
This 11 Year Old Hacked A Voting Machine in 10 Minutes

Created: 14 August, 2018
Updated: 21 November, 2022

At DefCon, a hacker conference in Las Vegas, savvy computer programmers as young as 8 participated in a contest organized by R00tz Asylum, a non-profit organisation that promotes white hat hacking to improve cybersecurity.

Of the thirty-nine participants aged 8 - 17, thirty-five were able to exploit vulnerabilities in an exact replica of the state of Florida's voting machines, as well as replicas of the election websites of 13 battleground states.

Eleven-year-old Aubrey Jones was the first participant to break through the trivial security measures of the voting software interface, and into the underlying code that tallies votes for U.S. election candidates. She did it in 10 minutes.

Jones told BBC reporter Dave Lee, "The bugs in the code makes us to do whatever we want. We call somebody our own name if we want to, make it look like we won the election!"

Another conference goer, Bianca Lewis, aged 11, told him, "I’m going to try and change the votes for Donald Trump. I’m going to try to give him less votes. Maybe even delete him off of the whole thing."

The National Association of Secretaries of State disagrees that the hacking contest demonstrates the vulnerability of actual voting machines, stating in a press release:

"While we applaud the goal of DEFCON attendees to find and report vulnerabilities in election systems it is important to point out states have been hard at work with their own information technology teams...Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day."

The NASS also wanted to clarify that part of the hacking contest only affected state websites' reporting of vote totals to the public, not actual vote counts:

"While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."

Still, such a hack could cause enormous confusion and public unrest, especially in a close election with emotions running high, fueling conspiracy theories and damaging public trust in the integrity and legitimacy of the election results.

And also, as Vox reports, "DEF CON participants discovered that voting systems running on expired SSL certificates, encryption keys that are intended to create secure connections, were the most vulnerable and easily hackable," and alarmingly that:

"The participants also discovered more vulnerabilities in the system where citizens directly cast their votes. The kids were able to wipe the memory cards from a recreation of state voting machine interfaces (within five seconds) and either replace a voter’s ballot altogether or overload the system with fake voters to render a real voter’s ballot useless."

The fact that amateur child hackers were able to break into these voter software systems in minutes is also unsettling for the integrity of U.S. elections. What could a professional software programmer with seasoned hacking skills do to a U.S. election result, if motivated by a strong political ideology, or as a mercenary for hire by special interests with a lot of money at stake, or even the desire to disrupt an election just to create a chaotic spectacle?

That's why many voting security advocates want to see U.S. election systems give up touch screen electronic voting machines and go back to using paper ballots tallied by simple electronic scanning machines. Should an election result be questionable, or have a razor-thin margin (as in the notorious 2000 Florida presidential vote), officials can refer to the paper ballots and recount them by hand.

Voting security activist Marilyn Marks recently told Bloomberg that paper ballots are the way to go instead of fancy, expensive voting machines pushed by lobbyists for state election vendor profits, pointing out that, "The Department of Homeland Security has said it. Every cyber expert says it."