At DEFCON 26, the world’s largest hacking convention that recently took place in Las Vegas, an 11-year-old boy managed to hack a replica of the Florida state election website and change voting results in less than 10 minutes. Organizers of the event said that at least 30 children were able to hack similar replica websites in under a half hour, including an 11-year-old girl who completed the job in just under 15 minutes.
One of the attractions of the event was the “DEFCON Voting Machine Hacking Village,” which allowed kids as young as 8 to take a shot at stealing a simulated election.
Nico Sell, co-founder of the non-profit r00tz Asylum, told the PBS NewsHour that these kids were able to hack sites that were exactly like those used for official elections in the United States.
“These are very accurate replicas of all of the sites. These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society,” Sell says.
Sell said that when they first tried a similar challenge last year, adult hackers were able to crack the websites in under five minutes.
“So this year we decided to bring the voting village to the kids as well,” she said.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
However, the government is not ready to admit that they are using such vulnerable technology to conduct their elections.
The National Association of Secretaries of State issued a statement saying that they were “ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections.”
However, they also claimed that it is not possible to replicate an actual government election website.
“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols. While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote-counting equipment and could never change actual election results,”’ the statement read.
In other words, they claim that they will still be able to retain the actual results, even if a legitimate election website happens to be tampered with. Sell pointed out that the response from election officials shows that they either don’t understand or don’t care about the chaos that can be caused by false election results being published, even if they are corrected after the fact.
“To me, that statement says that the secretaries of states are not taking this seriously. Although it’s not the real voting results it’s the results that get released to the public. And that could cause complete chaos. The site may be a replica but the vulnerabilities that these kids were exploiting were not replicas, they’re the real thing. I think the general public does not understand how large a threat this is, and how serious a situation that we’re in right now with our democracy,” she said.
Furthermore, Matt Blaze, a professor at the University of Pennsylvania and one of the organizers of the “hacking village,” said that these replica websites were actually designed to be more difficult to hack than the official government sites.
“It’s not surprising that these precocious, bright kids would be able to do it because the websites that are on the internet are vulnerable, we know they are vulnerable. What was interesting is just how utterly quickly they were able to do it,” he said.
Adult hackers were also able to break into actual voting machines during the convention.
It has long been an open secret that election websites and even voting machines are extremely vulnerable to hacking. In fact, a study at the Argonne National Laboratory in Illinois developed a hack to manipulate voting machines just before the 2012 elections.
The researchers who developed the hack were actually able to hijack a Diebold Accuvote TS electronic voting machine, one of the most popular voting systems at the time.
Two of the lead researchers in the study were able to demonstrate a number of different ways that voting machines could be hacked. They used a $1.29 microprocessor and a circuit board that costs about $8, along with a $15 remote control.
They demonstrated that the cheap hack worked from over a half-mile away.
“When the voter hits the ‘vote now’ button to register his votes, we can blank the screen and then go back and vote differently and the voter will be unaware that this has happened. Spend an extra four bucks and get a better lock, you don’t have to have state-of-the-art security, but you can do some things where it takes at least a little bit of skill to get in,” Johnson said.
As far as how easy the hack is, Johnson told Popsci that “I’ve been to high school science fairs where the kids had more sophisticated microprocessor projects.”