In a brilliant move of PR strategy, the DEFCON voting village will be featuring children hackers to show how vulnerable our election systems are. — Ray [Redacted] (@RayRedacted), August 3, 2018
This is going to be a blast! pic.twitter.com/ISZ9aRpADg
If organizers of the world’s largest hacking convention are correct, then our state election websites are so easy to breach that even an 11-year-old can do it — in under 10 minutes, no less.
If anything, this raises questions regarding how easily a foreign agent could gain access to our voting mechanisms, and how easy it could be for a hacker to change the outcome of an entire race.
During this year’s DEFCON 26, Emmett Brewer, 11, managed to hack into a replica of the Florida state election website and change the voting results found on the website in under 10 minutes. An 11-year-old girl also managed to do the same, tripling the number of votes on the replica site within 15 minutes. More than 30 other children were also able to hack similar replica sites in under half an hour.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK — DEFCON VotingVillage (@VotingVillageDC), August 11, 2018
DEFCON put up the challenge by launching the “DEFCON Voting Machine Hacking Village,” giving children between the ages of 8 and 16 a chance to show off their skills. The challenge involved about 50 children targeting these replica sites with the goal of manipulating both vote count and party and candidate names.
After learning about the results, the National Association of Secretaries of State issued a statement saying they do not believe hackers would have access to the actual state websites.
In addition, they explained, the sites are not directly linked to the voting system used in these states.
“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” they said. “While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”
Still, the statement explained, secretaries are “ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections.”
Nico Sell, one of the organizers of the event and co-founder of r00tz Asylum, a non-profit that teaches children how to hack, said the fact that young children can gain access to these websites spells trouble.
“These are very accurate replicas of all of the sites,” Sell told reporters. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes. It’s negligent for us as a society.”
Last year, Sell said, adult hackers had access to the same replica state election websites, and some managed to hack them in under five minutes. That’s when the organizers thought that bringing the challenge to children could make an even more compelling case in support of major reforms to our voting systems.
“To me that statement says that the secretaries of states are not taking this seriously. Although it’s not the real voting results it’s the results that get released to the public. And that could cause complete chaos,” Sell added. “The site may be a replica but the vulnerabilities that these kids were exploiting were not replicas, they’re the real thing.”
She added that the risks to the democratic process in America are serious, and the public is not well aware of them.
“I think the general public does not understand how large a threat this is, and how serious a situation that we’re in right now with our democracy,” Sell said.
Last year, after DEFCON hackers managed to breach these replica sites in less than five minutes, former U.S. permanent representative to NATO Douglas Lute said that “If Russia can attack our elections, so can others.”
This year, DEFCON proved that even children can gain access to sites that should be designed to keep anyone from meddling with them.
As Matt Blaze, a computer and information science professor who helped to organize the “hacking village,” explained, the replicas were, in many cases, designed to be even harder to hack than the real thing. And still, children managed to crack the code.
“It’s not surprising that these precocious, bright kids would be able to do it because the websites that are on the internet are vulnerable, we know they are vulnerable,” he said. “What was interesting is just how utterly quickly they were able to do it.”
With President Donald Trump’s administration under scrutiny over the Russia election meddling probe, it’s obvious that what transpired at this year’s DEFCON proves that anyone could have tried to manipulate the election sites in 2016, and succeeded. However, it will take more than just a few kids hacking into our state election sites to push the president to act on this piece of news. After all, he’s been reluctant to stand up to Russia and has only recently admitted that the foreign state could have meddled in our elections.
Is democracy eroding in the land of the free? It sure seems like it.
Banner and thumbnail image credit: Reuters/Mike Blake