In this talk I'll present my findings when researching the security of the Dutch voting system. I quickly found various important security mistakes which would have made it very easy to tamper with the results. Based on my research the Dutch government dumped the voting software.
In this talk I'll present my findings when researching the security of the Dutch voting system that has been running the democratic election process since 2009. I quickly found various important security mistakes which would have made it very easy to tamper with the results. Based on my research the Dutch government stopped using the voting software. I'll walk through all the security mistakes and various attack scenarios I found and tell how I would hack the election.
How Hack Dutch Elections
1. How you could hack the Dutch elections
… for the last 26 years, and counting (!)
Sijmen Ruwhof
Freelance IT Security Consultant / Ethical Hacker
SHA2017
2. • Started hacking in 1997: 19 years ago
• Since 2005 professional: 12 years ago
• 650+ security tests performed
Breaking into governmental organizations, banks and high-profile
companies to help defend against hackers.
Who is Sijmen Ruwhof?
8. “We hired TNO. They are like IBM, so it’s all fine. Don’t
worry, they’re famous.”
1991-2009
9. • Amsterdam was one of the last cities to adopt voting machines.
• Rop Gonggrijp lived in Amsterdam.
1991-2009
10. • 1989: Author of hacking magazine
• 1993: Co-founder internet provider XS4ALL
• 1998: Sold XS4ALL to KPN
• 1998: Founded hacker company ITSX
• 2006: Sold ITSX to Madison Gurkha
• 2006: Founded ‘We don’t trust voting machines’
Meet Rop Gonggrijp
11. • 2006: Rop in TV broadcast:
“Voting machines can be easily manipulated and voting secrecy can
be easily circumvented.”
• 2006: Secret service: “Well, now you ask us, yes, he has a point.”
“Don’t trust voting machines”
12. • 2006: Cities: “It’s just an opinion. We don’t know Rop. Computers
are valuable to us.”
• 2006: Minister: “The supplier promises it can fix the issues. We can
trust them.”
“Don’t trust voting machines”
13. • 2006: Rop sues the government.
• 2007: Judge: “Rop is right. These voting machines can’t be
trusted.”
• 2008: Government: “We have to obey a judge, so we must go back
to pen & paper.”
“Don’t trust voting machines”
18. “We heard old cryptography seems to be used, what’s
the impact Sijmen?”
RTL News
19. “Wait! What? Software is used?
No way.. we use paper!
They learned their lesson, right?
… right?!!”
My initial reaction
20. RTL News explains:
• Voting with pencil & paper.
• Manual paper counting.
• But then (…)
2009-now
21. • Each city enters vote totals into computer program.
• City delivers USB stick to vote district:
2009-now
22. 1. Local voting office : paper
2. City central voting office : digital
3. 20 voting districts : digital
4. Central election council : digital
2009-now
27. • One main webserver.
• Multiple clients can enter data via local network.
Risks:
• Multiple network connected computers involved.
• No HTTPS.
Client-server architecture
28. • No security policy.
• No security checks.
• Bring your own computer and USB stick.
Any computer will do
30. • PDF with hash code is printed.
• XML files with vote totals are saved on USB stick.
• 1 person transfers results to election district.
SHA-1 & XML
34. • Instructor doesn’t mention this important security check at all.
• No enforcement to enter the hash code.
• The insecure, old and deprecated SHA1 hash algorithm is used.
Bad crypto implementation
36. • Only the first four characters have to be filled in.
• This limits the strength of the SHA1 hash to 2^16 combinations (65,536
possibilities) and delivers almost zero cryptographic strength.
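The effect of comparing only the first four hash characters, as an added example that is not from the talk or from OSV: it counts how many unrelated files have to be hashed before one shares the four-character SHA-1 prefix, and sets that check beside a comparison of the whole digest. The file contents, the function names and the choice of a full SHA-256 comparison as the stricter form are assumptions for illustration.

```python
import hashlib
import hmac

PREFIX_CHARS = 4                    # characters the operator has to enter (from the slide)
PREFIX_SPACE = 16 ** PREFIX_CHARS   # 65,536 possible prefixes

# Constructed sample input; not a real OSV export.
SAMPLE = b"constructed sample totals file"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def prefix_check(data: bytes, typed: str) -> bool:
    """Weak form: compare only the first four hex characters of SHA-1."""
    return sha1_hex(data)[:PREFIX_CHARS] == typed.strip().lower()[:PREFIX_CHARS]


def full_check(data: bytes, printed: str) -> bool:
    """Stricter form (assumed): whole SHA-256 digest, constant-time compare."""
    return hmac.compare_digest(sha256_hex(data), printed.strip().lower())


def files_until_prefix_match(original: bytes, limit: int = 5_000_000):
    """Count unrelated constructed files hashed before one shares the prefix."""
    target = sha1_hex(original)[:PREFIX_CHARS]
    for n in range(1, limit + 1):
        other = b"constructed unrelated file #%d" % n
        if sha1_hex(other)[:PREFIX_CHARS] == target:
            return n, other
    raise RuntimeError("no match within limit")


if __name__ == "__main__":
    tries, other = files_until_prefix_match(SAMPLE)
    print("prefix space:", PREFIX_SPACE)
    print("files hashed before a prefix match:", tries)
    print("prefix check accepts other file:", prefix_check(other, sha1_hex(SAMPLE)))
    print("full check accepts other file:  ", full_check(other, sha256_hex(SAMPLE)))
```

A full-digest comparison only helps when the reference digest reaches the verifier over a channel that is independent of the file it describes.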
37. • Password auto completion is on.
• Short & weak passwords allowed.
• Instructor has username ‘osv’ and probably password ‘osv’.
No password policy
41. • Design phase: No IT security expert was consulted.
• Test phase: No ethical hacker has reviewed OSV.
• It’s partly open source.
• Logs aren’t collected on a central server.
• No intrusion detection system is active.
• OSV integrity is hard to validate & optional.
• …
List continues
42. • Some problems already found by student Maarten Engberts in
2011, but ignored (!).
• Maarten went full disclosure.
Problems ignored for years
43. • I initially only spent three hours watching YouTube videos and
reading PDF documentation.
• Conclusion: “This is absolutely terrible”
• RTL is shocked and asks Rop, a professor and another hacker to
validate my research: they all agree.
Recapitulation
45. • Ignoring: Journalists couldn’t get in contact.
• Denying: To journalists: “Trust us, it’s safe”
• Threatening: To journalists:
“We’ll see for who this is going to be a problem.”
Response from Election Council
46. • 2 days after publication: minister bans software.
• Cities respond angrily: “This can be fixed.”
Response to publication
47. • Minister: “Wow, you guys can yell. Please keep quiet!
Elections are coming. Okay, you may use Excel!”
48. • Cities: “Excel? We want OSV back!”
• Vendor: “We can fix it.”
• Minister: “Ok. Fix it.”
• Vendor: “Ditch the USB sticks and airgap things. Use SHA256. Then
it’s okay.”
Response to publication
54. • Paper should always be in the lead.
• Printed PDFs can’t be trusted.
• Only use software to validate manual counting.
Improvements
55. • Complete transparency:
– Each voting office should publish results on their site and in their physical
office.
– All processes & procedures should be documented & published.
Improvements
56. • Security awareness program for all employees.
• Implement security & fraud monitoring.
• Test if election can be manipulated.
Improvements
57. • Dutch voting process could be easily hacked since 1991: that’s 26
years, and still counting (!)
• We don’t know if someone tampered with results. We can’t check
it. Logs are erased after 3 months.
This isn’t acceptable.
Conclusion