Will the vulnerabilities be addressed in time for the midterms?
At the DEFCON hacking conference in Las Vegas, kids aged 8-16 had the chance to hack into simulated US election systems — and they found it alarmingly quick and easy.
Emmett Brewer, an 11-year-old Texan, was able to access a duplicate of Florida’s state election website in under 10 minutes. Once inside, he changed the vote tallies on the site to award himself 239 billion votes in less than five minutes. An 11-year-old girl was able to perform the same hack in about 15 minutes.
A 17-year-old from Washington went further, using easily Googled shutdown commands to completely crash a midterm election simulation. All vote counts were lost, and the website presented an execution error. It took him 10 minutes. “And I’m not even a very good hacker,” he said.
These election vulnerabilities were on show at DEFCON 26, an annual hacking conference in Las Vegas. This year, organizers launched the Voting Machine Village, and invited youth attendees to manipulate candidate names and vote totals in hardware and software used in several battleground states. About 50 kids participated in the Village, and they found plenty of vulnerabilities.
In the Diebold TSX machine, widely deployed in hundreds of counties and cities nationwide (including the swing states of Pennsylvania, Ohio, Wisconsin and Virginia), hackers found SSL certificates that expired in 2013, which means each machine is subject to all vulnerabilities in that software cataloged in the past five years. One hacker uploaded a Linux OS to a Diebold TSX and then programmed the machine to play GIFs and music.
The Diebold Express Poll 5000 was found to be even more vulnerable (again). That machine’s memory cards are easily accessible at the top of the machine, and another market-purchased card with alternative information and vote tallies can be inserted in place of the original. Switching the two cards can be done in less than five seconds. Once removed, the original cards can be accessed by a hacker to collect unencrypted supervisor passwords and voters’ personal data. Voter information gathered included home addresses, driver’s license numbers, and the last four digits of Social Security numbers. In the most embarrassing cases, the unencrypted password was “Password.”
All told, Voting Machine Village co-organizer Nico Sell said that more than 30 children were able to hack into other states’ website duplicates in half an hour or less.
“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”
In response to the event’s widespread publicity, the National Association of Secretaries of State (NASS) issued a statement reconfirming their states’ election security.
“While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results,” NASS said in a statement. They added that they welcome cooperation from the hacker community to eliminate any vulnerabilities.
The good news is that Brewer, the 11-year-old hacker from Texas, is on board with increasing voter security and confidence.
"I'm just trying to help the world," he said.