Florida officials downplay 11-year-old’s election hack
They say mock site had few security measures
SAN FRANCISCO – The state of Florida is disputing reports that an 11-yearold hacker was able to gain access to a replica of its state election website, leading the hacking convention that arranged the stunt to offer to break in for real.
This is the second year of a dedicated election hacking track at DefCon, a hacker convention held every year in Las Vegas. Last year, hackers got into voting machines in less than a day. This year, 50 kids as young as 8 took part in the attempt, and around 30 were able to hack into the imitation election websites.
It took 11-year-old Emmett Brewer of Austin, Texas, 10 minutes to break in and gain access.
“These websites are so easy to hack we couldn’t give them to adult hackers – they’d be laughed off the stage,” Jake Braun, a former White House liaison for the Department of Homeland Security, said in an interview with ABC News. Braun said the conference invited younger hackers to DefCon because it would be a “waste of time” showcasing experts hacking these sites.
State election officials said the exploit wasn’t as damning as it was portrayed.
In a statement to USA TODAY, the Florida Department of State, which oversees elections, said the mock site used by DefCon likely had few, if any, security measures in place and, thus, was not a real-life scenario as it did not take into account state-of-the-art security measures the department uses to prevent hacking attempts from being successful.
The Department further noted that the mock site was only used to publish preliminary, unofficial results and was not connected to vote-counting equipment and thus couldn’t change actual election results.
In response, Braun said that the group had been clear that the sites the children attempted to hack into were replica websites, not the real ones.
However, he also noted that the cybersecurity community is very aware that it is impossible to defend a website from a determined nation-state attack.
“What’s more disconcerting is that none of the guidelines for election security that have come out since 2016 say anything about what state and local election officials should do if the most vulnerable component of the voting infrastructure, their website, was hacked on Election Day,” he told USA TODAY.
To truly prove that Florida’s election website is as strong as the state says it is, Braun offered to have the group’s adult hackers try to hack into it.
“If we can’t get in, we will give (the Florida secretary of State) huge props and tweet out to all our followers that we couldn’t hack his site. Or, if they are successful in hacking his website, we will still give him huge props on Twitter for taking security seriously and we will share all found vulnerabilities so that Florida can improve the security of their elections,” he said.
In a statement, the National Association for Secretaries of State questioned the hacking village events, claiming they don’t realistically portray a scenario where these machines could be accessed.
“Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day,” NASS said.
Meanwhile, ES&S – the company that provides election equipment across the U.S. – emailed customers assuring their machines were safe, Buzzfeed reports.
“Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” the email read.