How a security pro’s ill-advised hack of a Florida elections site backfired

Share this…

Whistleblowing is overshadowed when SQL injection gives way to unauthorized access. A Florida man has been slapped with felony criminal hacking charges after gaining unauthorized access to poorly secured computer systems belonging to a Florida county elections supervisor.

David Michael Levin, 31, of Estero, Florida, was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond, officials with the Florida Department of Law Enforcement said. According to a court document filed last week in Florida’s Lee County and a video it cited as evidence, Levin logged into the Lee County Elections Office website using the pilfered credentials of Sharon Harrington, the county’s Supervisor of Elections. Levin, who authorities said is the owner of a security firm called Vanguard Cybersecurity, also allegedly gained access to the website of Florida’s Office of Elections.

Levin posted a YouTube video in late January that showed him entering the supervisor’s username and password to gain control of a content management system used to control, which at the time was the official website for the elections office. At no time did anyone from the county authorize Levin to access the site, officials said.

“Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony,” prosecutors wrote.

Unsettling concerns

As ill-advised as it was for Levin to log in to the website CMS, the video raises some unsettling concerns about the security of the Lee County elections website, which is used to display voting results, verify registration status, and provide ballots for upcoming elections. In the video, Levin shows how he was able to use a SQL injection attack to obtain the user names and plain-text passwords belonging to Harrington and at least 10 other account holders. He then shows how the password for Harrington’s account allowed him to enter the CMS and move through various application menus.

According to Dan Sinclair, a Lee County resident who is candidate running against Harrington for the Elections Supervisor post, Levin used a separate SQL injection attack to obtain plain-text passwords for the state’s Office of Elections website, but never used them to log in. Sinclair told Ars that Levin discovered the vulnerabilities on his own and then notified Sinclair of the findings. Sinclair said Levin is declining to speak to reporters pending the outcome of the case filed against him. Ars was unable to reach Levin directly.

Officials at the Lee County Elections Office told Ars that, contrary to the claims of Levin and Sinclair, the security of the all elections systems—including voter registration, vote tabulations, and website—were never at risk. The server that was vulnerable to Levin’s SQL injection attack, they said, had been retired in October. At the time of Levin’s attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn’t vulnerable to the attack, they said. Similarly, the CMS Levin logged into had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. People logging into it didn’t have the ability to post new pages to the site or to access voter data or tabulation systems, they said.

Ultimately, the picture that emerges from the hack and the resulting arrest provides cautionary tales for the entire cast of characters. An elected official charged with ensuring the security of her department’s computer systems allowed servers operated by her office to remain vulnerable to hacks that are so common that even unskilled script kiddies can carry them out with aplomb. As anyone with even a passing familiarity of network security knows, hackers are often able to pivot from low-level systems to more sensitive ones. And even if the unauthorized access in this case couldn’t be escalated, the hacks can give rise to the appearance of insecurity, which is never good for democracy, especially in a state like Florida, where confidence in voting systems is already lacking.

But it’s equally problematic for Levin to have posted a video showing him using pilfered credentials to log into a system he had no authorization to access. Levin’s commendable deed in blowing the whistle on lax security practices in Lee County’s Elections Office has been overshadowed by actions of his own doing and very well may result in him having a criminal record for the rest of his life.