An 11-year-old successfully hacked a replica website for the Florida Secretary of State and changed election results in less than 10 minutes during a hacking convention in Las Vegas, according to event organizers.
The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe and left to youngsters to infiltrate.
The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups.
All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices or keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.
Nearly 40 hackers from 6 to 17 years old attempted to hack replica websites in 6 swing states during the DEF CON hacking event on Friday and Saturday.
More than 30 hackers were able to complete an exploit. The quickest exploit was done in under 10 minutes by 11-year-old Emmett Brewer.
The hackers successfully tampered with vote tallies, party names, and candidate names, and total vote counts were changed to numbers including “12 billion.” One hacker also changed a candidate’s name to “Bob Da Builder.”
The children were able to change vote tallies so that they numbered 12 billion, and rewrite party names as well as the names of candidates. Kids being kids, these latter changes included “Bob Da Builder” or “Richard Nixon’s Head” – we spotted the Futurama fan there.
On the adult side, Premier/Diebold’s TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.
Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver’s license numbers.
Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.
More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds and had a music player and CD ripper program built in. It is believed this music stuff was left lying around in unused and unallocated space on the disk.
Number one question at @VotingVillageDC this week: given how insecure voting systems are, what should we do? The overwhelming consensus among experts:
1 – Paper ballots (precinct-counted optical scan)
2 – Mandatory risk-limiting audits
3 – More resources to protect back-end systems