Last Friday, an 11-year-old apparently managed change election results within 10 minutes. While at this year’s DEFCON, he and many other children were offered the chance to hack into a mock-up of a Secretary of State website, and did so with alacrity.
According to DEFCON spokespeople, the kids were offered 13 replicas of Secretary of State websites, with Florida being the first. 11-year-old Emmett Brewster was able to hack it inside 10 minutes.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
That’s…wow, what the heck was I doing at 11?
Emmett was one of about 50 children between the ages of 8 and 16 who took part in a kid-specific workshop at this year’s hacker conference. According to Quartz, the kids were able to manipulate various things on the mock websites, including vote counts, candidate names, and party names.
The National Association of Secretaries of State, the organization for public election officials, also issued a statement on the hack:
Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day. We are also concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack is also unrealistic.
That seems a little fussy, doesn’t it? Precisely replicating the physical environment of a voting booth isn’t exactly what these exercises are about, and focusing on that doesn’t address the flaws DEFCON attendees — and apparently at least one child — did find.
Nico Sell, founder of nonprofit r00tz Asylum, which teaches kids about white-hat hacking, told PBS NewsHour the flaws found by Emmett and other children at the event were “the real thing,” also saying:
These are very accurate replicas of all of the sites. These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.
Others have criticized DEFCON’s Voting Village, where attendees attempt to crack voting machines, for providing an unrealistic display of voting circumstance, including Election Systems and Software (ES & S), one of the major providers of election equipment. It was quick to reassure customers the machines wouldn’t actually be as physically accessible on election day as they were at DEFCON.
In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me. pic.twitter.com/6eQUYuuGJA
— Kim Zetter (@KimZetter) August 10, 2018
In response to ES & S, DEFCON officials released a statement criticizing them for avoiding the issue:
ES&S’s unclear comments and threats towards the Voting Village seem to be designed to create questions and cast doubt in the minds of researchers and election officials, discouraging them from pursuing these vital lines of inquiry. At a time when there is significant concern about the integrity of our election system, the public needs now more than ever to know that election equipment has been rigorously evaluated and that vulnerabilities are not just being swept under the rug.
If nothing else, I look forward to seeing the kids to echo the achievement of DEFCONs past by rickrolling mock election websites.