broken beyond repair: the state election officials have decided that it was broken beyond repair. And so what do you do if it doesn't work? Printed out, and it's not public. Okay, so if the results were uploaded to the FTP server and then passed on and so on and so on, what do you do then? Please go on to the internet, go on to the website of the official offices, please compare it to your results, stamp it, and put it printed out in a folder, and that's how you test on yourself. Everything's been done manually and it goes back to the stone age basically. But you could nuke a bit more obviously.

I mean, we wanted to help, that was our main objective. So we thought about this, and we're like, are there multiple updates, and everyone's like, oh, we're fixing things. And then Torsten really wanted to do something else, but then he had to go back, like, do another half hour of tweeting and reverse engineering, and we're like, oh, let's just stop this, we want to have an election. All right, we'll just fix it ourselves and then donate the fix for the updater to the producer as an open source package, just to show it's possible. A round of applause. And I mean, we just wanted to, I mean, it's just like a standard installer, it's not like rocket science to have an installer that then checks if the update package is signed. I mean, the installer itself knows, and it checks the certificate, and then it checks whether or not the certificate is valid and where the source is from. I mean, there's not really that much to do, is there? I mean, it's a little donation, a small donation, a small step for the CCC, a big step for PC-Wahl. But I mean, it was clear from the get-go that they would not really welcome this donation. I mean, fair enough, it's not a piece of software that they could just put into their program and implement it. I mean, they're using these super modern programming languages. I mean, I wrote that down in C# because I like to use this as a prototype. I mean, I wanted to just demonstrate that with very simple means and crypto libraries you can very quickly implement a routine that is a lot safer, to fend off very brute-forced attacks. And I mean, the producer realized that they think they weren't really getting anywhere with their own updates, and they couldn't take our donation, so they were like, how are we gonna end this? I will just not give any more updates. So the most recent update for PC-Wahl is not being released to the website anymore. It's only being made accessible by the producer itself. If you want to have it, please get in touch with the supervisor, that is actually the term they use, or the counselor at PC-Wahl. If you want to update now, you have to get in touch with the producer of the software itself. I mean, they knew that whatever they bring out, we're gonna break it. I mean, they could have taken the alternative, and then we would have welcomed that. But I mean, in what kind of circumstance, I mean, we're very shortly before a governmental election, like roughly a week before the elections, so the old versions are out there, remaining a week with older vulnerabilities. I mean, it's very clear that most of these district offices are not going to get in touch with their PC-Wahl supervisor, and they're not getting any more patches, they're not getting more updates, so the path for updating is being further complicated. And so then now all of a sudden we're getting calls from these offices, and they were like, so what kind of one did you hack? And then they would be like, which version? And then we'd be like, well, the most recent one. And they were like, well, what is the most recent one? And then they will be like, third of August 2013, is that fine, is that good? And they were like, no, that's obviously not, like, don't... I mean, I can't, honestly, like, it's so responsible.

So let's talk about the results, the conclusions of this. Rop Gonggrijp and Alex Halderman said in the past... I mean, it's kind of a coincidence that the only known concepts are the only ones remaining that we haven't really looked at. I mean, we've looked at electronic processes of election, but there's another aspect in this kind of technical construct that we're looking at: it's the encryption aspect of it. You should look at not violating Kerckhoffs's principle. I mean, that shouldn't be something that should be said out loud; it should be something that you understand and know, if you develop an encryption process, that you do not develop it yourself, but that you rely on established and well-rounded processes of encryption that are not then being insecure just because they get thrown into the wrong hands. A round of applause from the audience for this.

What we now saw was the reactions of the producer of the software. But I mean, the consumer, the client of the software, in this case is obviously the electoral officers, the state election commissioners, and what we saw on their end was just as appalling and alarming. I mean, we're part of a community, so we try to address the people in the community, so we just try to address this issue on a communal level. And here we have the district returning officer of this voting district, electoral district, in Hessen, and he said, well, manipulation is obviously possible, you showed this and you demonstrated this, this is upsetting, but it doesn't really bother us, it leaves me cold. And I mean, this is honestly what we could have used as a claim put on this kind of lecture, and that's really what I find concerning, and that was really surprising to me, to be honest. I didn't really see that coming. I mean, yeah, there's obviously better passwords than "test", that is one thing that he gave us. He said that manipulation of software is at least disturbing, they admitted that. But from the developer of the software, he said that, yeah, it was bothering and it was confusing, but it doesn't really have any relevance. And I'm sorry, but we have to disagree on this on every level possible. That is just not true. I'm honestly so surprised. And I thought, if this were my job, I thought I would be more interested in that stuff, you know, interested that there's a result that we can rely on. And this anger and confusion that, however, had no relevance... And we checked how long this deal of problems and confusion took. We called some people and asked, do y'all remember this parliamentary election? This is disturbing but not that bad. After 18 days, we have a little depiction of how long all that stuff came, and after 18 days the discussions of the coalition, making coalitions, and how all of this was... I mean, we showed the risk basically of what happened in between the 18 days, between the preliminary results and the actual results. I mean, we had coalition talks already, coalition talks not having any success. So imagine the kind of damage to democracy that could have been done within those 18 days.

But I mean, it goes beyond that. The official office for information in Germany, we asked, and we're like, well, what's this about? And then the head of the information security officers stands in front of the president and says, it's great that you're pointing that out again, we would like for the next election to have completely electronic processes, because that is a very safe way of electing. And that was the second that I thought, like, are you being... I honestly, there's nothing I could think of anymore. You've really asked yourself why. Why? Because they have years of experience with elections. And I mean, the threat is still there; for years and years voting machines, voting software are being hacked, and there's always problems with electronic software. And then there's a lobbying party that has the goal to actively involve themselves within the process of our election laws. Well, now there's ambition there, you know; those are exactly the people who actually are responsible for this kind of software, and those people are now in charge. So we're currently debating where we're gonna also narrate this one, but yeah, I think we just gotta tell you. So we noticed that the website seemed to exist being made by one company, and the actual software is being made by the other one. And if you now start googling, I think one is called vote iT, and vote iT actually bought its competitor, Berninger. Berninger is the developer who was uttering those great statements about needing a lot of brain power to crack this, and that guy, in 2016, two years before we started attacking the software, he basically sold his own company for a seven-figure number and still continued as a CIO kind of figure, or CTO kind of figure, for the new company. So I kind of have the impression that he probably doesn't get a lot of sleep at night, mainly because he's laughing at it. That's how you do it. So obviously the buyer has the complete damage.

So let's get to our demands. As Chaos Computer Club, whenever we break something we always demand things, and obviously this is another one here. So if you want to look at the speed-up of the processes, this should never ever impact the security and the accountability during the election process. But this is what we always saw: we didn't even have to hack it, it was basically broken from the start. There's nothing to do there. Transparency is definitely nothing you can exhibit with this program. Basically they just killed their own update process and then just gave you an account representative that you could call; that's just not an update process. So no software component that is involved in the election process and in the transmission of the voting results should ever be kept secret. We should always be able to inspect it, and it should be public. It is of course completely coincidental that in September there has been a campaign by the Free Software Foundation that was saying: if there's public money involved, then the code should always be open and should be available to us. This should also give programmers of current open source software a motivation to actually use modern crypto software and modern libraries and modern programming languages, mainly because there's always going to be the review process, and there's a way to tell the vendor, you know, this hashing algorithm that you're using is crap, can we just do away with it. This review process definitely has to undergo a process of verification and review, so the software developer actually puts in some effort in order to make it secure. If there are audit results, then those results should also be public; they should be publicized with the software source code. Can't be that hard. I mean, to think about it, how many billion euros, or whatever the Berninger software was bought for, you will find a lot of software developers with modern languages that can do a lot better job than that. There was somebody yelling from the audience. I'm sorry, we couldn't hear that through the microphones here. So everything open, signed, a lot of verification, X.509 certificate by the central office of information security. There's no reason why any part of the election process should not be verifiable by us.

So we only looked at the security of this single piece of software, and we didn't even look at if the results that it produces are correct; we only looked at the security aspect. So we thought that the time we allotted, apart from time after work that we want to spend on this voluntarily, is over for this year, maybe later. So in any case an open source software project, if we initiated it or someone else or the FSF, will be a good example that we Germans, or whoever, who always think that we're a good democracy, a functioning democracy, we could show our neighbors with a lot less money than us that we can actually produce something sensible in this space, in that we have a reasonable election process and modern technology involved. But then look at the FDP, that's the liberal party of Germany: it means think first, digital second. There's also stickers around if you want to have a look.

So this is our end. You can find all of our attacking tools on GitHub, there's the report on ccc.de and our press release, there's also our email addresses here. But we wouldn't want to let you go without a firework of good humor. This is a feature of the software itself; they basically gave it to us on a platter. It's the most bug-free feature of the software. It only works with decent hardware. Thanks a lot, guys. You can applaud more in the end, but first we want to get to the questions. Anybody's got questions, get to the microphones as quick as you can, because we're already over time, but we have 10 minutes.

All right, microphone number three. Hello, I would like to know what the software costs the commune. Too much, is the answer. I assume they pay for all this using contracts that include all these files that are passed around, and so you can google these. These purchase results needed to be checked using cartel law, so monopoly law.

All right, a question from the internet. All right, hello. The internet would like to know if anything has changed after the elections. Are there fundamental consequences, anything that happened? There was a delay in the assessment of the results of the election. I think Brandenburg is still relying on PC-Wahl in a changed version, Berlin, Brandenburg. There were delays, but the reason for that was never published, but nobody has addressed how we can get this better or how we can resolve the issues.

Question on mic two. Have you ever tried to call a district and say that you were gonna be giving advice and be their consultant and supply them with new updates? No, that's not allowed. We'd prefer to use that time to look at the other parts. It's just 33 million votes, just a few of those left.

On mic three: did I understand this correctly, that there's people that have their software being complied with, that difficult with the software? It really, the software just really looks backward compatible, or backwards, maybe. I mean, it seems possible that there's clients from different versions who can work on the same data. I would say it's more about forward compatibility, is the word.

And one final question from the internet. Yes, the internet would like to know if you looked at Vote Manager from the same software house. We had a look; after the first cross-site scripting vulnerability we stopped looking. All right, and that was it for the talk. You listened to the PC-Wahl hack done by Linus