Reports of kids effortlessly finding security flaws in state election websites at Def Con, a prominent hacking conference that was held this month in Las Vegas, were likely misleading, ProPublica is reporting. Indeed, the most widely circulated stories from this year’s conference had to do with the 40 children between the ages of 6 and 17 whom organizers set loose on replicas of election board websites. The kids were reportedly able to change the names of candidates and an 11-year-old was even able to crack a mock-up of the Florida secretary of state’s website and change the results within 10 minutes.
Election experts are now telling ProPublica that there are a number of reasons not to believe these hacks augur critical flaws in our actual voting system. For one, these websites display the results of an election, but they are not actually involved in tabulating the votes. The tabulation system is in fact housed separately from the election board websites, in part to prevent tampering. In addition, adults reportedly coached the kids to look for certain vulnerabilities in the mock-up websites, and organizers gave them cheat sheets.
Jake Braun, a co-organizer of the event, even told ProPublica that the replica websites were actually designed to be vulnerable to a common hack called an SQL injection attack. Still, he argues that the point of the exercise was to draw attention to the fact that many of these sites are in fact vulnerable SQL attacks, and that the coaching is beside the point. He told ProPublica, “We want elections officials to start putting together communications redundancy plans so they have protocol in place to communicate with voters and the media and so on if this happens on election day.” Election experts countered that states are aware of the flaw and are putting safeguards in place to prevent it from being exploited.
While it appears that the hubbub over kids being able to hack into these websites was overblown, the lax security of our election infrastructure is still an urgent issue facing the upcoming midterms. Another event that attracted media attention at Def Con featured adult hackers successfully tampering with tabulations in voting machines, an exercise that does not seem at the moment to have had the same sort of issues that the one with the kids did. Several midterm candidates and the Democratic National Committee have already been targeted by phishing campaigns. And a security research this month found that passwords, encryption keys, and other information from more than 6 million voter registration records were vulnerable to anyone who cared to look. Yet, Republicans in the House and Senate have voted down requests for more security funding in the run up to the midterm elections, despite warnings from intelligence officials. Who knows if a six-year-old could really breach our election systems—but there’s still a good chance that more mature hackers are going to try.