Child’s Play: Hacking America’s Elections in Battleground States
* Updated to reflect the contests' results
Imagine teams of kids under sixteen hacking away at America’s midterm elections. They are looking for unprotected systems to break into, on a mission to turn the vulnerabilities they find into a guide on how to protect our election infrastructure. While this may seem counterintuitive to many of us, it is exactly the challenge-turned-global-competition that kids at DEF CON’s r00tz Asylum embarked on this week.
DEF CON is the world’s largest hacker gathering, bringing together the best security minds from around the globe. For nearly a decade, kids and their parents have been part of the r00tz conference where hackers young and old share their expertise to help raise the next generation of cyber security experts we now so desperately need. Notably, girls represent almost half of the kids attending r00tz every year who are excited about math, hardware hacking, cryptography, and social engineering.
So why election hacking? Last year, the Voting Machine Hacking Village debuted at DEF CON. Within the first five minutes, ‘white hats’ drawn to the challenge of finding the vulnerabilities in vote counting devices had succeeded. The results were included in DEF CON’s report on vulnerabilities in the US election infrastructure. This year, the next generation of hackers, the r00tz kids, has joined the effort to call attention to just how insecure some of our voter registration and other election processes are.
Despite all the attention on election security following the 2016 Presidential cycle, our political infrastructure is almost as insecure as it was two years ago, according to recent reports. Of course, some vulnerabilities are hard to fix in time for the upcoming midterms, including the divisive public discourse that makes us susceptible to manipulation. The hardware and software security issues, however, are ones we can solve. And r00tz’s hacker kids were eager to learn how to protect the elections from both script-kiddies and nation-state adversaries.
Less than 90 days away from the next elections, as more states accommodate an increasingly digital population and many election functions move online, state and local websites remain easy targets to breach. To help secure the digital infrastructure interfacing with the public during the elections, young hackers have taken a run at breaking into replicas of the Secretary of State websites for several battleground states including Florida, Iowa, Michigan, New Hampshire, Ohio, Pennsylvania, Virginia, and Wisconsin.
While compromising the websites of state and local election offices may not be a difficult task for the experienced adult hackers who came to Las Vegas for DEF CON 26, watching kids breach the clones of these components of the US national infrastructure has certainly helped raise awareness of election security.*
In this two-day competition at r00tz, the hacker teams were given targets that look and function like the real-life web portals used by the top battleground states to report votes (other functions of live SoS websites include voter registration, publishing of information about early voting and polling locations).
Mentors drawn from the public and private sectors, including information security and political campaign experts, coached the young white-hat hackers on ethics and the election process so that they would better understand their targets and the significance of the function each one serves in the elections. With that, the teams began exploring the live copies of the sites of the Secretaries of State to break down the security features that protect them.
This competition focused on using SQL injection (a basic attack) against replicas of the sites that report (not count) votes. The r00tz kids were able to see the real-world implications of the poor coding practices found across the web, including on the public-facing portals where election results are shared on election day. Clearly, if these or similar attacks were to happen in real life, no actual votes would be changed, but they would create chaos and mistrust by simply misreporting the count and generating rumors and misinformation. And that was something the kids learned firsthand.
The winners of the Hack the Election competition received awards in several categories, including the fastest hacker and the most creative exploit. Two 11-year-old r00tz attendees managed to get into the replicas of the FL SoS page to change the vote count and the candidates' names in 10 and 15 minutes respectively.
We hope this contest will empower the r00tz kids to pursue their interest in hunting security bugs in critical public systems. For every kid passionate about technology, this competition was designed to be a hands-on educational opportunity to see just how essential security is in every website and app, and also how impactful each young white-hat hacker can be in protecting these important national systems. After all, hacking America’s elections should never be child’s play.