Date: 2009-09-17
Vulnerabilities Found in German Election Software

posted by mrpg on Sunday September 10, @04:07PM
from the I'm-not-a-berliner-but-I'm-worried dept.
Security

takyon writes:

Proprietary Software Used In German Elections Trivial To Hack, Say CCC Researchers

Security researchers from the Chaos Computer Club (CCC) have discovered that the software used to capture, aggregate, and tabulate the votes in many German elections had multiple vulnerabilities, exposing it to trivial potential attacks.

The proprietary software, called PC-Wahl, has been used to record, analyze, and present election data in national, state, and municipal elections for decades. The CCC hackers argued that the security holes are severe enough that they could jeopardize the trust in the final results of the upcoming parliamentary election (unless the security flaws are patched by then).

Also at Chaos Computer Club: Software to capture votes in upcoming national election is insecure.


  • (Score: 1, Informative) by Anonymous Coward on Sunday September 10, @04:29PM

    The list of vulnerabilities includes:

    • Updating the software over HTTP and not using signatures to ensure the authenticity of the updates.
    • The update server was installed on a shared hosting plan, which made it vulnerable to local privilege escalation attacks.
    • The FTP access credentials were located in a public file called test.zip that anyone could have found.
    • Voting results were transmitted over non-secure FTP transmissions that only rotated credentials once every few years. Alternatively, they could be transmitted over a non-secure XML protocol (that also happens to be a government standard).
    • The votes were encrypted with a hardcoded symmetric key, which made it easy to decrypt them.
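
The first item in the comment above (updates fetched over HTTP with no signature check) is the kind of gap a client-side verification step closes. The following is an added example, not part of the original comment and not code from PC-Wahl or the CCC: it checks an RSA PKCS#1 v1.5 / SHA-256 signature against a pinned public key before an update is accepted. The function names and the demo key are hypothetical and constructed for illustration; a real deployment would use a vetted cryptographic library and a properly generated key.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """Build the padded block that a valid SHA-256 RSA signature must decode to."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_update(package: bytes, signature: bytes, n: int, e: int) -> bool:
    """True only if `signature` is the vendor's RSA signature over `package`."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    # Recompute the expected block and compare whole, instead of parsing padding.
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(package, k))

# Constructed demo key from two Mersenne primes: NOT secure, offline demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays with the vendor

def sign_update(package: bytes) -> bytes:
    """Vendor side (hypothetical): sign the release before publishing it."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(package, k), "big")
    return pow(m, D, N).to_bytes(k, "big")

def install_if_authentic(package: bytes, signature: bytes) -> str:
    """Client side (hypothetical): refuse anything the pinned key did not sign."""
    return "installed" if verify_update(package, signature, N, E) else "rejected"

if __name__ == "__main__":
    release = b"constructed update payload, version 2"
    sig = sign_update(release)
    print(install_if_authentic(release, sig))
    print(install_if_authentic(release + b" (modified in transit)", sig))
```

Only the public values `N` and `E` need to ship with the client, so unlike a hardcoded symmetric key, extracting them from the installed software does not let anyone produce an update the client will accept.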
