At DEF CON, the Voting Machine Hacking Village (VMHV) and most of the other villages were filled primarily with adult white hat hackers. This year, R00tz Asylum, a non-profit organisation that teaches kids to become ethical hackers, took over the Milano III Ballroom of Caesars Palace and set up a space exclusively for kids (aged 7-17) to get in on the DEF CON action. There were stations set up across the room dedicated to various hacking activities in which kids could take part. This year, among the stations was one inspired by the VMHV called “Election Hacking”. In the several months leading up to DEF CON, Brian Markus and his cybersecurity firm, Aries Security, created replicas of the Secretary of State (SOS) websites for 12 battleground states to be used in Election Hacking activities. The kids who decided to join were sat down on laptops that were opened up to the replica websites and given paper handouts walking them through how to perform a SQL injection, a common type of hack.
I spent most of my time in Vegas helping facilitate the election hacking station of R00tz Asylum. We managed to attract a lot of computer savvy kids and the vast majority of our kids were able to complete the hack. Some managed to do it in under 15 minutes. There were about five facilitators including myself guiding the kids throughout. We tried not to hold their hands too much, especially in the early minutes so that they could try it out for themselves. Many didn’t need our help and it was exciting to see them so engaged. I remembered when I first learned how to do an SQL injection in high school and I could sense the joy that I had felt in many of the kids. The websites contained the 2016 presidential election results. I gathered and sanitised all the relevant data for each of the swing states and provided it to Brian Markus and his team. The kids tampered with all sorts of things. They managed to gain access to the website’s table schemas and change vote tallies, candidate names, and more. My personal favourite was the addition of a candidate named Tonald Drump with 2 billion votes.
The goal of Election Hacking, and you may have already seen this is the news, was to demonstrate a common vulnerability in many websites today, the omission of sanitising input into website search bars. But more importantly, the goal was to show just how feasible it is for kids and consequently beckon us to imagine how feasible an attack on the United States’ SOS sites could be for a trained “black hat” hacker. There’s been a lot of concern about either internal or external forces looking to interfere in the nation’s democratic processes and now it’s crunch time for ensuring that systems are protected from those who wish to do it harm.