An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.
Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states.
The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.
Nico Sell, the co-founder of the the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.
Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.
“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”
Sell said the idea for the event began last year, after adult hackers were able to access similar voting sites in less than five minutes.
“So this year we decided to bring the voting village to the kids as well,” she said.
In a statement regarding the event, the National Association of Secretaries of State said it is “ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections.” But the organization expressed skepticism over the hackers’ abilities to access the actual state websites.
“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” it read. “While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”’
But Sell said the exercise the children took part in demonstrates the level of security vulnerabilities found in the U.S. election system.
“To me that statement says that the secretaries of states are not taking this seriously. Although it’s not the real voting results it’s the results that get released to the public. And that could cause complete chaos,” she said. “The site may be a replica but the vulnerabilities that these kids were exploiting were not replicas, they’re the real thing.”
“I think the general public does not understand how large a threat this is, and how serious a situation that we’re in right now with our democracy,” she said.
Matt Blaze, a professor of computer and information science at the University of Pennsylvania who helped organize the “hacking village,” said that thousands of adults including voting security experts also tried to access voting machines and other voting software currently being used in U.S. elections today to become “more knowledgeable about voter technology.”
He also noted that the children who participated in their own challenge last week were dealing with replicas that were in many cases created to be even more formidable to access than the actual websites used by secretaries of states across the nation.
“It’s not surprising that these precocious, bright kids would be able to do it because the websites that are on the internet are vulnerable, we know they are vulnerable,” he said. “What was interesting is just how utterly quickly they were able to do it.”