An 11-Year-Old Hacker Changed Presidential Election Results

Written by Jason Simpkins
Posted August 16, 2018 at 8:00PM

Cyberattacks may seem like a relatively new phenomenon, but last weekend, DEF CON, the world’s largest hacker conference, had its 26th annual gathering.

Hackers, of course, are notoriously young, but you might be surprised just how young…

Amid the hackers’ Shangri-La, one large room, a “Voting Village,” was set aside for kids aged 8 to 16. It was filled with computers displaying 13 imitation election websites set up to register vote tallies.

Of the roughly 50 children in the room, 30 were able to hack into the websites and change the results.

And they did it quickly.

Audrey, an 11-year-old girl, figured it out in just a few minutes, hacking her way into a replica of the Florida secretary of state’s website and rigging the count to make it look like Libertarian candidate Darrell Castle won Florida’s presidential vote in 2016.

“It took maybe a minute or so, because I’m a fast typer,” she told BuzzFeed News. “You can [subtract] points, you can do whatever you want.”

While such an attack wouldn’t change actual votes, altering the reported vote tally could still wreak havoc on Election Day.

Imagine, for instance, if on November 9, 2016, the Federal Election Commission came out and said that Donald Trump didn’t actually win; that despite what you saw reported on television and on the Internet, Hillary Clinton was actually elected president.

There’d be mayhem. It’d take months of recounts and litigation to sort out. And even after all the dust had settled, half the country would still believe they got hosed.

It would undermine our democracy. And that is exactly what Russia wants.

Make no mistake, the DEF CON hacking convention isn’t just fun and games. It’s not just hacking for sport. It’s a serious effort to expose flaws and vulnerabilities in our most vital electronic systems.

That’s why the kids who assailed the Voting Village were instructed to use a simple database hacking tactic called SQL injection. It’s the same technique Russian hackers used when targeting state voter registration databases in the summer of 2016, and against Ukraine in 2014.

Now, when notified of the breaches, government officials and the corporations in charge of voting machines got their hackles up. (Of course they would. It’s embarrassing.)

They’re quick to point out that the environment in which hackers are allowed to access networks directly (the way they were at DEF CON) isn’t realistic because there’s security in place to keep that from happening.

But such objections bring little comfort, because vendors have storied track records of lying about vulnerabilities they deemed unlikely to cause problems in the real world.

A top-secret NSA report that leaked last year showed Russian military hackers tried to trick employees of VR Systems, a Florida-based e-voting vendor, into downloading computer-hijacking malware right before the 2016 election.

As recently as last month, the company denied any breach had occurred. But, in fact, the hacking attempt worked. The NSA estimated that at least one employee of the company “likely” had their email account compromised. And Special Counsel Robert Mueller confirmed as much in his indictment of 12 Russian military officers last July.

That’s a problem, since VR Systems sells digital pollbook software used to verify eligible voters. It has customers in eight states, including North Carolina and Virginia.

And that’s not all.

In July, the top maker of electronic voting machines in the country admitted that it installed backdoor remote-access software on many of its products. This software is dangerous because it lets people access computer networks from off-site locations.

And not only was it installed, but the company in question, Election Systems & Software (ES&S), lied about it.

Prior to admitting the mistake, a company spokesperson had assured cybersecurity expert Kim Zetter, as well as fact checkers for the New York Times, that ES&S never installed remote-access software on any election system it sold.

Again, this proved to be false, as remote-access software was installed on the election-management computer at the election office of Pennsylvania’s Venango County. This was the machine that was used to tally official election results and program voting machines.

And it was corrupt.

That’s a heck of a lot worse than changing the vote count on a website.

It’s like “leaving ballot boxes on a Moscow street corner,” as Senator Ron Wyden put it.

It doesn’t stop there, either.

Back at DEF CON, one hacker took control of a Diebold TSX voting machine — versions of which are in use in at least some areas of 20 states — and turned it into a jukebox that played music from its speakers while displaying an Illuminati logo.

The year prior, conference attendees found new vulnerabilities in all five voting machines and a single e-poll book of registered voters.

“We know these systems are wildly insecure, and there’s been precious little evidence of these vulnerabilities so far being exploited in real elections,” says Matt Blaze, a veteran election security researcher who helped organize the Voting Village. “I think we’ve been very lucky, and I think there’s a little bit of a ticking time bomb here.”

Nevertheless, Congress has rejected additional funding to combat election threats.

Both the House and Senate shot down appropriation bills for state election security over the summer. And the President of the United States is reluctant to even admit this problem is real.

Ticking time bomb, indeed.

This year’s election could expose just how fragile and unprepared American democracy is.

And it could highlight the growing need for next-generation cyberdefenses like the ones offered by my latest recommendation for The Wealth Warrior.

Check that report out here if you haven’t already.

Fight on,

Jason Simpkins

Jason Simpkins is Assistant Managing Editor of the Outsider Club and Investment Director of The Wealth Warrior, a financial advisory focused on security companies and defense contractors. For more on Jason, check out his editor's page. 
