That is not good at all. Weeks before the federal election in Germany, the cybersecurity collective Chaos Computer Club (CCC) warns that the designated software for registering votes is plagued with critical vulnerabilities.
The organization, which has previously unearthed flaws in Samsung S8’s hardware, conducted a thorough analysis of the tabulating system for the upcoming election and discovered severe flaws that could be exploited to tamper with the vote count.
The news comes in the midst of reports suspecting Russian intervention in last year’s US election.
“Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries,” the group says. “‘PC-Wahl’, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades.”
CCC spokesperson Linus Neumann further noted that “the amount of vulnerabilities and their severity exceeded our worst expectations.”
According to the collective’s assessment, malicious agents are likely already aware of these shortcomings. The CCC said that penetrating the voting mechanism, as well as the server where the data is hosted, proved to be scarily easy during their testing attempts.
“A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one,” Neumann added.
Among other things, the cybersecurity club found that the automated software updates carry no signature and are downloaded insecurely over plain HTTP. They also observed that the encryption applied to registered votes was fully reversible, since the symmetric key was hardcoded in the software.
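The two findings in the paragraph above translate into two checks an update client must enforce before it applies anything: the download must come over an authenticated transport, and the payload must be verified against something the attacker cannot forge. The following is an added example written for this article, not code from the CCC report or from PC-Wahl; all names (`PINNED_MANIFEST`, `accept_update`, the update URL and payload) are constructed, and a SHA-256 digest pinned inside the client stands in for a proper vendor signature, which is what a real updater should verify.

```python
"""Minimal update-acceptance policy (added example, hypothetical names).

Enforces the two properties the article says PC-Wahl's updater lacked:
  1. updates are fetched only over TLS, never plain HTTP;
  2. the payload is checked against a digest the client already trusts,
     so a tampered or substituted archive is rejected before it is applied.
SHA-256 pinning is a stand-in here; in practice the pinned manifest would
itself be signed with the vendor's offline key.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload standing in for an update archive.
UPDATE_PAYLOAD = b"demo-update-archive-v2\n"

# Constructed manifest shipped with the client (hypothetical file name).
PINNED_MANIFEST = {
    "update-v2.zip": hashlib.sha256(UPDATE_PAYLOAD).hexdigest(),
}


class UpdateRejected(Exception):
    """Raised when an update fails a policy check."""


def check_transport(url: str) -> bool:
    """Reject any update source that is not served over HTTPS."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"refusing non-TLS update source: {url}")
    return True


def check_integrity(name: str, blob: bytes) -> bool:
    """Compare the payload digest with the pinned one in constant time."""
    expected = PINNED_MANIFEST.get(name)
    if expected is None:
        raise UpdateRejected(f"no pinned digest for {name}")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected(f"digest mismatch for {name}")
    return True


def accept_update(url: str, name: str, blob: bytes) -> bool:
    """Return True only if both transport and integrity checks pass."""
    try:
        check_transport(url)
        check_integrity(name, blob)
    except UpdateRejected:
        return False
    return True


if __name__ == "__main__":
    good = accept_update("https://updates.example.invalid/update-v2.zip",
                         "update-v2.zip", UPDATE_PAYLOAD)
    plain_http = accept_update("http://updates.example.invalid/update-v2.zip",
                               "update-v2.zip", UPDATE_PAYLOAD)
    tampered = accept_update("https://updates.example.invalid/update-v2.zip",
                             "update-v2.zip", UPDATE_PAYLOAD + b"x")
    print(f"genuine over TLS: {good}, plain HTTP: {plain_http}, tampered: {tampered}")
```

An updater that does neither check, as described for PC-Wahl, will install whatever a network position or a compromised update server hands it; with both checks in place, a substituted archive fails the digest comparison and a downgrade to plain HTTP is refused before any bytes are fetched.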
In fact, the vulnerabilities were so glaring that, if not properly addressed, the CCC fears “the documented attacks have the potential to permanently impact public trust in the democratic process.”
The group has since posted a detailed proof-of-concept in this report [PDF] – but you had better bring your German dictionary with you.