An 11-year-old boy carried out a hack at the DEFCON hackathon conference over the weekend, breaking into an imitation Florida state voting website and changing the results of the “election” in fewer than 10 minutes.
Emmett Brewer, the 11-year-old who successfully hacked the replicated Florida voting site, wasn’t the only child who got into the election systems at the conference. In total, about 50 kids ranging in age from 8 to 16 attended the conference, DEFCON said in a tweet, and around 30 of them were able to hack into the imitation election websites.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
The National Association of Secretaries of State (NASS), who manage the voting machines, issued the following statement:
As DEFCON 26 attendees begin to gather in Las Vegas this week, the National Association of Secretaries of State (NASS) would like to address the Voting Machine Hacking Village events. While we applaud the goal of DEFCON attendees to find and report vulnerabilities in election systems it is important to point out states have been hard at work with their own information technology teams, the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.
Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.
We are also concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack is also unrealistic. It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.
While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.
NASS is standing by, ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections with the shared goal of increasing voter confidence.