How you could hack the Dutch elections for the last 26 years
-
Upload
sijmen-ruwhof -
Category
Technology
-
view
2.836 -
download
0
Transcript of How you could hack the Dutch elections for the last 26 years
![Page 1: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/1.jpg)
How you could hack the Dutch elections
… for the last 26 years, and counting (!)
Sijmen RuwhofFreelance IT Security Consultant / Ethical Hacker
SHA2017
![Page 2: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/2.jpg)
• Started hacking in 1997: 19 years ago
• Since 2005 professional: 12 years ago
• 650+ security tests performed
Breaking into governmental organizations, banks and high-profile companies to help defend against hackers.
Who is Sijmen Ruwhof?
![Page 3: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/3.jpg)
Some companies I work for
![Page 4: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/4.jpg)
• Dutch voting process
• Weaknesses
• Improvements
• International context
Agenda
![Page 5: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/5.jpg)
Voting process history
![Page 6: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/6.jpg)
“We’ve heard about computers! They can automate things and save us time!
Let’s try it!”
1991-2009
![Page 7: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/7.jpg)
1991-2009
![Page 8: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/8.jpg)
“We hired TNO. They are like IBM, so it’s all fine. Don’t worry, they’re famous.”
1991-2009
![Page 9: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/9.jpg)
• Amsterdam was one of the last cities to adopt voting machines.
• Rop Gonggrijp lived in Amsterdam.
1991-2009
![Page 10: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/10.jpg)
• 1989: Author of hacking magazine
• 1993: Co-founder internet provider XS4ALL
• 1998: Sold XS4ALL to KPN
• 1998: Founded hacker company ITSX
• 2006: Sold ITSX to Madison Gurkha
• 2006: Founded ‘We don’t trust voting machines’
Meet Rop Gonggrijp
![Page 11: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/11.jpg)
• 2006: Rop in Tv broadcast: “Voting machines can be easily manipulated and voting secrecy can be easily circumvented.”
• 2006: Secret service: “Well, now you ask us, yes, he has a point.”
“Don’t trust voting machines”
![Page 12: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/12.jpg)
• 2006: Cities: “It’s just an opinion. We don’t know Rop. Computers are valuable to us.”
• 2006: Minister: “The supplier promises it can fix the issues. We can trust them.”
“Don’t trust voting machines”
![Page 13: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/13.jpg)
• 2006: Rop sues the government.
• 2007: Judge: “Rop is right. These voting machines can’t be trusted.”
• 2008: Government: “We have to obey a judge, so we must go back to pen & paper.”
“Don’t trust voting machines”
![Page 14: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/14.jpg)
2009-now
![Page 15: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/15.jpg)
2009-now
![Page 16: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/16.jpg)
2009-now
![Page 17: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/17.jpg)
Fast forward to 2017 >>>
![Page 18: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/18.jpg)
“We heard old cryptography seems to be used, what’sthe impact Sijmen?”
RTL News
![Page 19: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/19.jpg)
“Wait! What? Software is used? No way.. we use paper!
They learned their lesson, right? … right?!!”
My initial reaction
![Page 20: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/20.jpg)
RTL News explains:
• Voting with pencil & paper.
• Manual paper counting.
• But then (…)
2009-now
![Page 21: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/21.jpg)
• Each city enters vote totals into computer program.
• City delivers USB stick to vote district:
2009-now
![Page 22: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/22.jpg)
1. Local voting office : paper
2. City central voting office : digital
3. 20 voting districts : digital
4. Central election council : digital
2009-now
![Page 23: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/23.jpg)
“This can’t be true.”
My reaction
![Page 24: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/24.jpg)
Weaknesses
![Page 25: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/25.jpg)
Starting watching YouTube
![Page 26: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/26.jpg)
Instructor leaks technical info
![Page 27: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/27.jpg)
• One main webserver.
• Multiple clients can enter data via local network.
Risks:
• Multiple network connected computers involved.
• No HTTPS.
Client-server architecture
![Page 28: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/28.jpg)
• No security policy.
• No security checks.
• Bring your own computer and USB stick.
Any computer will do
![Page 29: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/29.jpg)
But: “WiFi should be turned off.”
Internet connected computers
![Page 30: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/30.jpg)
• PDF with hash code is printed.
• XML files with vote totals is saved on USB stick.
• 1 person transfers results to election district.
SHA-1 & XML
![Page 31: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/31.jpg)
• AutoRun
• BadUSB
• RubberDucky
USB attack
![Page 32: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/32.jpg)
SHA1 hash in footer of PDF
![Page 33: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/33.jpg)
Compare SHA1 hash
![Page 34: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/34.jpg)
• Instructor doesn’t mention this important security check at all.
• No enforcement to enter the hash code.
• The insecure, old and deprecated SHA1 hash algorithm is used.
Bad crypto implementation
![Page 35: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/35.jpg)
![Page 36: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/36.jpg)
• Only first four characters have to be filled in.
• Limit the strength of the SHA1 key to 2^16 combinations (65,536 possibilities) and delivers almost zero cryptographic strength.
![Page 37: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/37.jpg)
• Password auto completion is on.
• Short & weak passwords allowed.
• Instructor has username ‘osv’ and probably password ‘osv’.
No password policy
![Page 38: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/38.jpg)
Software uses admin privileges
![Page 39: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/39.jpg)
No auto hash check in place
![Page 40: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/40.jpg)
Just mail the results
![Page 41: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/41.jpg)
• Design phase: No IT security expert was consulted.
• Test phase: No ethical hacker has reviewed OSV.
• It’s partly open source.
• Logs aren’t collected on a central server.
• No intrusion detection system is active.
• OSV integrity is hard to validate & optional.
• …
List continues
![Page 42: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/42.jpg)
• Some problems already found by student Maarten Engberts in 2011, but ignored (!).
• Maarten went full disclosure.
Problems ignored for years
![Page 43: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/43.jpg)
• I initially only spend three hours watching YouTube video’s and reading PDF documentation.
• Conclusion: “This is absolutely terrible”
• RTL is shocked and asks Rop, a professor and another hacker to validate my research: they all agree.
Recapitulatory
![Page 44: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/44.jpg)
It’s Groundhog Day again!
![Page 45: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/45.jpg)
• Ignoring: Journalists couldn’t get contact.
• Denying: To journalists:“Trust us, it’s safe”
• Threaten: To journalists: “We’ll see for who this is going to be a problem.”
Response from Election Council
![Page 46: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/46.jpg)
• 2 days after publication: minister bans software.
• Cities respond angry: “This can be fixed.”
Response to publication
![Page 47: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/47.jpg)
• Minister: “Wow, you guys can yell. Please keep quiet! Elections are coming. Okay, you may use Excel!”
![Page 48: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/48.jpg)
• Cities: “Excel? We want OSV back!”
• Vendor: “We can fix it.”
• Minister: “Ok. Fix it.”
• Vendor: “Ditch the USB sticks and airgap things. Use SHA256. Then it’s okay.”
Response to publication
![Page 49: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/49.jpg)
“OSV is indeed very insecure.”
Fox-IT is hired
![Page 50: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/50.jpg)
“The elections are in a few weeks and we can’t abort now! Let’s apply some quick fixes.”
Government reaction
![Page 51: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/51.jpg)
• Elections were held.
• Everybody trusts the output.
• No transparency: election council went dark.
Current status
![Page 52: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/52.jpg)
• Elections were insecure since 1991.
• Why should we trust the output?
Can current election be trusted?
![Page 53: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/53.jpg)
Improvements
![Page 54: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/54.jpg)
• Paper should always be in the lead.
• Printed PDFs can’t be trusted.
• Only use software to validate manual counting.
Improvements
![Page 55: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/55.jpg)
• Complete transparency:
– Each voting office should publish results on their site and in their physical office.
– All processes & procedures should be documented & published.
Improvements
![Page 56: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/56.jpg)
• Security awareness program for all employees.
• Implement security & fraud monitoring
• Test if election can be manipulated.
Improvements
![Page 57: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/57.jpg)
• Dutch voting process could be easily hacked since 1991: that’s 26 years, and still counting (!)
• We don’t know if someone tampered with results. We can’t check it. Logs are erased after 3 months.
This isn’t acceptable.
Conclusion
![Page 58: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/58.jpg)
International context
![Page 59: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/59.jpg)
Source: https://www.bloomberg.com/features/2016-how-to-hack-an-election/
![Page 60: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/60.jpg)
Washington Post:
“Homeland Security official: Russian government actors tried to hack election systems in 21 states”
![Page 61: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/61.jpg)
![Page 62: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/62.jpg)
![Page 63: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/63.jpg)
![Page 64: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/64.jpg)
• Paper should always be in the lead.
• Full transparency.
• Computers are not secure enough to run an election.
Final words
![Page 65: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/65.jpg)
• Current governments will never admit election insecurity.
• So *we* need to fight for and protect our democracy!
Final words
![Page 66: How you could hack the Dutch elections for the last 26 years](https://reader034.fdocuments.in/reader034/viewer/2022050613/5a67d4697f8b9aa6128b5277/html5/thumbnails/66.jpg)
Sijmen.Ruwhof.net
twitter.com/sruwhof
Thanks!