How you could hack the Dutch elections
… for the last 26 years, and counting (!)
Sijmen Ruwhof
Freelance IT Security Consultant / Ethical Hacker
SHA2017
• Started hacking in 1997: 19 years ago
• Since 2005 professional: 12 years ago
• 650+ security tests performed
Breaking into governmental organizations, banks and high-profile companies to help defend against hackers.
Who is Sijmen Ruwhof?
Some companies I work for
• Dutch voting process
• Weaknesses
• Improvements
• International context
Agenda
Voting process history
“We’ve heard about computers! They can automate things and save us time!
Let’s try it!”
1991-2009
“We hired TNO. They are like IBM, so it’s all fine. Don’t worry, they’re famous.”
1991-2009
• Amsterdam was one of the last cities to adopt voting machines.
• Rop Gonggrijp lived in Amsterdam.
1991-2009
• 1989: Author of hacking magazine
• 1993: Co-founder internet provider XS4ALL
• 1998: Sold XS4ALL to KPN
• 1998: Founded hacker company ITSX
• 2006: Sold ITSX to Madison Gurkha
• 2006: Founded ‘We don’t trust voting machines’
Meet Rop Gonggrijp
• 2006: Rop in TV broadcast: “Voting machines can be easily manipulated and voting secrecy can be easily circumvented.”
• 2006: Secret service: “Well, now you ask us, yes, he has a point.”
“Don’t trust voting machines”
• 2006: Cities: “It’s just an opinion. We don’t know Rop. Computers are valuable to us.”
• 2006: Minister: “The supplier promises it can fix the issues. We can trust them.”
“Don’t trust voting machines”
• 2006: Rop sues the government.
• 2007: Judge: “Rop is right. These voting machines can’t be trusted.”
• 2008: Government: “We have to obey a judge, so we must go back to pen & paper.”
“Don’t trust voting machines”
2009-now
Fast forward to 2017 >>>
“We heard old cryptography seems to be used, what’s the impact Sijmen?”
RTL News
“Wait! What? Software is used? No way.. we use paper!
They learned their lesson, right? … right?!!”
My initial reaction
RTL News explains:
• Voting with pencil & paper.
• Manual paper counting.
• But then (…)
2009-now
• Each city enters vote totals into computer program.
• City delivers USB stick to vote district:
2009-now
1. Local voting office : paper
2. City central voting office : digital
3. 20 voting districts : digital
4. Central election council : digital
2009-now
“This can’t be true.”
My reaction
Weaknesses
Started watching YouTube
Instructor leaks technical info
• One main webserver.
• Multiple clients can enter data via local network.
Risks:
• Multiple network connected computers involved.
• No HTTPS.
Client-server architecture
• No security policy.
• No security checks.
• Bring your own computer and USB stick.
Any computer will do
But: “WiFi should be turned off.”
Internet connected computers
• PDF with hash code is printed.
• XML files with vote totals are saved on USB stick.
• 1 person transfers results to election district.
SHA-1 & XML
• AutoRun
• BadUSB
• RubberDucky
USB attack
SHA1 hash in footer of PDF
Compare SHA1 hash
• Instructor doesn’t mention this important security check at all.
• No enforcement to enter the hash code.
• The insecure, old and deprecated SHA1 hash algorithm is used.
Bad crypto implementation
• Only first four characters have to be filled in.
• This limits the strength of the SHA1 check to 2^16 combinations (65,536 possibilities) and delivers almost zero cryptographic strength.
• Password auto completion is on.
• Short & weak passwords allowed.
• Instructor has username ‘osv’ and probably password ‘osv’.
No password policy
Software uses admin privileges
No auto hash check in place
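The hash comparison described on the slides above (not enforced, SHA1, only the first four characters), modelled next to a mandatory full-digest check and measured by how many altered files each one accepts. This is an added example, not OSV code or code from the talk; the sample XML, the function names and the 64-character SHA-256 comparison are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample standing in for a results file; not the real OSV XML format.
REFERENCE = b"<totals city='Example'><party id='1'>1200</party><party id='2'>950</party></totals>"

def weak_check(data: bytes, entered: str) -> bool:
    """Model of the check as the slides describe it: optional, SHA-1, four characters."""
    if not entered:                       # entering the hash is not enforced
        return True
    digest = hashlib.sha1(data).hexdigest()
    return digest[:4] == entered.strip().lower()[:4]

def strict_check(data: bytes, entered: str) -> bool:
    """Mandatory comparison of the complete SHA-256 digest."""
    expected = hashlib.sha256(data).hexdigest()
    candidate = "".join(entered.split()).lower()   # tolerate spaces from a grouped printout
    if len(candidate) != len(expected):            # empty or shortened input is rejected
        return False
    return hmac.compare_digest(candidate.encode(), expected.encode())

def false_accepts(check, printed: str, trials: int) -> int:
    """Count files that differ from REFERENCE yet pass `check` against the printed value."""
    accepted = 0
    for i in range(trials):
        altered = REFERENCE + b"<!-- %d -->" % i   # every trial is a different file
        if check(altered, printed):
            accepted += 1
    return accepted

def compare(trials: int = 1_000_000):
    """Return (altered files accepted by the weak check, by the strict check)."""
    printed_sha1 = hashlib.sha1(REFERENCE).hexdigest()
    printed_sha256 = hashlib.sha256(REFERENCE).hexdigest()
    weak = false_accepts(weak_check, printed_sha1[:4], trials)
    strict = false_accepts(strict_check, printed_sha256, trials)
    return weak, strict

if __name__ == "__main__":
    weak, strict = compare()
    print(f"four-character SHA-1 check accepted {weak} altered files")
    print(f"full SHA-256 check accepted {strict} altered files")
```

With four hexadecimal characters roughly one altered file in 65,536 passes, so a million trials yield on the order of fifteen acceptances, while the full-digest check accepts none.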
Just mail the results
• Design phase: No IT security expert was consulted.
• Test phase: No ethical hacker has reviewed OSV.
• It’s partly open source.
• Logs aren’t collected on a central server.
• No intrusion detection system is active.
• OSV integrity is hard to validate & optional.
• …
List continues
• Some problems already found by student Maarten Engberts in 2011, but ignored (!).
• Maarten went full disclosure.
Problems ignored for years
• I initially only spent three hours watching YouTube videos and reading PDF documentation.
• Conclusion: “This is absolutely terrible”
• RTL is shocked and asks Rop, a professor and another hacker to validate my research: they all agree.
Recap
It’s Groundhog Day again!
• Ignoring: Journalists couldn’t get in contact.
• Denying: To journalists: “Trust us, it’s safe”
• Threatening: To journalists: “We’ll see for who this is going to be a problem.”
Response from Election Council
• 2 days after publication: minister bans software.
• Cities respond angrily: “This can be fixed.”
Response to publication
• Minister: “Wow, you guys can yell. Please keep quiet! Elections are coming. Okay, you may use Excel!”
• Cities: “Excel? We want OSV back!”
• Vendor: “We can fix it.”
• Minister: “Ok. Fix it.”
• Vendor: “Ditch the USB sticks and airgap things. Use SHA256. Then it’s okay.”
Response to publication
“OSV is indeed very insecure.”
Fox-IT is hired
“The elections are in a few weeks and we can’t abort now! Let’s apply some quick fixes.”
Government reaction
• Elections were held.
• Everybody trusts the output.
• No transparency: election council went dark.
Current status
• Elections were insecure since 1991.
• Why should we trust the output?
Can current election be trusted?
Improvements
• Paper should always be in the lead.
• Printed PDFs can’t be trusted.
• Only use software to validate manual counting.
Improvements
• Complete transparency:
– Each voting office should publish results on their site and in their physical office.
– All processes & procedures should be documented & published.
Improvements
• Security awareness program for all employees.
• Implement security & fraud monitoring.
• Test if election can be manipulated.
Improvements
• Dutch voting process could be easily hacked since 1991: that’s 26 years, and still counting (!)
• We don’t know if someone tampered with results. We can’t check it. Logs are erased after 3 months.
This isn’t acceptable.
Conclusion
International context
Source: https://www.bloomberg.com/features/2016-how-to-hack-an-election/
Washington Post:
“Homeland Security official: Russian government actors tried to hack election systems in 21 states”
• Paper should always be in the lead.
• Full transparency.
• Computers are not secure enough to run an election.
Final words
• Current governments will never admit election insecurity.
• So *we* need to fight for and protect our democracy!
Final words
Sijmen.Ruwhof.net
twitter.com/sruwhof
Thanks!