Election security11-year old took 10 minutes to hack a replica of Florida's election reporting website

Published 15 August 2018

DEFCON, the world’s largest hacking convention, took place in Las Vegas over the weekend. Emmett Brewer, one of about 40 children between the ages of 8 and 16 who were taking part in the event, took less than 10 minutes to hack into a replica of Florida’s election reporting website. An 11-year old girl also managed to break into the site, tripling the number of votes for one of the candidates. Several 8-year old kids managed to tamper with vote tallies and change candidates’ names.

The world’s largest hacking convention took place in Las Vegas over the weekend, and an 11-year-old was able to hack into a replica of Florida’s election reporting website in less than 10 minutes and change votes. 

PBS

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there. 

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

CNN:  

“Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” said Jake Braun, one of the event’s organizers.

So on Friday, almost 40 child hackers between the ages of 6 and 17 were let loose on the mock sites, and most of them were able to tamper with vote tallies, some even changing candidates names to things like “Bob Da Builder” and “Richard Nixon’s Head.”

National Association of Secretaries of State (NASSissued a statement in response, welcoming help from DEFCON participants in securing elections but also claiming their actual sites are not as vulnerable as the replicas. 

“While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”’

(…)

“To me that statement says that the secretaries of states are not taking this seriously. Although it’s not the real voting results it’s the results that get released to the public. And that could cause complete chaos,” [Sell] said. “The site may be a replica but the vulnerabilities that these kids were exploiting were not replicas, they’re the real thing.”

“I think the general public does not understand how large a threat this is, and how serious a situation that we’re in right now with our democracy,” she said.

Adults who participated in the second annual “voting village” at DEFCON took at crack at hacking voting machines. 

CNN

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. While such hacks are a cause of concern for election officials, they are increasingly looking beyond the threats against traditional election infrastructure like voting machines and voting databases and more to the threat of disinformation.

(…)

If state election boards were to be targeted in this way, where voter information or voting systems were hacked, and then a coordinated campaign to disseminate or weaponize that information were to follow on social media, it could lead to widespread confusion that could undermine the integrity of an election could ensue, some officials fear.