ANPEa polling station for the 2023 Provincial Council elections
NOS News•today, 4:02 PM•Adjusted today, 4:31 PM
Joost Schellevis
editor Tech
Joost Schellevis
editor Tech
A leak in the vote counting software used for elections in the Netherlands has potentially enabled the manipulation of election results. There is no evidence that that happened; a hacker who discovered the leak reported it to the Electoral Council. It has now been resolved, reports that agency.
Municipalities use the software, Supporting Software Elections 2020, to add up the totals from polling stations.
The leak allowed malicious parties to gain access to the infrastructure of the software supplier that makes the vote counting software. This could allow a modified, manipulated version of the software to be distributed, which could ultimately, for example, adjust the results of elections.
As far as we know, that did not actually happen. In addition, after the votes are counted, samples are taken to check whether the counts are correct, which should detect fraud. The leak will no longer be present in the upcoming House of Representatives elections on November 22.
Signature
The hacker who found and reported the problem discovered that vendor credentials were present in the source code of the installation software. This allowed him to log in to the supplier’s infrastructure, including the part of the infrastructure where the vote counting software was housed.
He could have placed his own, modified version of the software there. Whether that in itself would have been enough to manipulate the elections is not certain: in theory, municipalities must check whether the digital signature of the software is correct before using it.
A forged signature allowed the software to be identified as legitimate; To do this, the hacker would have had to penetrate further into the software’s internal infrastructure. There are no concrete indications that that was possible.
Arrested quickly
The problem was only noticed after the Provincial Council elections last March. It is unknown how many elections the vulnerable software was used in.
Hacker Maarten Boone, who found the leak, writes It took less than an hour to get to the bottom of the leak. At the same time, he praises the response of the head of ICT security at the Electoral Council. “They picked it up very quickly and the resolution went smoothly and super fast,” Boone said.
He also writes that he is pleased with the practice in the Netherlands that hackers with good intentions can safely report vulnerabilities in computer programs, without having to fear prosecution.
Installation software
The security issue was likely never noticed because previous security testing never examined the installation software. That can be read in one decision note that outgoing Minister De Jonge of the Interior published. From now on, the installation software will also be included.
An additional security test conducted after the breach was reported revealed two more minor security issues. These have now been resolved.
2023-09-12 14:02:39
#Hacker #discovers #vulnerability #election #counting #software #hour #work
