Breaking News
More () »

11-year-old hacks replica Florida election information website in 10 minutes

Two kids hacked the replica election website in less than 15 minutes during a hacking event at the 26th annual DEF CON Hacking Conference.
Photo: Molly Hall | DEF CON

LAS VEGAS, Nev. -- Hacking into election information websites is apparently so easy that an 11-year-old can do it in about 10 minutes.

At the 26th annual DEF CON, a hacker convention in Las Vegas, some hacking workshops for kids and adults saw two 11-year-olds hack into a replica of a Florida state election website.

In one instance, 11-year-old Emmett hacked the election reporting section of a Florida Secretary of State website in about 10 minutes. Then, 11-year-old Audrey hacked the same replica and also tripled the number of votes on the website in about 15 minutes.

“The kids could change anything related to the vote reporting,” Molly Hall, a spokesperson with the Voting Village, said. “They worked to hack into 13 replica SoS websites that were built for battleground states based on reported vulnerabilities that were found in the real websites.”

The events were part of the convention’s Vote Hacking Village, which is in its second year. The Vote Hacking Village said, over the weekend, it hosted thousands of hackers, more than 100 election officials and about 50 kids identifying and exploiting various vulnerabilities within electronic election systems.

The Vote Hacking Village was just one of 28 different hacking villages at DEF CON.

The village also hosted former Trump White House Cyber Czar Rob Joyce, who lauded the convention’s efforts to identify vulnerabilities in election equipment and software.

“It’s not apparent to everyone in the outside world, I think, why it’s important to break stuff, why it’s important to focus on it and find those flaws and then talk about it,” Joyce said in a statement. “There was some discussion among the states about whether we should be doing the Election Hacking Village or not...Believe me, there are people who are going to attempt to find flaws in those machines whether we do it here publicly or not.”

Some of the systems up for hacking included replicas of voter registration databases, election reporting websites and voting equipment like machines, e-polls and security appliances.

Aside from the two 11-year-olds hacking a replica election website, other specific hacks included hacking a voting machine to play GIFs and music, changing vote tallies and changing a candidate name to Kim Jong Un and giving him one billion votes.

Emmett changed one system so he was the winning candidate in a mock Florida election, Hall said.

To create these replicas of Secretary of State websites, the Voting Village said it worked with security expert Brian Markus, who is best known for adapting the Capture The Packet simulator for the U.S. Department of Defense for training and vetting cyber-security professionals. He’s also the former Senior Director of Cyber Security for Aerojet Rocketdyne and creator of the Wall of Sheep and Juice-Jacking/Video-Jacking.

“The Voting Village is confident that his security bona fides are as good as anyone securing election websites today,” Hall said. “He built the SoS websites based off of vulnerabilities that were reported after the 2016 election.”

Election Systems & Software, a leading manufacturer of voting equipment, argued that the exercises weren’t fair tests of vulnerabilities. The company said hackers in the real world would have to attempt to hack remotely and do their worst to get past additional security hurdles.

In a letter sent to customers and first reported by the Wall Street Journal, the company said hackers at DEF CON “will absolutely access some voting systems’ internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords and other security measures that are in place in an actual voting situation.”

The Voting Village responded to ES&S with the following statement:

"It is unfortunate that ES&S is making vague and unsupportable threats that distract from the real issue: the integrity and security of our electoral process. ES&S' unclear comments and threats towards the Voting Village seem to be designed to create questions and cast doubt in the minds of researchers and election officials, discouraging them from pursuing these vital lines of inquiry. At a time when there is significant concern about the integrity of our election system, the public needs now more than ever to know that election equipment has been rigorously evaluated and that vulnerabilities are not just being swept under the rug."

CNN reported the National Association of Secretaries of State also criticized the Voting Village, calling it a “pseudo-environment” that “in no way replicates state election systems, networks or physical security.”

When asked whether there was a concern at DEF CON and the Voting Village that the hacking workshops undermine confidence in the election system, Jack Braun, co-founder of the Voting Village and Executive Director of the Cyber Policy Initiative at the University of Chicago, said:

“Anything who thinks that by not talking about this, or just blindly saying we are secure, are the ones who are undermining the public’s faith in democracy. Since the 2016 Russian attacks on our election, only things we DO, not things we say, are going to improve the public’s faith in democracy.”

“What we at the Voting Village are doing here is identifying a bunch of stuff that election officials can do to better secure their election," Braun said.

►Make it easy to keep up-to-date with more stories like this. Download the 10News app now.

Have a news tip? Email desk@wtsp.com, or visit our Facebook page or Twitter feed.