Now, our next talk is Hacking German Elections: insecure electronic vote counting, how it returned and why you don't even know about it. For the Germans listening here, did you notice that in Germany voting became more electronic recently? In case you're not from Germany: I do live in Germany and I did not notice that myself. However, both of our speakers volunteered as election workers in Germany and research the topic of election security, and they promised to tell us how elections can be made more secure again. Our speakers are Tobias, an IT security researcher focusing on offensive security, automotive security and capture-the-flag challenges, and Johannes, a postdoctoral IT security researcher. Both work together at the Fraunhofer AISEC institute. Enjoy the talk.

Hello and welcome to our presentation on hacking German elections: insecure electronic vote counting, how it returned and why you don't even know about it. My name is Johannes Obermaier. And I'm Tobias Madl. We are both very much involved in elections in Bavaria because we are election workers and often support elections here in Germany. And we are offensive IT security researchers. First of all, we want to talk about the scope of what we are presenting today. We got our information and the software for today from the municipal elections in Bavaria in early 2020, and it was a computer-based vote counting technology. So we were very concerned when we interacted with it. And in the end, we face the question: are elections still secure? Next, I present the outline of what we are talking about today. First, we are looking at the electronic vote counting system. Next, we identified some conceptual and practical issues with this technology. Afterwards, we also inspected the software and found some insecurities. And in the end, we summarize and conclude our presentation. To understand why we need electronic vote counting, let's just have a look at the voting ballot.
This voting ballot is, in its paper form, about one meter wide and 50 centimeters high. So that's quite a large ballot with a lot of candidates. Let's just sum up the facts. We have a total of 599 candidates that are spread out over nine parties. Each citizen is allowed to cast up to 70 votes in this election. That sounds simple, but it gets even more complicated, because you can cast up to three votes per candidate and you can even choose multiple candidates of different parties, up to your 70 votes. And even if you decide to vote for a single party, you can still strike out candidates that you personally don't like, so that they don't get any votes from your ballot. That means this voting system gives a lot of power to the citizens, and voting is fun. However, counting those ballots is very difficult, because you need to know a lot of special rules in this voting system to really count each ballot correctly. That's the reason that a software such as OK.VOTE has been developed. OK.VOTE is a typical software for elections that's also used in the polling stations for vote counting. OK.VOTE has a quite large market share; they say they have something like 75 percent in Germany, so that software is used in several states. OK.VOTE has several different modules, for organizing elections for example, but what we will have a look at in this talk is only the vote counting module of OK.VOTE, where the election worker takes each paper ballot and manually types in all the votes on each ballot, and then they are stored in the computer system. So the task of OK.VOTE is to process each ballot, to count the votes, to find out if the ballot is valid, then it stores all the ballots in its database, and finally it does some magic and computes the final result. So this sounds quite similar to what a voting machine does. But wait a moment. Voting machines in Germany? Wait, that's illegal. Is it really illegal? Let's have a look at the legal regulations about that.
So yes, in 2009 there was an important decision by the German Federal Constitutional Court, and they said that the use of voting computers in the 2005 Bundestag election was unconstitutional because, for example, the voting computers were not transparent enough. So that is very similar to what we've also found for the municipal elections. But wait, here we are talking about the Bundestag election, but this is a municipal election, and we have different rules for the municipal elections. For example, there is the GLKrWO, that's the Gemeinde- und Landkreiswahlordnung Bayern, which basically translates to the Bavarian municipal election rules. And those rules say that we are indeed not allowed to use a computer for voting, but computers can be used for vote counting. So in this situation, I would expect that we have some sort of security requirements in those regulations, but I tried to find them and, to no surprise, there are exactly zero. So if there are no legal requirements, are there at least any software-side requirements or certifications for OK.VOTE which promise some security? Yes, there are. So I had a look at the website and I saw this nice little paragraph here. And it says "elections with security", and during the development of OK.VOTE they put the highest emphasis on the topic of security. They follow the BSI and OWASP recommendations on security and they have a certified data center with very high security standards. And how does it look in practice? Well, I would rather not show you this here, it's really scary. This is what I saw when I walked into the election room. This is not a stock photo. I took this photo myself and this is the reality. So I walked up to the guys and said, well, shall we really use these computers to count the election? And they said yes, those are the computers that are available here.
So I prayed to God that this for some reason does not work out, and Windows XP did not disappoint me, because when I tried to start the software it failed: that is a 32-bit system and OK.VOTE needs 64 bits. So yeah, that was great. So we did not use that Windows XP machine. Instead we had to search for another machine and came across this one here. That's a Windows 10 machine. That's fine. However, it has an outdated virus scanner. So well, it's better than nothing. So this machine was used instead. But let's just keep in mind what they are promising us: elections with security. We really doubt that. Let's now look at the IT environment and why it came to that situation. First of all, this is not fully the fault of OK.VOTE, because it's the task of the local administration to provide hardware for vote counting. And the AKDB, the vendor of OK.VOTE, says that they recommend using secure administration computers. That's fine so far, but we simply don't have enough secure administration computers for that purpose. So for example, in the town where I'm from, we needed around eight computers to count this election, and we simply did not have enough in the town hall. And what's even more, the election room was in a school and there were already school PCs available there. So they were just using the school PCs. And those were even elementary school computers. So I'm not really sure whether all the pupils know which link they are allowed to click and which one they should rather not click on. So these systems might be insecure, there might be malware, and it's even possible that someone manipulated them in advance; we cannot really exclude that. However, I don't want to blame the administration here, because they did a great job in organizing this election. It's really a lot to do for them, and they did really well, so everything worked out well in the end. However, they are no IT security specialists.
And we cannot demand from them that they know every detail of how to set up a system correctly and what the risks are that are associated with insecure computer systems in elections. That's just not their job. However, we still ended up with unsafe systems here because, as we have seen before, there are no legal regulations against that. Now let's see how we create a digital result. Exactly. So we went to our polling places. Each one of us got a PC, and we got the ballot stack we had to count and then enter into the system. So Johannes is team two, and I was team one. And we started entering the ballots into the PC. From this point on, the diagram shows team one in green and team two in blue. As soon as I was finished entering my ballots, I put them on a USB drive and handed them over to team one. Exactly. I imported these votes because I was the master machine at this time. And the OK.VOTE software then finalized the vote count and exported the results, finally, again on a USB stick. And these were then delivered on for further processing. What is the problem with all that? First of all, there's a lot of intransparency. So for example, the software that is being used for vote counting, OK.VOTE, is not open source software. It's closed source, and nobody was able to analyze this yet. And since this is closed source software, it is also very hard to understand how the software works and if it really counts correctly, because in the end we have hundreds of ballots there, and it's really difficult to tell if they have indeed been counted correctly. And although we have seen this before, there is no basis for a secure vote count if we have possibly rigged computer systems. We cannot exclude that someone has manipulated them before the election. So if there is some manipulation, this would hardly be detectable by a standard election worker.
So this means that the entire election process becomes very intransparent and hard to understand for a person who just wants to observe the election. And that is strictly against the idea of a public counting of votes. So now let's talk about the steps that happen after we finish counting in each of the teams. So what do you do after you have exported the final election results? How do they get to the central administration? Yeah, I just got into my vehicle, took the USB sticks in my pocket and drove to the master PC. But as you may know, election day is always a very busy day. Some teams are slower at counting, some teams are faster. So the master team doesn't know when these USB sticks will arrive, whether they take two or three hours or half an hour; they don't really know. So I could just go and grab something to eat on the way, or I can manipulate the votes, I mean deliver the votes. And yeah, in the end, when I arrive at the master PC, I just give them my USB sticks, they insert them and take the data that is stored on there, and nothing else. And afterwards they just upload the final results. Now you might think, why is it possible for him to manipulate election results? Because there's no authenticity. There's only integrity protection of the files that he is transporting. So there's some CRC32 and a SHA hash, but nothing like a cryptographic signature. So even if he alters the data, he can just regenerate all the integrity protection data and the data will just be accepted. So the main issue here is also that this is one of the few spots where only a single person has unsupervised access to the data during transport, or to voting data at all. And that makes manipulations possible and easily feasible in this case. And that should not be the case, especially in an electronically supported election. Now let's have a look at the vote counting software itself, because there we found even more interesting results. Exactly.
Let's begin with the system architecture. First of all, this is the local or decentralized version of this software system. So all of this is taking place on the local host and the machine we encountered in the election rooms. And on these machines there was an Apache Tomcat web server running, which was connected to a MariaDB, and the user was interacting with the voting system via a portable Firefox. And as the AKDB said before, they were very concerned with security. So let's think about what attackers they had in mind when they designed the system and from which the system is supposed to be protected. Is it the user who maybe attacks the vote counting system, which is normally just election workers who are there in their free time to help execute the election? Or did they have network attackers in mind, who come from completely different places and try to manipulate the system from outside over the network? First of all, we took the user as one of the possible attackers. And even in this environment we found some really broken stuff. First of all, broken access control. But what is it all about? Well, that's the page after we just logged into our voting system and clicked on the administration page, where we can change our password and edit our profile. These are the buttons on the left. And as you can see, we are clearly logged in as the user 42. And there is nothing more to do than select which counting part we want to do, the general regional vote or the municipal votes. And that's all we can do on this page. Now let's switch to the system administrator. There we have the admin account, as you can see on the upper left side, where we can now do very much more than the normal user. We are again on the administration page. But now we have the user administration, where we can create or delete users. We have the reopen or close election mechanisms.
We have imports, we have exports, and also, what's not included in the screenshots, submenus like deleting finalized results and so on. So we picked out two very interesting URLs for you. First of all, we are taking the first one here, which translates to reopen the election. After the election is closed, it's normally finalized, so no more votes can be entered into the system. And the other link is one which translates to delete data, which in the end will delete all the data from the machine. So no more private or secret data is stored on there. And this is what they look like when we open them. On the left side we see the reopen dialogue, on the right side we see the data deletion. But wait, this is not the admin view. This is the user view. So they did not check if this user is even allowed to do that. And we also have to say that this is not just the view of it. It is fully working. And this is completely functional when we just go through the process of deleting or reopening an election. What's the problem with that? Yeah, as you may have already guessed, reopening elections creates the possibility of sneaking in some additional votes for the candidate I favor, and additionally, if I want to mess with all of the voting, I could just delete all election data and you would have to start from the beginning and completely delay or deny the voting. But why is this even possible? Yeah, we found out that this is their access control check in their software. And this function is called getZugriffsrollen, which translates to get access roles. So normally there would also be the software in place to check if this role is allowed to access this kind of site, but they just returned null and did not implement it. And that's also a nice way to implement access control. However, I think we can propose some mechanisms that could have prevented this. First of all, hidden information is nothing you can rely on.
If you just don't show where you can click to get to this URL or to this page, that's not really secret, because maybe you find some leaked source code, or you shoulder-surf an admin, or you just by accident type in the wrong URL and get to this hidden information, or some scanning software is going to find something hidden. So hidden data is just not secure. And on the other hand, you should finalize your implementation of access control so that you actually have access control, and even test it once to be sure that it works. So in the end, we can conclude that hidden data is not protected data. Let's now come to another type of attack, cross-site attacks. A cross-site attack is a sort of interference between two websites where one website, for example, tries to do something on behalf of the other. The goal is often to deceive the user or to trigger manipulations. First of all, we were quite sure that they had thought of cross-site attacks, because during our testing we saw that they included HTTP headers that target a wide range of attack vectors that use cross-site scripting attacks. For example, here we have X-Frame-Options: SAMEORIGIN. That means that other pages cannot include the voting software in their own frames, and so on. And also cross-site scripting protection is enabled via X-XSS-Protection. So this looks quite good, because this already excludes several attack vectors. Well, but how about cross-site request forgery? When we first tested this, we found out that the vote counting system is not fully protected against it. What is cross-site request forgery? So in the first step, the election worker uses the integrated Firefox browser to access a malicious website. So the user is triggered to visit this website. For example, someone sent him a link and triggered him to click on it by the promise, for example, of cute animal pictures or something of that sort. And then the user visits this website.
And this website contains form fields that resemble the form fields of the actual vote counting software. And the malicious website now triggers the browser to submit this form data, not to the original website, but rather to the vote counting software. And as soon as it reaches the Tomcat web server, the web server is confused, because the web server cannot discern the input from the cross-site attack from the malicious website from original user input. And then the Tomcat server just thinks that this is original user input and will process it. And that's called a cross-site request forgery attack. So we saw that there is sometimes a protection against this sort of attack, but many pages are not protected against it. And that is very concerning, because that's a 2001 vulnerability. It's almost 20 years old now. And it's still present in such a software. So this is quite unsettling here. Now let's sum up what we can do with it. So first of all, the issue is that they have missing CSRF tokens or any other good countermeasure against cross-site request forgery attacks. And the second point here is that only minimal user interaction is required. The user often doesn't even see that a cross-site request forgery attack is currently being executed on his behalf. So it's almost undetectable by the user. And it's very simple to trick a user into clicking a link. So the impact is very devastating, because we can now manipulate settings in the vote counting software and we can even insert fake ballots here. So what's the result of this? What can we do with it? Well, we can manipulate the entire election result. Let's just do a demo of how we do this. Nice. We are already logged into the vote counting system. Our username is admin 321934. Now let's count some votes. As we can see here, these are all the ballots that we can enter. They are still empty since we haven't entered any ballots yet. So let's start. For simplicity, we just have two parties here.
On the left-hand side, we have the good party, who want the best for their people. On the right-hand side, we have the bad party, who want to take power and are willing even to commit election fraud. Let us begin and enter the first paper ballot. The person has voted for the good party. So we enter this into the software. Now we save the ballot and go to the next one. Again, it's a vote for the good party. Let's enter it, save it and go to the third ballot. And again, it's for the good party. Let's save our third ballot. Now we go to the ballot overview and look at what has happened. As you can see, we now have three ballots that have successfully been entered. Next, let's check the preliminary election results. As we can see here, we have a total of three ballots that have been entered into the system. That's correct. Three ballots contain votes for the good party. That's also correct, and zero votes have been given to the bad party. That's fine so far. Next, I will show you what happens if I open a malicious website. This website will execute a CSRF attack and manipulate the election results. Let's just assume we want to take a break and simply browse Twitter. Okay, here we are. There's a cute cat picture and there's a link to even more of them. Let's just play along and get tricked into clicking that link. Oh, look at all those cute animal pictures. Look, a hungry rabbit, a monkey, a little hedgehog, two cute goats and so on. And when we are done browsing, we close those tabs again and we return to our vote counting software. What we notice now is that our username has been altered and we just got pwned. We were tricked into visiting this malicious website. The website executed a CSRF attack on the vote counting software and did some manipulations. Let's see what else has changed. Our three ballots are still there, but now we take a look at the preliminary election results.
What you can see here is that the number of ballots that are in the system has increased to eight. We now have five additional ballots that were not entered by us. As you can see, the good party still has three votes. That is what we have entered, but now the bad party has taken the lead, with five votes now. This attack has indeed manipulated the election results. This is really bad, because we cannot even see those additional fake ballots that have been injected. However, we are lucky, because we noticed it since we expected this attack, but we won't notice it in every case. But what happens if we don't notice? Well, this happens. So for this example, we just assume that team one has three ballots that they have entered into the computer system, and team two has six ballots that have been entered into the computer system. Now team one visits the malicious website and five fake ballots are injected into the election results. In this case, the attacker is very smart and injects the ballots at the location where the team two ballots will be expected in the future. So what happens now is that team two exports their ballots and team one tries to import the ballots of team two. And now the following thing happens. Because there are already ballots present at the location where the team two ballots should go, the import process is not fully successful and only a subset of the ballots are imported. So the majority of the ballots, in this case five of six ballots, are just discarded because they don't fit into the database anymore, because that location is already taken by the fake ballots. So usually we would expect that this generates an error message or at least a warning, but this does not happen. This is a silent failure of the software. And what's even worse is that the sums are finally correct. So that means we now have nine ballots present in the system and nine paper ballots that were initially available.
So this looks like we have entered all the ballots and everything seems to be fine. So we will now close the election and generate the final result. And this is what happens now. As you can see, we have only four votes for the good party, but five votes for the bad party. So the bad party has won the election by manipulating the voting system using this CSRF attack. And that should never be possible, because this is not what we expect from a voting software. And in this case, the result is rigged. So have you also thought about network vulnerabilities? Yeah, sure. That's exactly the other side of the coin. First, we checked the election worker side for attacks, but now we checked the network side and scanned and analyzed the system first. And it looked like this. Open ports everywhere. And as you can see, they fully exposed the Apache Tomcat and the MariaDB to each available network on the system. With this, we thought, yeah, let's maybe try some newly discovered vulnerability, which was found recently in 2020, called Ghostcat. And Ghostcat is an attack against the AJP protocol from Apache. But let's check the Apache system and how it's built. First, the Apache has a webroot which serves static resources and HTML or JSP files. And additionally, it can include class files or servlets, which are combined with these JSPs or HTML files and then served to the user. So we prepared our AJPShooter with the URL of the web application and the port and the file we wanted to read. In our case, it's a private test class file, because maybe we could leak something from this, but we'll see. And then we said we only want to read it, because there would even be the possibility to evaluate it and execute the code in it. So we've done this attack and, ta-da, we got a result. And this is the bytecode of the private test class. So let's just drop this bytecode into our cup of coffee and maybe we can pull out some source code from it.
And yeah, that's what we found out, because why not just test your encryption mechanism with a string? But this is not a common string. As we later found out, this is the real productive root password of the MariaDB. And this was like, so what's the problem? As you may clearly see, with this attack we could leak out the login of the MariaDB and probably even more logins or passwords. And additionally, we could leak the whole source code over the network without ever accessing the PC in the election room. And this was only possible because they completely exposed all machines and applications to the network. And this should never be the case. So as a result, how can this be prevented? First, you should never expose these unneeded ports to the internet, because they don't even use the AJP proxy in their application, but just left it on the 0.0.0.0 interface. Next, you should keep your software up to date, so that if some vulnerabilities are found, you are not vulnerable to them. And last but not least, never use productive passwords in unit tests, because that's not the best idea. In the end, to sum it up, avoid at all costs any additional attack surface to prevent these kinds of attacks, even if you don't know about them yet. After we have seen a lot of interesting Apache stuff, I tested the database for its security. For the first analysis, I was just starting from the same PC where the software was also installed. And I tried to gain access to the database. So I was coming from the host localhost. I tried to use the username root. And then I saw that I must provide a password before I'm allowed to connect to the database. However, finding the password was quite trivial to do, because all the stuff I needed to know for that was included in our class file. And I was able to decrypt the password without any issue here.
And at that moment I realized that also the password that Toby has shown us before, which he found with the Ghostcat vulnerability, is indeed the MySQL root password here. So after I had access to the MySQL system, I tried to dump the user table to look at which users are allowed to access the database. And this is how the user table looks. We have four times the user root. And the user root requires a password if I'm coming from localhost. But wait a moment. Here we also have the host PCI-1939. And as you can see here, there is no MySQL password entry. That means that someone coming from host PCI-1939 is always allowed to connect as root and does not even need to provide any password for that. And that's really strange. So, what could happen from this? Well, someone on the network can now do some voting manipulation, which is quite trivial. Because as soon as I set my host name to the correct host name, I get full access to the database where all the local voting results are stored. And since I'm root, I can interfere with them. I can change them however I want to. And this vulnerability is so damn weird and trivial. It takes me no effort to do this at all. And so we won't even go into a demo here, because it's so stupidly simple in this case. Usually I would say that's enough for today, because we already have full access to the voting system and can change whatever we want to. However, this time we decided to go deeper, because we saw PCI-1939 as a real door opener. So we have access to the voting results. We can change them, but we still don't have access to the entire voting system. So what about the PC? Might it be possible to use that access to the database server to gain remote code execution on that machine? So for this experiment, I use the following setup. On the right-hand side, we have the voting system with the exposed MariaDB database server. On the left-hand side, that's my system. I named myself PCI-1939 just because I can do it.
And I established a connection to the MariaDB server. I use root as the username. I don't need any password. And it is immediately accepted. So now that I am connected, I'm allowed to issue commands. For example, I can now instruct MariaDB to enable one of its plugins. This plugin is called ha_connect. It's one of the plugins that usually come directly with MariaDB. And this is a very powerful MySQL storage driver. So now I will show you what I can do with that storage driver. Next, I will create a table that's called PWN. And I'm using the ha_connect storage driver and I instruct the storage driver to create a file that's called pwn.dll and to place it right into the plugin folder. There is nothing that stops me from doing so. So that is one of the special features of the ha_connect storage driver, that I can just say this table is mapped to that file in the file system. However, this file is still empty, because the table is empty. But since this is a database, I can now just issue INSERT INTO statements and load whatever data I want to, for example some malicious DLL. I can just load it into the table via that INSERT INTO statement. And then it is directly written into our malicious DLL, pwn.dll. Okay, so next, after I've finished writing, I will instruct MariaDB to enable this plugin that I have just uploaded. And enabling a plugin means that we are executing the code that is stored in this DLL file. So that means we have remote code execution. You don't even need to ask what you can do with remote code execution. Well, I can do everything. So that means I have now gained full control over the entire vote counting system. So I'm not only talking about the data in the database, I'm talking about the entire computer that I can now fully control and manipulate however I want to. And that's possible only by using the voting software and accessing it over the network interfaces that it has exposed.
And now I will show you how simple it is to execute an arbitrary program on the system. This is the vote counting computer system. To begin, let's start the vote counting software. Now the Apache Tomcat web server and the MariaDB database server are being launched. Finally, the Firefox Portable is started. The system is now ready for operation. But beware, the attacker becomes active. His hostname is the infamous PCI-1939. Immediately, he launches the Python attack script fun.py. It connects to the MariaDB server as root without a password and uploads a malicious DLL plugin. When the upload has finished, the malicious plugin is executed. As we can see, the calculator was started. Thus, remote code execution was successful. The vote counting computer system is now under the control of the attacker. After we had found such devastating issues with the vote counting software, we immediately notified the vendor AKDB. And they were very professional about it and responded very quickly to our initial emails. So we really liked working together with them and telling them our results, and they were always positive about it. They also recommended some fixes. So for example, they told us you should only use that voting software in a secure environment like an administration network. However, we don't really believe that this is a good solution. Exactly. And we're not very happy about this proposal, because we have two problems that still arise even if it's in a secure environment. First of all, an administrative PC could still be infected with some malware, or it could be manipulated before the election takes place. And on the other hand, we had this bug with the broken access control, do you remember? And even if you had been in a secure environment, this bug would still have worked, and you could have completely deleted all data or reopened elections or something like this.
But we are quite happy that they took us seriously because they have even announced updates. For example, they wrote us that they are planning on adding CSRF tokens for the pages where we found cross-site vulnerabilities. So that's already a good step in the right direction. So now let's summarize what we have presented today. First of all, we discovered several problematic aspects in the concept and its practical implementation. The entire voting system is running on untrustworthy computer systems. They could have been manipulated beforehand, they could have malware on them, or they could just not function correctly. So that's already very problematic from the beginning because we have no underlying trust that we can put into those systems, and we are using them to count out our votes, to count out the entire election. What's even more, even if the software and the PC that lies beneath it are secure, it still does not have enough transparency. It's very hard to understand what the software is exactly doing and how it is doing it. So I cannot really understand how it comes to its result. Please keep in mind that we have almost 600 candidates and several hundred ballots that all have to be input into that computer system, and then some magic happens and it spits out its result. So then we just have to take this result because it's just impossible to check if really each vote has been counted correctly or if anything strange has happened or any manipulation took place. And this is also possible because we found lots of vulnerable software, and not just the system security was affected, but it was also absolutely possible to manipulate the whole election from very many parts in the network. This leads us to conclude that these elections are at a high risk with this technology. And this is the reason that we want you as an election worker.
The more eyes are looking at the election, the more secure it becomes, and if you are interested in becoming an election worker, just get into contact with your local administration. They are always very happy to have volunteers who want to take part as election workers. From my personal experience, I'm doing this for several years now. It's also a lot of fun. You get into contact with a lot of people. So I enjoy this a lot and I can just recommend it, and this is a good way how every one of us can support the democracy in their country. So to conclude our talk, we found out that security in this technology is really bad, and that's not all of it. This is just the tip of the iceberg, because we looked only at one of the solutions that is available for vote counting, and this was also in a special configuration. What is even more difficult to see is what happens behind all the stuff we have seen today, because when we export the data and bring it to the central administration, the data is imported and uploaded. So where does all this data go? Where are all the results from all the polling stations summarized? We don't know yet how this works. We don't have the software that we can analyze. So there is still a lot of work that has to be done here to really check the entire system. We just took a look at a very small portion, and that is just the vote counting software here. Next, we were very shocked that this information, that vote counting has already shifted to software, is not publicly known, and this is also why we created this talk today, as this is information that is crucial for the democracy: that there is already this software in use and it is not really secure. So this was a big thing for us, to bring it out to the people.
One other thing is that everything we have seen today is entirely legal, because at least in Bavaria we don't have any rules or any laws against the use of insecure computer systems or insecure vote counting software. As we've seen in the beginning, we only have very rough legal guidelines where it says, well, you can just use computers for vote counting, but we need stricter guidelines here because it cannot continue as we've seen it today. In other states in Germany there is sometimes something like, let's say, guidelines or even a certification process for such digital software, but in most states that I had a look at there are no rules at all, and that is nothing that should continue in the next years that way. Additionally, before any of the software to electronically count the votes goes live, unbiased tests should be available for everyone to prove to themselves that this software is secure and that this software is doing what it's promising to us, because it is directly influencing our democracy, and if this software is manipulated it manipulates our voting, our election and our democracy. So in the end we can just leave you with two questions: how much digital support is required, and how much is toilet paper?

Thank you very much for the interesting talk, Johannes and Tobias, and thank you very much for your work on the topic. I hope you do have time for a little Q&A, as we have quite a few questions actually. Sure, that is okay. All right, so the first question from the internet is: is there any suspicion that these vulnerabilities have been actively used?

Well, it's very hard to tell. At least for the town that I am from, I did not notice any special occurrences there. However, I don't have an overview of the entire Bavaria, so that's quite hard to tell. I think it's even impossible to tell if there were any manipulations so far, so unfortunately we cannot say that.
Additionally, we were just at one place in this whole system, so we don't have an overview if there were any mismatching numbers or any other influences that happened but that we didn't see at the moment, because we were just at one position in the system, at one station of the election.

Okay, thank you for the answer. Do you believe that it is possible to have a digital vote that is as secure and trustworthy as physical or paper-based voting is?

Well, in my opinion that's not possible if we want to have the same sort of transparency that we have in a paper-based voting system, because when we have paper-based voting we can just go into the voting room and watch what's going on there. We can see the ballots that are handed in, the ballots that come out of the box, that are counted, are summed up. I can really try to find out what's going on there, I can have a look at that and understand what the people are doing there. But the moment that I have only a digital vote, I cannot really find out if the computer is doing the right thing, if there were some manipulations. So in terms of transparency I don't think it is possible in the same way as in paper-based ballots, for example. I would have to add to this: if there were the possibility to get the same traceability and visibility, that you can always see which results came from which position and if they are signed, very transparent, then it would maybe be possible in the future, but not with any kind of this software we saw there.

All right, thank you. Do you by any chance know which states in Germany use the software OK Vote so far?
We cannot directly say which states actively use it, because we only took part in the elections here in Munich, or Bavaria, but we can tell that we found very many hints in the source code that it was also used in, for example, Hamburg, Bremen, Hessen or Rheinland-Pfalz. But we don't know if it was already used there or if it's planned to be used there, or if they did already use it in past elections and decided against it for future ones. We don't know that exactly.

Okay, maybe you can stay for a second on your job as an election worker. The process of manually entering data into this system, is there a process for this? Do you have an idea on the risk of this part here?

Yes, it's basically the thing that there are at least two or three people sitting in front of each computer and then they are entering each ballot, so people are really cross-checking that the ballot has been entered correctly. It's like one person has the ballot in front of him or her and the other person reads the votes and the other person types it in, and they are cross-checking each other so that there isn't any error during typing in those election results in the computer.

All right, thank you for the elaboration. Someone is asking how the systems are connected to the internet, or to some network? If the understanding of your talk was correctly received by that person, the results are written to some physical medium which is then used to transmit the results, so you send something physically, so why care for the Windows version or the software that is running on these machines? Is that a correct understanding?
Well, the problem with that is that it depends on the local administration how they set up their computer systems. I also read this in the chat here, someone has written that they had their voting software in a very limited network connectivity, so the computer was not connected to the internet. However, it depends very much on the administration and on the computer network that is being used there, so it is entirely possible that computers are connected to the internet, because there are no guidelines on how these computers are allowed to be set up. So I cannot fully exclude this, and if someone for example just enables the wireless network or connects to some unsecured hotspot, they are connected then. So it's hard to tell here, but I would not exclude this possibility. To extend the answer: we even tried to find out if there are any software-side protections that check if an internet connection is present and would then deny this voting system, but there wasn't one, or at least we couldn't find one. So even if the administration was not advised that the PCs should be disconnected from the network, there isn't even a security mechanism in place that would check this and stop it, or even show a warning that this is connected and should be disconnected from the internet before the counting can begin.

Interesting, all right. Now we have one message on the IRC from someone who worked with this particular piece of software, in demo mode by themselves obviously, and the question they have is: did you notice a possibility to enter negative votes for a candidate, so saying minus two votes for instance?
Well, that's difficult to tell. I thought about whether this is possible, so perhaps you might have to manipulate the database directly. I'm not entirely sure, I'm not sure if I tried this one out. However, as soon as I have database access it's entirely possible to manipulate anything, so we could try this out again. However, I don't think that it changes much in our result. So yeah, that's an interesting question; so far I cannot answer this right now, I'm not sure. Tobi, have you tried out something like that? We've tried manipulating some already submitted votes, but I think this was not really possible. However, as you showed, when you export the data and import it into the main PC, the votes that were already in place, possibly by an attacker, would then discard the newly imported votes, so this would probably replace this data and these votes. But via the web interface I think it was not possible. However, we found enough abilities with database access that you could do it that way if you want to.

All right, thank you for your explanation. Out of pure curiosity, people ask how you got access to the software in the first place to carry out your analysis.
Well, that's a good question here because there's a nice story behind that. I was an election worker and I was supporting setting up the system and doing some IT support in the evening, and at some point we tried to merge our results. So we exported the results from one computer to move them to the other one; however, the import failed because there is some artificial limitation in the software: as soon as your export files are larger than 10 megabytes they cannot be imported anymore. This happens quite quickly when you have a few hundred votes or a few hundred ballots, and then the import doesn't work anymore. I had a look at this file, it was just a JSON file with a lot of white space, so I copied all the stuff to my computer to fix this. There was also later on a software fix that was published by the software vendor. However, then I had the software on my computer just because I wanted to fix this election, and it was really late at night. Then I returned home and I noticed, oh, I still have that software on my computer, let's have a look at this. So yeah, it was just by chance. I tried to fix something, got all the software on my PC and then I had it ready to analyze, even with some data on it, so that I really knew how this works in practice. But if someone would try to gain access to that software, that's quite simple, because they could just restore the deleted data from one of the computers that are in the schools; perhaps someone doesn't even delete the election software from their computer in the school, or some person could just steal one of the USB sticks that have been used for installation, and I don't even think that that would be noticed.

Interesting indeed. You mentioned in your talk that the software is certified by the BSI and that they claim to be certified by the Open Web Application Security Project, but how could such a broken system be certified by these parties in the first place, and what's wrong with the certification process?

Yes, this obviously happened. I mean, like, why not use a certified... why do we use certified stuff in the first place if it gets certified even if it's broken? I think the first point about this is that we already mentioned in the talk that there are no legal requirements; you don't need any certification so that software can be used in our voting, in our elections here in Germany, or in most parts of Germany. Additionally, the screenshot we showed with the OWASP and the BSI was just a promotion of AKDB for their software, but I think there was no real certification attached. So we don't know if the BSI ever saw this software for real, or if they just put it on there and said, yeah, BSI certified, or with the BSI standards in mind, like they already have the IT-Grundschutz and they maybe tried to implement it after this technology or after the system architecture, but the BSI never checked on it. So I don't think there's any real certification for the software. Just to add a few details here: that's not really a certification there, they just said that they follow the BSI and OWASP guidelines. I think that was also the wording that was used on the website, so there's no real certification behind that so far.

Thank you for the answer. Do you know by chance how the municipalities publish the election results?

Well, I don't know in detail how it works. When we handed in our election results they got uploaded onto some other software, and that's also the end that I've seen. So they're entered in the computer system and they're electronically transmitted, and first of all it generates a preliminary result, and finally there's a final result generated. However, I don't really know how this works, but the election results that were generated by OK Vote are definitely going into the final result. Perhaps there's also some paper-based protocol in between; I don't really know if they're using the data that's in the computer or the data that is on the paper, but however, it doesn't change very much here.

Okay, jumping over here a bit, the last question would be: in your experience, how practical and expensive are hand recounts here, and did you not observe these?

I think this is very different from election to election and from city to city. If this is a rather small town you could probably easily recount all the votes, but if this is a big city like Munich, for example, with millions of votes, and you would have to recount this, this would delay the result pretty much, and this could have really bad influences if it happened that the software showed that some kind of manipulation happened and they had to recount all the stuff by hand again. Counting this by hand is indeed very, very tough, because they have like 70 votes per ballot, and even summing up all that is still error prone if it's done by hand. So it's difficult to do that, and to my knowledge it's not generally recounted after the election. I tried to find something on the internet regarding that and I just found some PDF where they said, well, it's not practically feasible to recount all the election results and all the ballots, so they rather do a meta-level check: is the protocol complete, how about special ballots that were not really clear, and so on. But it's not like every ballot will be recounted, as far as I understand.

Okay, thank you very much, Tobias and Johannes, for answering all the questions. Thank you again for your talk. Thank you, thank you.
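The database abuse chain the speakers demonstrated (a root login with no password from another host, loading the ha_connect plugin, a CONNECT table whose backing file lands in the plugin directory, then loading that file as a plugin) leaves a recognisable trail in MariaDB's general query log. The following Python is an editorial example added after the talk; it is not code from the speakers, from the talk, or from AKDB. It runs a few detection rules over constructed general-log lines and tags each suspicious step with a severity. The log layout, the hostname pc-1939, the table names and the plugin path C:/okvote/mariadb/lib/plugin are assumptions made for the example.

```python
"""Detection rules for the MariaDB abuse chain described in the talk, applied
to MariaDB general-log lines. Editorial example; all sample data is constructed."""
import re
from dataclasses import dataclass

# Assumption: the counting PC uses the database only for itself, so any root
# login from a host other than these is treated as suspicious.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Approximation of the general-log text layout: optional "YYMMDD HH:MM:SS",
# a connection id, a command word and its argument. Real whitespace varies,
# which is why the pattern is deliberately loose.
LOG_RE = re.compile(
    r"^\s*(?:\d{6}\s+\d{2}:\d{2}:\d{2}\s+)?(\d+)\s+(Connect|Query|Quit)\s*(.*)$"
)
CONNECT_RE = re.compile(r"^(\w+)@([\w.:-]+)")
INSTALL_RE = re.compile(r"^\s*INSTALL\s+(?:SONAME|PLUGIN)\b", re.IGNORECASE)
CONNECT_ENGINE_RE = re.compile(r"ENGINE\s*=\s*CONNECT\b", re.IGNORECASE)
FILE_NAME_RE = re.compile(r"FILE_NAME\s*=\s*'([^']+)'", re.IGNORECASE)


@dataclass
class Finding:
    conn_id: int
    severity: str   # medium | high | critical
    rule: str
    detail: str


def parse_line(line):
    """Return (conn_id, command, argument), or None for lines that are not log records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3).strip()


def analyse(lines, plugin_dir):
    """Apply the detection rules and return the findings in log order."""
    findings = []
    remote_root = set()  # connection ids that authenticated as root from another host
    plugin_dir_norm = plugin_dir.replace("\\", "/").rstrip("/").lower()

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        cid, cmd, arg = parsed

        if cmd == "Connect":
            m = CONNECT_RE.match(arg)
            if m and m.group(1) == "root" and m.group(2).lower() not in LOCAL_HOSTS:
                remote_root.add(cid)
                findings.append(Finding(cid, "high", "remote-root-login", arg))

        elif cmd == "Query":
            if INSTALL_RE.match(arg):
                # Loading a plugin executes native code; from a remote root
                # session this is the final step of the chain in the talk.
                sev = "critical" if cid in remote_root else "high"
                findings.append(Finding(cid, sev, "plugin-install", arg))
            elif CONNECT_ENGINE_RE.search(arg):
                # A file-backed table is only dangerous when its file can later
                # be loaded as code: inside the plugin directory or named like a library.
                fm = FILE_NAME_RE.search(arg)
                path = fm.group(1).replace("\\", "/").lower() if fm else ""
                if path.startswith(plugin_dir_norm + "/") or path.endswith((".dll", ".so")):
                    findings.append(Finding(cid, "critical", "file-table-in-plugin-dir", arg))
                else:
                    findings.append(Finding(cid, "medium", "file-backed-table", arg))
    return findings


def worst_severity(findings):
    """Highest severity seen; a single go/no-go signal for the counting PC."""
    order = {"medium": 1, "high": 2, "critical": 3}
    return max((f.severity for f in findings), key=order.get, default=None)


# Constructed sample log: one legitimate local session of the counting
# application, then a session that mirrors the chain shown in the talk.
PLUGIN_DIR = "C:/okvote/mariadb/lib/plugin"   # assumed location
SAMPLE_LOG = [
    "210101 18:02:11     3 Connect   okvote@localhost on okvote",
    "                    3 Query     SELECT COUNT(*) FROM ballots",
    "210101 18:05:40     7 Connect   root@pc-1939 on",
    "                    7 Query     INSTALL SONAME 'ha_connect'",
    "                    7 Query     CREATE TABLE pwn (...) ENGINE=CONNECT "
    "FILE_NAME='C:/okvote/mariadb/lib/plugin/pwn.dll'",
    "                    7 Query     INSERT INTO pwn VALUES (...)",
    "                    7 Query     INSTALL SONAME 'pwn'",
    "                    7 Quit",
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG, PLUGIN_DIR)
    for f in found:
        print(f"conn {f.conn_id} [{f.severity}] {f.rule}: {f.detail}")
    print("worst:", worst_severity(found))
```

Running it on the sample produces four findings, all on connection 7: the remote root login, the two plugin loads and the CONNECT table pointing into the plugin directory; the legitimate local session produces none. The rules key on the remote root login rather than on the missing password, because the general log does not record how a session authenticated. To feed real data, MariaDB's general log has to be enabled (general_log, general_log_file and log_output are the server variables involved); this is a retrospective check, and the point the speakers make still stands: a counting PC should not expose the database on any network interface in the first place, and a check like this only tells you afterwards that it did.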