How you could hack the Dutch elections … for the last 26 years, and counting (!) Sijmen Ruwhof Freelance IT Security Consultant / Ethical Hacker SHA2017


Page 1: How you could hack the Dutch elections for the last 26 years

How you could hack the Dutch elections

… for the last 26 years, and counting (!)

Sijmen Ruwhof

Freelance IT Security Consultant / Ethical Hacker

SHA2017

Page 2: How you could hack the Dutch elections for the last 26 years

• Started hacking in 1997: 19 years ago

• Since 2005 professional: 12 years ago

• 650+ security tests performed

Breaking into governmental organizations, banks and high-profile companies to help defend against hackers.

Who is Sijmen Ruwhof?

Page 3: How you could hack the Dutch elections for the last 26 years

Some companies I work for

Page 4: How you could hack the Dutch elections for the last 26 years

• Dutch voting process

• Weaknesses

• Improvements

• International context

Agenda

Page 5: How you could hack the Dutch elections for the last 26 years

Voting process history

Page 6: How you could hack the Dutch elections for the last 26 years

“We’ve heard about computers! They can automate things and save us time!

Let’s try it!”

1991-2009

Page 7: How you could hack the Dutch elections for the last 26 years

1991-2009

Page 8: How you could hack the Dutch elections for the last 26 years

“We hired TNO. They are like IBM, so it’s all fine. Don’t worry, they’re famous.”

1991-2009

Page 9: How you could hack the Dutch elections for the last 26 years

• Amsterdam was one of the last cities to adopt voting machines.

• Rop Gonggrijp lived in Amsterdam.

1991-2009

Page 10: How you could hack the Dutch elections for the last 26 years

• 1989: Author of hacking magazine

• 1993: Co-founder internet provider XS4ALL

• 1998: Sold XS4ALL to KPN

• 1998: Founded hacker company ITSX

• 2006: Sold ITSX to Madison Gurkha

• 2006: Founded ‘We don’t trust voting machines’

Meet Rop Gonggrijp

Page 11: How you could hack the Dutch elections for the last 26 years

• 2006: Rop in TV broadcast: “Voting machines can be easily manipulated and voting secrecy can be easily circumvented.”

• 2006: Secret service: “Well, now you ask us, yes, he has a point.”

“Don’t trust voting machines”

Page 12: How you could hack the Dutch elections for the last 26 years

• 2006: Cities: “It’s just an opinion. We don’t know Rop. Computers are valuable to us.”

• 2006: Minister: “The supplier promises it can fix the issues. We can trust them.”

“Don’t trust voting machines”

Page 13: How you could hack the Dutch elections for the last 26 years

• 2006: Rop sues the government.

• 2007: Judge: “Rop is right. These voting machines can’t be trusted.”

• 2008: Government: “We have to obey a judge, so we must go back to pen & paper.”

“Don’t trust voting machines”

Page 14: How you could hack the Dutch elections for the last 26 years

2009-now

Page 15: How you could hack the Dutch elections for the last 26 years

2009-now

Page 16: How you could hack the Dutch elections for the last 26 years

2009-now

Page 17: How you could hack the Dutch elections for the last 26 years

Fast forward to 2017 >>>

Page 18: How you could hack the Dutch elections for the last 26 years

“We heard old cryptography seems to be used, what’s the impact, Sijmen?”

RTL News

Page 19: How you could hack the Dutch elections for the last 26 years

“Wait! What? Software is used? No way.. we use paper!

They learned their lesson, right? … right?!!”

My initial reaction

Page 20: How you could hack the Dutch elections for the last 26 years

RTL News explains:

• Voting with pencil & paper.

• Manual paper counting.

• But then (…)

2009-now

Page 21: How you could hack the Dutch elections for the last 26 years

• Each city enters vote totals into computer program.

• City delivers USB stick to vote district:

2009-now

Page 22: How you could hack the Dutch elections for the last 26 years

1. Local voting office : paper

2. City central voting office : digital

3. 20 voting districts : digital

4. Central election council : digital

2009-now

Page 23: How you could hack the Dutch elections for the last 26 years

“This can’t be true.”

My reaction

Page 24: How you could hack the Dutch elections for the last 26 years

Weaknesses

Page 25: How you could hack the Dutch elections for the last 26 years

Started watching YouTube

Page 26: How you could hack the Dutch elections for the last 26 years

Instructor leaks technical info

Page 27: How you could hack the Dutch elections for the last 26 years

• One main webserver.

• Multiple clients can enter data via local network.

Risks:

• Multiple network connected computers involved.

• No HTTPS.

Client-server architecture

Page 28: How you could hack the Dutch elections for the last 26 years

• No security policy.

• No security checks.

• Bring your own computer and USB stick.

Any computer will do

Page 29: How you could hack the Dutch elections for the last 26 years

But: “WiFi should be turned off.”

Internet connected computers

Page 30: How you could hack the Dutch elections for the last 26 years

• PDF with hash code is printed.

• XML files with vote totals are saved on USB stick.

• 1 person transfers results to election district.

SHA-1 & XML

Page 31: How you could hack the Dutch elections for the last 26 years

• AutoRun

• BadUSB

• RubberDucky

USB attack

Page 32: How you could hack the Dutch elections for the last 26 years

SHA1 hash in footer of PDF

Page 33: How you could hack the Dutch elections for the last 26 years

Compare SHA1 hash

Page 34: How you could hack the Dutch elections for the last 26 years

• Instructor doesn’t mention this important security check at all.

• No enforcement to enter the hash code.

• The insecure, old and deprecated SHA1 hash algorithm is used.

Bad crypto implementation

Page 35: How you could hack the Dutch elections for the last 26 years
Page 36: How you could hack the Dutch elections for the last 26 years

• Only first four characters have to be filled in.

• This limits the strength of the SHA1 hash check to 2^16 combinations (65,536 possibilities) and delivers almost zero cryptographic strength.
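
A mandatory, full-length hash check of the kind these slides find missing, as an added example that is not OSV code and not part of the original talk. It assumes the receiving office recomputes a SHA-256 digest of the XML file and compares it with the value typed from the paper printout; all function names and the sample data are hypothetical.

```python
import hashlib
import hmac
import re

# Assumption: the receiver recomputes the digest of the XML file from the USB
# stick and compares it with the hash an operator types from the paper PDF.
ALGORITHM = "sha256"  # SHA-256 instead of the deprecated SHA-1
FULL_HEX_LEN = hashlib.new(ALGORITHM).digest_size * 2  # 64 hex characters

class HashCheckError(ValueError):
    """The typed hash is unusable; the import must not proceed."""

def normalise_typed_hash(typed: str) -> str:
    """Drop grouping characters and case differences, then demand full length."""
    cleaned = re.sub(r"[\s\-:]", "", typed).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned):
        raise HashCheckError("typed hash contains non-hexadecimal characters")
    if len(cleaned) != FULL_HEX_LEN:
        # Four hex characters cover only 16 bits; refuse any partial entry.
        raise HashCheckError(
            f"need all {FULL_HEX_LEN} characters, got {len(cleaned)} "
            f"({len(cleaned) * 4} of {FULL_HEX_LEN * 4} bits)"
        )
    return cleaned

def verify_results_file(xml_bytes: bytes, typed_hash: str) -> bool:
    """Return True only if the file matches the complete typed digest."""
    expected = normalise_typed_hash(typed_hash)
    actual = hashlib.new(ALGORITHM, xml_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def import_totals(xml_bytes: bytes, typed_hash: str) -> str:
    """Mandatory gate: a missing, partial or wrong hash rejects the file."""
    try:
        ok = verify_results_file(xml_bytes, typed_hash)
    except HashCheckError as exc:
        return f"REJECTED: {exc}"
    return "ACCEPTED" if ok else "REJECTED: digest mismatch"

# Constructed sample data, not a real results file.
SAMPLE_XML = b"<totals><party id='1'>1200</party><party id='2'>950</party></totals>"
SAMPLE_HASH = hashlib.new(ALGORITHM, SAMPLE_XML).hexdigest()

if __name__ == "__main__":
    print(import_totals(SAMPLE_XML, SAMPLE_HASH))       # complete hash
    print(import_totals(SAMPLE_XML, SAMPLE_HASH[:4]))   # four characters only
    print(import_totals(SAMPLE_XML.replace(b"950", b"959"), SAMPLE_HASH))
```
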

Page 37: How you could hack the Dutch elections for the last 26 years

• Password auto completion is on.

• Short & weak passwords allowed.

• Instructor has username ‘osv’ and probably password ‘osv’.

No password policy

Page 38: How you could hack the Dutch elections for the last 26 years

Software uses admin privileges

Page 39: How you could hack the Dutch elections for the last 26 years

No auto hash check in place

Page 40: How you could hack the Dutch elections for the last 26 years

Just mail the results

Page 41: How you could hack the Dutch elections for the last 26 years

• Design phase: No IT security expert was consulted.

• Test phase: No ethical hacker has reviewed OSV.

• It’s partly open source.

• Logs aren’t collected on a central server.

• No intrusion detection system is active.

• OSV integrity is hard to validate & optional.

• …

List continues

Page 42: How you could hack the Dutch elections for the last 26 years

• Some problems already found by student Maarten Engberts in 2011, but ignored (!).

• Maarten went full disclosure.

Problems ignored for years

Page 43: How you could hack the Dutch elections for the last 26 years

• I initially spent only three hours watching YouTube videos and reading PDF documentation.

• Conclusion: “This is absolutely terrible”

• RTL is shocked and asks Rop, a professor and another hacker to validate my research: they all agree.

Recapitulation

Page 44: How you could hack the Dutch elections for the last 26 years

It’s Groundhog Day again!

Page 45: How you could hack the Dutch elections for the last 26 years

• Ignoring: Journalists couldn’t get in contact.

• Denying: To journalists: “Trust us, it’s safe”

• Threatening: To journalists: “We’ll see for whom this is going to be a problem.”

Response from Election Council

Page 46: How you could hack the Dutch elections for the last 26 years

• 2 days after publication: minister bans software.

• Cities respond angrily: “This can be fixed.”

Response to publication

Page 47: How you could hack the Dutch elections for the last 26 years

• Minister: “Wow, you guys can yell. Please keep quiet! Elections are coming. Okay, you may use Excel!”

Page 48: How you could hack the Dutch elections for the last 26 years

• Cities: “Excel? We want OSV back!”

• Vendor: “We can fix it.”

• Minister: “Ok. Fix it.”

• Vendor: “Ditch the USB sticks and airgap things. Use SHA256. Then it’s okay.”

Response to publication

Page 49: How you could hack the Dutch elections for the last 26 years

“OSV is indeed very insecure.”

Fox-IT is hired

Page 50: How you could hack the Dutch elections for the last 26 years

“The elections are in a few weeks and we can’t abort now! Let’s apply some quick fixes.”

Government reaction

Page 51: How you could hack the Dutch elections for the last 26 years

• Elections were held.

• Everybody trusts the output.

• No transparency: election council went dark.

Current status

Page 52: How you could hack the Dutch elections for the last 26 years

• Elections were insecure since 1991.

• Why should we trust the output?

Can the current election be trusted?

Page 53: How you could hack the Dutch elections for the last 26 years

Improvements

Page 54: How you could hack the Dutch elections for the last 26 years

• Paper should always be in the lead.

• Printed PDFs can’t be trusted.

• Only use software to validate manual counting.

Improvements

Page 55: How you could hack the Dutch elections for the last 26 years

• Complete transparency:

– Each voting office should publish results on their site and in their physical office.

– All processes & procedures should be documented & published.

Improvements

Page 56: How you could hack the Dutch elections for the last 26 years

• Security awareness program for all employees.

• Implement security & fraud monitoring.

• Test if election can be manipulated.

Improvements

Page 57: How you could hack the Dutch elections for the last 26 years

• Dutch voting process could be easily hacked since 1991: that’s 26 years, and still counting (!)

• We don’t know if someone tampered with results. We can’t check it. Logs are erased after 3 months.

This isn’t acceptable.

Conclusion

Page 58: How you could hack the Dutch elections for the last 26 years

International context

Page 59: How you could hack the Dutch elections for the last 26 years

Source: https://www.bloomberg.com/features/2016-how-to-hack-an-election/

Page 60: How you could hack the Dutch elections for the last 26 years

Washington Post:

“Homeland Security official: Russian government actors tried to hack election systems in 21 states”

Page 64: How you could hack the Dutch elections for the last 26 years

• Paper should always be in the lead.

• Full transparency.

• Computers are not secure enough to run an election.

Final words

Page 65: How you could hack the Dutch elections for the last 26 years

• Current governments will never admit election insecurity.

• So *we* need to fight for and protect our democracy!

Final words

Page 66: How you could hack the Dutch elections for the last 26 years

Sijmen.Ruwhof.net

twitter.com/sruwhof

Thanks!