An 11-Year-Old at a Hacking Convention Demonstrates Ability to Hack and Change Florida Vote in 10 minutes
The second annual DEFCON Voting Village took place over a weekend at the end of July in Las Vegas, during the 29th annual DEFCON security convention. Computer experts and hackers meet annually to discuss and show off the latest and greatest computer security systems and practices. The Voting Village allow hackers to work on various “in use” and “not in use” voting machines, and see if and how they can hack them. It has been known for some time that our computer voting across the country is woefully lacking in state-of-the-art security, mostly because of a lack of financing and upgrading of our elections system. There’s a lot of money in elections—just not in the machines that count the votes.
BuzzFeed News explains that a dummy election was held using the machines, and then hackers were given the chance to monkey with the results. The basic idea in hacking these machines is to offer up opportunities for improvements in security. If you know the vulnerabilities in your machines, you can hopefully fix those before the next election.
If you can’t read the small picture there, they gave out awards for all kinds of things (i.e. fastest, most innovative, etc.); and they gave out awards for the youngest winners in a hacking contest of replica government elections websites as well. An 11-year-old was able to hack the dummy Florida secretary of state website.
In another area of DEFCON, organizers set up a semicircle of computers preloaded with copies of secretaries of states’ websites to allow young children to try to alter the appearance of a vote result. While such an attack wouldn’t change actual votes, simply changing the appearance could cause havoc on Election Day, and reflects a tactic Russia did employ in Ukraine in 2014.
Notably, the kids were instructed to use a simple database hacking tactic called SQL injection, the same tool the US has said Russian hackers used when targeting state voter registration databases in the summer of 2016.
The 11-year-old, named Audrey, told BuzzFeed News that it was easy and once inside she could do just about anything she wanted. Florida’s secretary of state gave a statement to BuzzFeed reiterating that the website was not connected to the voting machines in any way.
One of the criticisms of the event is that hackers are given full access to the machines, which can include figuring out how to open those machines physically, in order to perform a hack—something that is less likely to happen in real life, officials say. Of course, when you consider the stories that come out every few weeks showing that our voting machines may have much bigger and accessible security flaws that are easily exploitable remotely, I don’t find much reassurance in the critics’ assessments.