Security assessment of Dutch election software

Last month I started an independent security assessment of the software that totalizes votes in the upcoming Dutch elections on March 21, 2018. The software is called OSV (Ondersteunende Software Verkiezingen) and is made by the German company IVU Traffic Technologies AG. IVU was hired to do so by the Electoral Council (Kiesraad).

OSV programs 4 and 5 (P4, P5), version 2.21.4, were in scope of this security assessment. This is the official version that will be used in the Dutch elections held on March 21, 2018. OSV P4 and P5 are responsible for totalizing the election outcome.

The security review of OSV P4 and P5 and the processes around it found 47 security vulnerabilities:

Tonight RTL News went live with the research on Dutch national TV:

Validated research
The following IT security experts were consulted and helped validate the findings:

  1. Election security specialists Rop Gonggrijp and Arjen Kamphuis.
  2. Professor of IT security Herbert Bos from VU University Amsterdam and his team:
    Marco Oliverio, Sanjay Rawat, Sebastian Österlund and Andrei Tatar
  3. Independent IT security researchers and ethical hackers:
    Ger Schinkel and John de Kroon.

Most important findings

1. Software decides who won the election and this output is fully trusted again
RTL News found out that the Electoral Council and municipalities silently trusted OSV output again and will use it to calculate who will win the upcoming elections on March 21, 2018. This renewed trust in OSV was not validated by an independent respectable cyber security firm. The Electoral Council did not hire Fox IT again in 2018 to check if all major security risks were properly solved in the new OSV version made by IVU.

After election day, on March 22, 2018, civil servants from the central vote office of a municipality will enter vote totals from polling stations into OSV. OSV will totalize all vote totals per candidate and generate a PDF file that contains the election result that has to be printed (an N11 and O3 document). The printed election result becomes the official and trusted ‘paper that is in the lead’. It will not be manually validated by civil servants, as OSV is trusted to be unhackable again.

If someone hacks the OSV server, then this person can easily manipulate votes by changing votes stored in the OSV database and in the PDF files stored on the server that have to be printed.

2. OSV security has not been substantially improved in comparison with last year
If OSV output is trusted again, you would expect security to be significantly improved. And indeed, security improvements have been made, but not enough. Last year, on January 30, 2017, IT security researcher Sijmen Ruwhof published on his weblog a detailed technical analysis of all the weaknesses he found in OSV P4 and P5. A retest has been performed to see if the findings mentioned on the weblog were resolved in the latest version of OSV:

There are 25 open security risks after the retest (all unsolved and partly solved findings):

The retest shows that OSV security has not been substantially improved in comparison with last year.

3. OSV uses out-dated, deprecated and insecure technology from ten years ago
OSV was developed in 2008 and has not changed a lot over the years. The OSV version used in the March 2018 election still uses very old and insecure (JBoss & Java) technology from 2008 and 2013, which is missing many important security updates. These technologies are also not properly configured and hardened against hack attacks. An advanced hacker who has gained access to the offline OSV network of a municipality could break into the OSV server by exploiting unpatched security vulnerabilities. Once an adversary has gained access to the OSV server, votes can easily be changed without detection.

Professor of IT security Herbert Bos from VU University Amsterdam also independently investigated the OSV source code. He came to the following conclusion: “The OSV source code is written very poorly. For that reason alone it should be abolished.”

4. Sophisticated or opportunistic attackers can influence election outcome probably unnoticed
Based on all 47 vulnerabilities found in OSV and the processes around it, it is believed that hackers from foreign intelligence agencies can easily manipulate vote totals by hacking into the OSV server of a municipality. But election fraud may also come from much closer, for example from opportunistic or bribed system administrators working at municipalities who already have full access to the OSV server. As active security and fraud monitoring on OSV servers is missing, fraud will probably go undetected if it is not done too obviously and greedily.

5. Official vote reports from polling stations are not published on the internet
Currently it is up to each municipality to publish the vote totals of each polling station on their website. Some cities publish in their own format all the vote totals of a polling station, and others only publish the aggregated total votes in a municipality without details of all the vote totals of each polling station. Scans of each official paper polling station report (process-verbaal) are never uploaded to the internet. A digital export file of all the vote totals is generated by OSV. This file is in some cases converted to HTML by municipalities and published (partially) on their website.

The official polling station reports that contain all the vote totals of a municipality can only be viewed offline at the office of a municipality. This raises the bar significantly for citizens and polling station chairmen who want to validate whether someone has tampered with the election outcome in the totalization process. If a concerned citizen wants to independently validate the totalizing of all votes in The Netherlands, he or she would have to visit each municipality and copy all the official reports from polling stations. This takes a lot of time. Elections should be completely verifiable with minimal effort by everyone who thinks election integrity is at risk.

Most important recommendations

1. Do not trust output from OSV again: use OSV to validate manually counted votes
History shows that exclusive manual aggregation of vote totals is error-prone, and exclusive digital aggregation of vote totals is vulnerable to manipulation by sophisticated attackers.

OSV can be useful however, even to strengthen the security of an election. All vote totals for each candidate from a political party should be manually totalized by the central vote office of a municipality. Afterwards, the vote totals as calculated by each independent polling station in a municipality should be entered into OSV. OSV should also totalize all vote totals and calculate who won the election. OSV output should be used to verify if the manual totalization is done properly and without mistakes.

Distrusting OSV and manually totalizing vote totals takes a couple more days to perform, but eliminates all the risks that our election can be hacked by manipulating vote totals. Waiting a couple more days for the election outcome is nothing compared to the impact if the election gets hacked. Official paper vote total reports of municipalities should be filled in manually by civil servants based on the manually calculated vote totals. OSV prints should never be used as official documents anymore. The cyber security of OSV is of much less importance if its output is distrusted.
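The cross-check recommended above, as an added example that is not code from OSV or from this assessment: polling-station totals are summed independently and compared per candidate with the software's totals. The data layout, names and numbers are constructed for illustration and are not OSV's export format.

```python
from collections import Counter

# Constructed sample: per-candidate totals copied from each polling station's
# paper report, keyed by (list, candidate). Hypothetical layout, not OSV's.
STATION_REPORTS = {
    "station-01": {("List A", "cand 1"): 412, ("List A", "cand 2"): 88,
                   ("List B", "cand 1"): 305, ("List B", "cand 2"): 41},
    "station-02": {("List A", "cand 1"): 230, ("List A", "cand 2"): 51,
                   ("List B", "cand 1"): 377, ("List B", "cand 2"): 64},
    "station-03": {("List A", "cand 1"): 158, ("List A", "cand 2"): 19,
                   ("List B", "cand 1"): 190, ("List B", "cand 2"): 27},
}

# Constructed software output in which 30 votes were moved from one candidate
# to another, so the grand total is unchanged.
SOFTWARE_TOTALS = {
    ("List A", "cand 1"): 770, ("List A", "cand 2"): 158,
    ("List B", "cand 1"): 902, ("List B", "cand 2"): 132,
}


def totalize(station_reports):
    """Sum per-candidate votes over all stations, independently of the software."""
    totals = Counter()
    for station, counts in station_reports.items():
        for key, votes in counts.items():
            # Reject values that cannot be a vote count instead of summing them.
            if not isinstance(votes, int) or isinstance(votes, bool) or votes < 0:
                raise ValueError(f"{station}: invalid count {votes!r} for {key}")
            totals[key] += votes
    return dict(totals)


def compare(manual, software):
    """Return {key: (manual, software)} for every candidate whose totals differ.

    A candidate missing on one side is reported with None on that side.
    """
    diffs = {}
    for key in sorted(set(manual) | set(software)):
        m, s = manual.get(key), software.get(key)
        if m != s:
            diffs[key] = (m, s)
    return diffs


def verify(station_reports, software_totals):
    manual = totalize(station_reports)
    return {
        # A grand-total check alone misses votes shifted between candidates.
        "grand_total_matches": sum(manual.values()) == sum(software_totals.values()),
        "discrepancies": compare(manual, software_totals),
    }


if __name__ == "__main__":
    result = verify(STATION_REPORTS, SOFTWARE_TOTALS)
    print("grand total matches:", result["grand_total_matches"])
    for key, (manual, software) in result["discrepancies"].items():
        print(f"{key}: manual={manual} software={software}")
```

In the sample, the grand totals agree while two candidates differ by 30 votes each, which is why the comparison has to be made per candidate and not only on aggregate figures.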

2. Complete transparency and easy access of official vote reports from polling stations
It is strongly advised to immediately scan all official vote total reports (processen-verbalen) from polling stations and upload them to a secure portal a couple of days after elections are held. This portal does not currently exist and should be developed by the Central Electoral Council. This portal should also publish all uploaded official vote total reports on its website so people can independently review them.

In a reaction, the Electoral Council stated to RTL News: “A bill is being prepared in which all official reports from polling stations will be made public on the internet in the future.” Good to hear this point is already being picked up!


It is strongly and urgently recommended not to trust software output in determining who won an election. Software can be hacked undetectably at many levels and stages. Even offline and air-gapped networks can be hacked with utmost precision, as shown in the news about the Stuxnet worm in 2010. Recent history has shown that intelligence agencies worldwide have breached the most well-protected IT networks in the world with highly advanced and complex malware infrastructure.

OSV uses out-dated, deprecated and insecure technology from ten years ago. OSV security has not been substantially improved in comparison with last year. It is built by a software company that seems to have no clue about how to protect software against hackers and today's cyber threat landscape. Over 50 security weaknesses have been identified in only a couple of days. OSV’s security architecture is broken by design: it has major security flaws that can’t be fixed.

OSV should be used only to validate whether the manual totalizing of vote totals was done properly and without any mistakes.

VU University Amsterdam

The department specialized in IT security (VUSec) from VU University Amsterdam was contacted to also look into the security of OSV and to validate this research. They also published a security analysis of OSV:

  • “[..] During our analysis, we focused (almost) exclusively on the code. A related and very readable security analysis by Sijmen Ruwhof that focuses more on the context and use. We agree with his findings and just report on the more technical issues that we discovered. The issues we found, combined with the security analysis by Sijmen Ruwhof are sufficient reason for us to conclude that we should not rely on this software for something that is so essential to the heart of a democratic state itself as the election results. [..] Software is inherently vulnerable and corruption and manipulation by attackers may have huge consequences for the trustworthiness of the election results, and, as a consequence, the trust voters may have in the democratic system. Do not gamble with the elections. Do not rely on software alone. [..]”

Update March 13, 2018: RTL Late Night

Talk show RTL Late Night about the insecure election software on Dutch national TV:

Update March 13, 2018

Update March 14, 2018: Responsible minister responds to our research

The Dutch minister of Internal Affairs, Kajsa Ollongren, answers questions from political parties about the insecure vote count software:

The minister ignores our research and continues trusting the output of the software, without manually validating it (!). This is very irresponsible and dangerous! Our elections will still be hackable next week on March 21, 2018. Unbelievable.

Update March 15, 2018: Interviewed by DUIC

De Utrecht Internet Courant (DUIC) interviewed me about how the elections in the municipality of Utrecht (and the rest of the country) are calculated in a back room:

Update March 19, 2018: Platform Honest Elections starts action

The platform Honest Elections starts an action to validate the election results:

“Platform Eerlijke Verkiezingen calls on citizens: Help check the result of the municipal council elections

Platform Eerlijke Verkiezingen calls on as many citizens as possible to help check the municipal council elections this coming Wednesday. People can sign up as volunteer election observers at “During the parliamentary elections of March 2017, many irregularities were established”, says spokesperson Matthijs Pontier, himself a candidate council member in Amsterdam. “That must not happen again.”

Ollongren reverses Plasterk's security measures
Last year, research by RTL Nieuws showed that the software used to add up the votes in elections was full of leaks. In response, then-minister Plasterk took measures: from then on, the counting and processing of all votes had to take place in the presence of 2 persons, and the votes were added up not only by computer but also by hand. On March 13, RTL Nieuws again discovered that Ollongren has silently reversed those measures.

According to the IT experts, the result is therefore not secure. The ethical hacker Sijmen Ruwhof, who tests IT systems on behalf of large banks and companies, found 50 security problems in the software that will be used this coming Wednesday. Ethical hacker Ger Schinkel established that the software uses an outdated Java version “while Java is known to be like Swiss cheese if you do not keep it up to date”, according to Schinkel. For 10 years there has been strong criticism from IT experts of both voting computers and the counting software.

Call to citizens: sign up as an election observer at
“We believe that an election result must always be beyond all doubt”, says spokesperson Matthijs Pontier. “If the government does not arrange it, then we citizens will have to do it ourselves. That is why we call on citizens to sign up as election observers at and to be ready to go to a local polling station on Wednesday evening after 9 o'clock, when the counting of the votes begins. Everyone who signs up will receive an email from us telling them which polling station in their neighbourhood they can go to”, according to Pontier.”

Update March 20, 2018: Answers on questions from political party SP Utrecht

On March 15, 2018, political party SP submitted official questions to the municipality of Utrecht. They were answered on March 20, 2018:

Question 1: Is it correct that the central vote office, chaired by the mayor, is responsible for the entire election process?
Yes, within the framework of the Elections Act (Kieswet).

Question 2: Is the central vote office authorised to take extra measures of its own regarding the counting process in order to safeguard security and reliability?
We go to the utmost to safeguard security and reliability within the given framework. In response to your questions, we will, as an extra control measure, manually totalize three lists at list-total level. These lists are determined by drawing lots, carried out by the mayor.

Question 3: Is the municipal executive aware of Sijmen Ruwhof's security report?
Yes, we are aware of it.

Question 4: Can the municipal executive indicate when the computers on which the OSV software runs were last connected to the internet, and can you guarantee that this software was not hacked before that time?
The computers deployed for OSV are wiped after every election and provided with a special ‘image’ (special software) without the PC being connected to the internet or Wi-Fi for that purpose. The Electoral Council is responsible for the security of the software. However, before the local supporting software is installed in Utrecht, it is checked once more by our security experts.

Question 5: In the opinion of the municipal executive, is the four-eyes principle in place if input can be changed by the second user (see section 4.1.6 of the security report)?
The first and second entry are made separately from each other. If there is a difference between these two entries, a controller comes to look at how that difference arose. The most common causes of differences are typing errors and errors from copying a figure from the wrong column. Those errors become visible when the second entry is checked.

Question 6: Is the municipal executive willing to follow the recommendation from the security report, namely to add up manually on the basis of the paper official reports, and to use the OSV software only for verification? If not, why not?
No, processing the results fully by hand is very error-prone and time-consuming. For that reason the minister has also dropped this obligation.

Question 7: Is the municipal executive willing to publish all paper official reports of polling stations on the internet so that residents can check for themselves? If not, why not?
We are bound by legislation here. We may only make these official reports available for inspection and may not proceed to publish them on the internet. From Friday afternoon, March 23, the official reports are available for inspection at the city office (stadskantoor).

Question 8: Why is the process of totalizing the vote totals not public? Are there legal restrictions, and if so, which? If not, can you actively communicate about this?
As the Minister of the Interior and Kingdom Relations (BZK) indicated in the general consultation (AO), the counting of the votes at the polling stations and the session of the central vote office on March 23 are public. Preparing the session, which includes totalizing the votes, is not public (Elections Act, articles J35, O1 and P1). We adhere to the rules determined by the Minister of BZK and the Elections Act.

Update March 20, 2018: RTL News update

RTL News called a few other municipalities and reported the following news:

“Extra manual recounts due to controversial election software

Several municipalities will perform an extra manual validation of the municipal elections. Multiple municipalities such as Utrecht and Tilburg are responding to residents who are worried about the security of the election software with which votes are counted.

Ballots in the Netherlands are counted manually, but the results of the polling stations are counted in the town hall with special software. A week ago, RTL News revealed that the software that calculates the election results contains dozens of security vulnerabilities. This would allow malicious parties to manipulate election results fairly easily and undetectably, experts say.

Caring about software
After the broadcast, Utrecht invited one of the IT experts to the town hall, says Henk van Dijkhuizen, head of Public Affairs of the municipality, to RTL News. “He pointed out a missing link in the system: a manual check of the result. I share his concerns: if you rely too heavily on software, you can be disappointed.”

The municipality still uses the software to add up all the results of the various polling stations. But then a sample is also done. From three randomly selected political parties, all totals are summed up by hand. If the manual calculation equals that of the computer, it is virtually impossible that the leaks in the software have been misused.

Security researcher Sijmen Ruwhof thinks it is ‘a very nice solution’ for Utrecht. “A good compromise given the short time that is left. Verifying that our election isn’t hacked is now not solely depending on citizens to check the results in these municipalities.”

‘A lot of trouble with manually recounting’
Last week it turned out that Minister Ollongren of Home Affairs had just abrogated the manual recount. It generated a lot of political commotion. She said that municipalities had ‘a lot of trouble’ with the previous elections.

But the municipality of Utrecht thinks that their way of manually verifying the election result is easy to do. “Moreover,” says Van Dijkhuizen, “if this increases the confidence in the elections, then we should just do this.”

Update March 21, 2018: Mayor of Rotterdam

Mayor Aboutaleb of Rotterdam doesn’t know that software calculates who will win the election in his municipality and doesn’t take it seriously:

“We have no Russian influences, unless there are little Russian men sitting in the bins where we put the ballot papers, to destroy those ballot papers or make them disappear by means of a magic thing. No, because we vote with the red pencil.”

About Sijmen Ruwhof

Freelance IT Security Consultant / Ethical Hacker