Hacking the US mid-terms? It's child's play
Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy.
“I’m going to try and change the votes for Donald Trump,” she tells me.
“I’m going to try to give him less votes. Maybe even delete him off of the whole thing.”
Fortunately for the President, Bianca is attacking a replica website, not the real deal.
She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”.
Its aim is to send out a dire warning: the voting systems that will be used across America for the mid-term vote in November are, in many cases, so insecure a young child can learn to hack them with just a few minute’s coaching.
"These are the websites that are very important because they report the election results to the public,” explained Nico Sell, the founder of R00tz Asylum.
“They also tell the public where to go to vote. You could imagine if either of these two things were changed, the chaos that would ensue.”
Hacking the real websites would be illegal. So instead, Ms Sell’s team created 13 sites that mimicked the real websites, gaping vulnerabilities and all, for 13 so-called “battleground" states - parts of the country where the vote is expected to be tight.
Over the course of a day, 39 kids aged between 8 and 17 took the challenge - 35 of them succeeded in bypassing the trivial security. Pranks ensued. At one time the site told us 12 billion votes had been cast. Later, we were told that candidate “Bob Da Builder” was the victor.
The first competitor to break in was 11-year-old Audrey Jones. It took her 10 minutes.
“The bugs in the code makes us [able] to do whatever we want,” she tells me.
"We call somebody our own name if we want to, make it look like we won the election!”
The contest was part of the kids' zone at Def Con, the annual hacking conference in Las Vegas. This year it was attended by more than 300 eager children, trying everything from lock picking to soldering. At one table I meet two-year-old Catherine Sabonis, happily picking apart a debit card reader. Organisers tell me around half of the attendees are girls.
This year is the first time election hacking has been a theme, one which was inspired by similar hacks being carried about by adult attendees at 2017’s show.
While the hacks learnt here wouldn’t change actual vote counts - even if carried out for real - they could alter how the vote results were displayed on official websites. It doesn’t take much imagination to picture the furore that would be caused were an official election website to declare the wrong candidate the winner.
The fallibility of these systems has been of concern since 2016’s presidential election, and in some cases well before that. Each state in the US is able to come up with its own system, and with budgets tight, many are relying on poorly secured databases and voting machines that run software that’s well over a decade old.
‘Our democracy is at risk'
Last month, Congress voted along party lines and rejected an amendment put forward by the Democrats. It would have injected $380m into boosting voting security during 2019, renewing a grant of the same amount approved in a previous budget.
A heated session culminated in supporters of the amendment chanting “USA! USA!” in the House - but it wasn’t enough to win over Republican votes.
“We need to take this threat really seriously,” says Ms Sell. “The Secretary of State websites should not be this vulnerable. These are known vulnerabilities. It’s something that we as a society need to gather together and fix, because our democracy is at risk.”
Taking a brief break from hacking, Bianca hands me a sticker with her social media persona on it. I promised I’d give it a plug. I ask her if she’s worried about the lack of security on the websites she’d been attacking, with great success, throughout the day.
“We should have it way [more] secure,” she says. “Russians are out there, people."
Follow Dave Lee on Twitter @DaveLeeBBC
Do you have more information about this or any other technology story? You can reach Dave directly and securely through encrypted messaging app Signal on: +1 (628) 400-7370