Analysis Report: ccc.de
The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code.
Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries. „PC-Wahl“, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades.
The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages.  The technical details and the software used to exploit the weaknesses are published in a repository. 
„Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations“, says Linus Neumann, a speaker for the CCC that was involved in the study.
„A whole chain of serious flaws, from the update server, via the software itself through to the election results to be exported allows for us to demonstrate three practical attack scenarios in one“, Neumann continues.
The software can be used to record the result of the counting in a polling station and to transmit the result to the municipality. The local election authorities use the same software to aggregate the results and transmit them to the state election authorities. In some states „PC-Wahl“ is also used by the state election authorities.
The documented attacks have the potential to permanently impact public trust in the democratic process – even in cases where an actual manipulation would be discovered in hours or days. Whether an actual manipulation is discovered at all depends on the procedures followed in the various states – at this moment, and as a result of our findings, these procedures are being changed. In the state of Hesse it is now mandatory to verify every transmission using „PC-Wahl“ using some independent channel.
The attack scenarios shown, and the remarkably bad general state of this software call into question the security of competing products used for the same purpose. In the Netherlands, the Dutch version of another product, IVU.elect, used in Germany, was tested by Sjoerd van der Hoorn and Sijmen Ruwhof. The results were not pretty. 
„It is simply not the right millenium to quietly ignore IT-security problems in voting“, says Linus Neumann. „Effective protective measures have been available for decades, there is no conceivable reason not to use them.“