Hacker discovers vulnerability in election counting software: ‘Less than an hour of work’

4:02 PM in Domestic, Politics, Tech

A vulnerability in the vote counting software for the elections potentially made it possible to manipulate the election results.


A polling station at the 2023 Provincial Council elections
NOS News • Amended
  • Joost Schellevis

    editor Tech

A vulnerability in the vote counting software used for elections in the Netherlands potentially made it possible to manipulate election results. There is no evidence that this happened; a hacker who discovered the vulnerability reported it to the Electoral Council. It has now been resolved, the agency reports.

Municipalities use the software to add up the totals from polling stations. The vulnerable version was first used in the autumn of 2021, during the municipal redistricting elections. It was also used at the municipal elections a year later and at the Provincial Council elections last March.

The vulnerability was discovered in June. It will no longer be present in the upcoming House of Representatives elections on November 22.

Manipulated version

The vulnerability allowed malicious parties to gain access to the infrastructure of the software supplier that makes the vote counting software. This could have allowed a modified, manipulated version of the software to be distributed, which could ultimately, for example, have adjusted the results of elections.

The supplier of the software has “registered a number of login attempts”, the Electoral Council reported in response to questions from NOS. However, there is no reason to think that this led to misuse of the software, the authority emphasizes.

In addition, after the votes are counted, samples are taken to check whether the counts are correct, which should detect fraud.

Signature

The hacker who found and reported the problem discovered that vendor credentials were present in the installation software. This allowed him to log in to the supplier’s infrastructure, including the part of the infrastructure where the vote counting software was housed.

He could have placed his own, modified version of the software there. Whether that in itself would have been enough to manipulate the elections is not certain: in theory, municipalities must check whether the digital signature of the software is correct before using it.

With a forged signature, the modified software could have been made to pass as legitimate; to do this, the hacker would have had to penetrate further into the software’s internal infrastructure. There are no concrete indications that that was possible.

Picked up quickly

Hacker Maarten Boone, who found the vulnerability, writes that it took him less than an hour to find it. At the same time, he praises the response of the head of ICT security at the Electoral Council. “They picked it up very quickly and the resolution went smoothly and super fast,” Boone said.

He also writes that he is pleased with the practice in the Netherlands that hackers with good intentions can safely report vulnerabilities in computer programs, without having to fear prosecution.

Installation software

The security issue likely went unnoticed because previous security testing never examined the installation software, according to a decision note published by outgoing Minister De Jonge of the Interior. From now on, the installation software will also be included.

An additional security test conducted after the vulnerability was reported revealed two more minor security issues. These have now been resolved.
