In Switzerland, more than half of the cantons use obsolete and vulnerable software to determine election results. This is the finding of research published at the end of last week by the Swiss online magazine Republik in cooperation with IT security experts. They emphasize that some of these software systems did not meet international security standards.
The vulnerabilities include missing security precautions, weak encryption and various server misconfigurations. According to Republik, the programs of two software companies and the in-house developments of three cantons are affected above all.
In the cantons, a few different software products and specialized systems are used for votes and elections. These programs, referred to as "result program software", calculate seat gains and losses in real time and present them graphically.
Non-transparent, obsolete and defective software
As Republik writes, two research teams from ETH and the University of Zurich analyzed the Swiss electoral processes last year, following the debates over "e-voting", which was recently put on ice because of security concerns. They took classical absentee voting as their starting point. In doing so, they came across non-transparent, outdated and defective software systems that were used for counting votes cast on paper.
According to an investigation by ETH Zurich, many cantons use software for result determination that has not undergone a public security review. In its study "Cyber-Risks in Paper Voting", the ETH research team also dealt with the situation in Germany, where serious security deficiencies in the election evaluation software PC-Wahl from the provider vote iT were likewise revealed in 2017.
"Man in the middle" and weak default passwords
The second research team, from the University of Zurich, worked with Republik author Adrienne Fichter to take a deeper look at the individual software systems of the cantons, as far as these could be analyzed for defects at all using publicly available interfaces and information.
The computer science doctoral researcher Christian Killer and the Zurich IT security consultant and penetration tester Melchior Limacher examined auxiliary programs for at least 14 cantons. According to Republik, the various problems and security gaps include "man in the middle" attacks, potential insider attacks and weak default passwords. In one system, anyone in possession of the password can fully manipulate all records directly in the database, according to the online magazine. "Failings of the software providers, but also a lack of IT security awareness in cantonal administrations" are what Republik sees as the cause of the security issues.
So far no security specifications
The research also shows a clear regulatory gap. According to Republik, there are "until today no security specifications for the purchase and operation of such systems". Penetration tester Limacher told Swiss television (SRF) that he assumed the systems had never been checked for security and that no corresponding requirements existed.
Nevertheless, according to Republik, it has "received or found no indications that the above weak points have been exploited in the past".
Faller software required
In addition, according to Killer and Limacher, some of the election systems suffer from their lack of transparency. "We have found that closed systems are often in use. This means it cannot be verified whether a system really does what it should do", they told SRF. In addition to national regulation, there are other possibilities here, the two agreed according to SRF: "Software public and checkable will be considered today as a congestion in IT security".
The online magazine's report prompted a strong response and much discussion. Some cantons apparently see a need for action, and one of the software companies has said it wants to improve security.
Holding the cantons to their obligation
Hernani Marques of the Swiss Chaos Computer Club demands "that the same criteria must apply to digital result determination as to the highly regulated e-voting". He calls on the federal government to exercise its supervisory duty, to insist on minimum standards in cantons and municipalities, and to make independent checks of the systems compulsory.
The Federal Chancellery, in turn, now wants to hold the cantons to their duty: they have to deal with the security of their software. Any weaknesses or problems are to be analyzed by the responsible offices and fixed where necessary, according to the federal government. However, the first political voices take a different view: "The federal government cannot just look away. The scope is too significant", says Green Liberal National Councillor Judith Bellaiche.