The 2018 midterm elections have been racked with concerns that state voting systems could be vulnerable to attacks by highly skilled Russian intelligence agencies looking to alter poll results. But over the weekend, participants in a hacking conference proved that those interested in shaping the history of American democracy don’t need the backing of an authoritarian government to wreak havoc.
They don’t even need to have hit puberty.
An 11-year-old boy changed fake voting results by hacking into an exact replica of Florida’s state election website in just 10 minutes, according to the organizers of DEF CON 26, an annual hacker convention.
The competition pitted 39 kids, age 6 to 17, against one another to see who could hack into replica election systems of six swing states across the US. Thirty-five of the 39 kids completed the “exploit” and “tampered with vote tallies, party names, [and] candidate names” within 30 minutes, according to DEF CON.
The insecurity of secure connections
DEF CON participants discovered that voting systems running on expired SSL certificates, encryption keys that are intended to create secure connections, were the most vulnerable and easily hackable. DEF CON said this proved the “malleability of these systems.”
The participants also discovered more vulnerabilities in the system where citizens directly cast their votes. The kids were able to wipe the memory cards from a recreation of state voting machine interfaces (within five seconds) and either replace a voter’s ballot altogether or overload the system with fake voters to render a real voter’s ballot useless.
The Obama administration in 2016 assured voters that the integrity of the election was not compromised, though there were clear signs that the Russian government took various measures to influence the election.
“We stand behind our election results, which accurately reflect the will of the American people,” the administration said in a statement to the New York Times in November 2016.
The Senate Intelligence Committee has warned that Russia directly targeted state voting systems. “It is possible that additional activity occurred and has not yet been uncovered,” the committee said in a report on the 2016 election attacks, according to Bloomberg.
The point of the hackathon, then, goes beyond highlighting the talents of mastermind children who wanted to change candidate names to “Bob Da Builder” and “Richard Nixon’s Head.”
DEF CON also demonstrates the very real risk that somebody with technical skills and malicious intentions could directly intervene in American elections, whether they’re based in the headquarters of a Russian intelligence agency or in a basement in rural Iowa.