Dozens of kids hack election site replicas in just minutes
They changed candidate names and vote counts.
The Def Con hacker conference has been demonstrating how vulnerable voting machines are to hacks through its Voting Village, wherein adults are given the chance to compromise various models of voting devices. But this year, Def Con also let kids get in on the game, opening up replicas of states' election websites to children aged eight to 16. The event, put on by r00tz Asylum and supported by the University of Chicago and the Democratic National Committee, showed just how vulnerable these sites are to attack.
On the first day of the event, 39 children tried to hack into the site replicas and 35 were able to do so in under half an hour. The fastest exploit was completed in under 10 minutes by an 11-year-old boy. "It's not surprising that these precocious, bright kids would be able to do it because the websites that are on the internet are vulnerable, we know they are vulnerable," University of Pennsylvania Professor Matt Blaze, who helped organize the Voting Village, told PBS NewsHour. "What was interesting is just how utterly quickly they were able to do it."
The event gave out awards to three age group categories for fastest exploit, most innovative, most social engineering and youngest exploiter. Those that cracked the sites changed candidates' names -- to Kim Jong Un, Bob Da Builder and Tonald Drump, for example -- and altered vote tallies. A portion of the $2,500 in prize money was furnished by the DNC.
Here's the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
Here's the roundup of the Def Con Voting Machine Hacking Village discoveries, Day 2! @defcon #VotingVillage pic.twitter.com/YncpPxuGnT
— DEFCON VotingVillage (@VotingVillageDC) August 12, 2018
The National Association of Secretaries of State released a statement about the results, saying it believed the replica websites made for an unrealistic exercise. "It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols," the organization wrote. "While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."
But Blaze told PBS NewsHour that the replicas used in the contest were in many cases more rigorously protected than actual secretary of state-run election websites. And Nico Sell, co-founder of r00tz Asylum, said changing reported voting results is still a problem even if the actual tallies aren't affected. "To me that statement says that the secretaries of states are not taking this seriously," she said to PBS NewsHour. "Although it's not the real voting results it's the results that get released to the public. And that could cause complete chaos. The site may be a replica but the vulnerabilities that these kids were exploiting were not replicas, they're the real thing."