Sun, Aug 26, 2018 - Page 7 News List

Election hacking child’s play at Las Vegas conference

Changing votes to affect US elections might be difficult, but at Def Con in Las Vegas, children as young as 11 had no trouble using other means that could affect the democratic process

By Alex Hern  /  The Guardian, Las Vegas

Illustration: Constance Chou

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections.

The good news is that hacking the US midterms — actually changing the recorded votes to steal the election for a particular candidate — might be harder than it seems, and most of foreign political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far.

The bad news is that it does not really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records might be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

“The most vulnerable part of election infrastructure is the Web sites,” security expert Jake Braun said.

Braun, a former White House liaison on cybersecurity, is one of a small group of volunteer IT professionals who have been testing the security — or lack thereof — of the US voting infrastructure every year at the Def Con hacking conference, where he cofounded the Voting Village, a sort of conference-within-a-conference.

Unlike a voting machine, Web sites represent a compelling target, because they are, by their nature, connected to the Internet at all times, Braun said.

Whether they are used for voter registration, online campaigning or announcing the results at the end of the election, they can be used to sow havoc.

“We know that Russia has done this before,” Braun said. “They did it in the Ukraine, where they hacked Ukrainian election results on the [Ukrainian] government Web site. Fortunately, the Ukrainians caught it and shut the Web site down, but then the Russians announced that their candidate had won on [English-language news channel] RT, when he hadn’t.”

Disarray ensued, and the Russian press had a foothold from which to begin spreading the allegation that the winner of the election was not legitimate.

Unfortunately for Braun, unlike voting machines, there is not a lot of interest in testing the security of the various states’ election Web sites.

“It’s really important, it’s a huge vulnerability, but the adult down in the Village wouldn’t find this interesting, because they could do it in two minutes,” he said.

Instead, Braun turned to Rootz, another Def Con staple, where the children of attendees experience their own mini hacking convention.

Armed with facsimiles of the Web sites of 13 battleground states and a child-friendly guide to basic hacking techniques, the kids were set loose on critical infrastructure and proceeded to tear it apart.

“It took an 11-year-old girl 10 minutes to do it and she was the first one,” he said.

After that, the convention cycled to a new state’s Web site every 30 minutes and another child would break it in less than 15 minutes, over and over.

At the point I arrived in the room, the Web site for the state of Colorado was being projected on the wall, declaring that the candidate for the “Comnnunism” party, Kim Jong-un, had won the state’s election with 1 quadrillion votes.

The runner-up, rapper Lil Pump, apparently standing for the Democratic party, had just under 46 million votes.

As the number of flaws discovered by Def Con attendees, young and older, mounts, the US government has taken an interest.

Comments will be moderated. Keep comments relevant to the article. Remarks containing abusive and obscene language, personal attacks of any kind or promotion will be removed and the user banned. Final decision will be at the discretion of the Taipei Times.

TOP top