I Just Hacked a State Election. I'm 17. And I'm Not Even a Very Good Hacker.

By River O'Connor, Politico

21 August 18

It took a lot less than you'd think for myself and my fellow teens to steal the midterms.

t took me around 10 minutes to crash the upcoming midterm elections. Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board’s database, I was able to shut down the website that would tally the votes, bringing the election to a screeching halt. The data were lost completely. And just like that, tens of thousands of votes vanished into thin air, throwing an entire election, and potentially control of the House or Senate—not to mention our already shaky confidence in the democratic process itself—into even more confusion, doubt, and finger-pointing.

I’m 17. And I’m not even a very good hacker.

I’ve attended the hacking convention DEF CON in Las Vegas for over five years now, since I was 11 years old. While I have a good conceptual understanding of how cyberspace and the internet work, I’ve taken only a single Python programming class in middle school. When I found out that the Democratic National Committee was co-sponsoring a security competition for kids and teens, however, my interest in politics fed into curiosity about how easy it might be to mess with a U.S. election. Despite that limited experience, I understood immediately when I got to Las Vegas this year why the professionals tend to refer to state election security as “child’s play.”

The Voting Machine Village at DEF CON, the aforementioned competition where attendees tackled vulnerabilities in state voting machines and databases, raised plenty of eyebrows among election boards and voting machine manufacturers alike. It’s a hard pill to swallow for the public, too: No one wants to believe that—after waiting in a lengthy line, taking time off from work or finding a babysitter in order to vote—their ballot could be thrown away, or even worse, altered.

Consequently, people started to take notice as reports came in from both the intelligence community and organizations like the DNC about the ease with which a foreign power could potentially do such a thing. Since electronic voting was introduced in the early 2000s, leaders in both Washington and our state capitals have repeatedly failed to keep up with rapid advances in information technology and cybersecurity.

The replica state election websites used in this year’s competition were built on MySQL, a database management system that stores data in simple tables containing columns and rows. By inputting a command into the search bar to see all the website’s tables, I could then see all of its data, including vote tallies, candidate names and tables of basic website functions. Once someone has that kind of access, they can do plenty of damage. First, the organizers instructed us to double candidates’ vote tallies. Then, with the assistance of volunteers, some of us easily changed the names of candidates or even their parties, or inflated the vote tallies to ridiculously high, Putinesque numbers.

The entirety of the hacking came down to entering no more than two lines of code: the first to display all columns and rows for the site, the second to alter the vote tally. Of the few dozen participants, most completed the very simple hack assigned by the instructors. About a quarter figured out how to rename or delete other candidates and their parties from the list.

But even after doing something as relatively tame, from a computer science perspective, as messing around with a few numbers, I wanted to see how much damage I could do without the competition’s instructions or staff assistance. First, I wrote down the IP address of the server hosting the competition, no different than the first step a foreign agent would take. Then, I accessed the DEF CON-hosted website from a secure Wi-Fi spot and Googled a list of common MySQL commands. The whole thing, from search to shutdown, took me less than five minutes.

To take down the entire website, all I needed to do was enter a command to drop the table—to remove it from the database entirely, in other words. This caused the page to return an execution error, which took a reset of the website’s host server to fix. Essentially, I had crashed the website, similar to the denial of service attacks more familiar to the public, but more direct and even more effective.

This is where the staff got a little bit confused, as the instructions had told us only how to change the number of votes. I had to crash the website again, right in front of them, before they believed I had anything to do with it.

The fact that someone as untrained as myself could theoretically bring an election to a screeching halt with nothing but a quick Google search should be a wake-up call. While inflating Gary Johnson’s vote tally to over 90 billion is good for a laugh, a more malicious agent—not to mention a team of well-funded and highly skilled hackers—could do real damage. A close congressional race could be flipped by the addition of a few hundred extra votes, the installation of malware, stolen security credentials, or the shutdown of a website during the final tally, like my escapade last week. The possibility, or even the likelihood, of such an event is precisely why the chief security officer of the Democratic National Committee, Bob Lord, interviewed me and my fellow competition participants to see what kind of defense those without experience could potentially develop.

I didn’t quite know what to expect when I started the competition, but I know it shouldn’t have been that easy. Someone with my skills wouldn’t have stood a chance against a professionally protected website. Anyone with a Wi-Fi-enabled device could theoretically have done what I did to the mock election database.

Unfortunately, the people who have the power to do something about this issue are in denial. But that doesn’t change the facts on the ground. America is supposed to set a world standard for free and open elections—the idea of “one person, one vote” is part of our identity. The failure to address such a widespread and well-documented effort by foreign powers to compromise that principle puts our democracy, and our position of leadership, at risk.

I’m still not particularly interested in a tech career, but one day I hope to be in a position to prevent something like this from happening in real life. After the competition, both the staff and the competitors agreed—we need a tech-literate government with the resources and the will to secure our elections. Or at least one that can stop a 17-year-old with basic command line skills and 10 free minutes between classes from electing Gary Johnson president-for-life.