2020 / Security Research

Election evaluation software with big security problems!

Shortly before the election in the USA, security problems in election evaluation software used in Switzerland have become public. Several cantons are using outdated and vulnerable software, which makes it clear that IT security has not been a major issue in recent years. Together with the Swiss online magazine Republik, IT security experts took a closer look at the software used.

Security problems in election evaluation software

At the end of September, the online magazine Republik published a report presenting the research results of two research teams from ETH and the University of Zurich. The research was prompted by the debates about security concerns in e-voting. Due to these concerns, e-voting has not been used in the past. Since this procedure has already been put on hold once, the researchers assumed a classic postal voting procedure.

In the course of the research, many different security gaps emerged; these are due to classic misconfigurations in the software. In addition, public security checks were not carried out in many cantons, so that, for example, “man in the middle” attacks are possible.

This is not the first time that security problems in election software have become public. In 2017, many security gaps were discovered in the election evaluation software of the provider Vote IT in Germany.

The second research team, from the University of Zurich, dealt with the individual software systems of the different cantons. Serious security flaws were found in many of these systems, even though only a very small number of interfaces were available for testing. An attack that was possible in one system allowed any user who knew the password to manipulate, copy or delete all entries in the database.

Requirements of the IT security experts

One member of the research team is the penetration tester Melchior Limbacher, who told Swiss television that the research team assumes that the systems used have never been tested for security. Although Republik has not yet received any indication that these vulnerabilities have been exploited, it is necessary that the software systems used comply with international security standards.

Another big problem is that some parts of the software systems are closed. This means that neither the research team nor any other user can see what is actually happening in the background. An increasingly popular method is to make software public. Limbacher said in the TV interview: “Making software public and verifiable is now considered the best way to achieve IT security.”

We have already talked about the topic of open source on many occasions. A good example is the HIBP founder Troy Hunt, who has also written about how important open source software is today. The Chaos Computer Club from Switzerland demands that the government and the individual cantons fulfill their security duty and use only secure software for the determination of results.

Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH, a trained IT risk manager and IT-Grundschutz Praktiker (TÜV), and I hold the audit procedure competence for § 8a BSIG. Our bread-and-butter business is carrying out penetration tests. Beyond that, we are committed to a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.