MILWAUKEE – An 11-year-old boy managed to hack into a replica of Florida’s election results website in 10 minutes during a hackers convention and change names and tallies, organizers said, stoking concerns about security ahead of nationwide votes.
The boy was the quickest of 35 children, ages 6 to 17, who all eventually hacked into copies of the websites of six swing states during the three-day Def Con security convention held last weekend, event organizers said on Twitter this week.
The event during one of the world’s largest security conventions was meant to test the strength of U.S. election infrastructure and details of the vulnerabilities would be passed on to the states, it added.
“We see a lot of value in doing things like this. We think it’s important,” said Jeanette Manfra, assistant secretary of cybersecurity and communications at the U.S. Department of Homeland Security, in an interview. “The idea is, when we find things here, how do we connect them with the actual vendors and make sure that we are closing this loop back to a coordinated vulnerability disclosure process.”
The National Association of Secretaries of State — who are responsible for tallying votes — said it welcomed the convention’s efforts, but added that the actual systems used by states would have additional protections.
“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the association said.
The hacking demonstration came as concerns grow about election system vulnerabilities before mid-term state and federal elections.
Def Con held its first voting village last year after U.S. intelligence agencies concluded the Russian government used hacking in its attempt to support now U.S. President Donald Trump’s 2016 candidacy. Moscow has denied the allegations, but Trump’s national security team warned two weeks ago that Russia has launched “pervasive” efforts to interfere in the November polls.
“These vulnerabilities … would, in an actual election, cause mass chaos,” said Jake Braun, one of the voting village organizers. “They need to be identified and addressed, regardless of the environment in which they are found.”
Participants at the convention were able to change party names and add as many as 12 billion votes to candidates, the event said. “Candidate names were changed to ‘Bob Da Builder’ and ‘Richard Nixon’s head,’ ” the convention tweeted Tuesday.
The convention linked to what it said was the Twitter account of the winning boy — named there as Emmett Brewer from Austin, Texas. A screenshot posted on the account showed he had managed to change the name of the winning candidate on the replica Florida website to his own and gave himself billions of votes.
Participants had the chance to hack into more than five types of voting machines from manufacturers including Elections Systems & Software and Dominion Voting. Verified Voting, an advocacy group that helped organize the hacking village, said that some of the voting machine models being tested are still used to tally votes across the United States.
One system, the Dominion Premier/Diebold AccuVote TSx system, is used in 20 states and 23,784 precincts, according to Verified Voting.
Last year a Danish researcher figured out how to take control of a touchscreen voting system used through 2014 in a remote hack that organizers said could work from up to 1,000 feet away.
The convention’s voting village also aimed to expose security issues in other systems, such as digital poll books and memory-card readers.