Tulsi Gabbard Says a Teen Hacked a Replica of Florida's Election System. She's Wrong

Election security is a real issue, but Gabbard is not helping by getting the facts wrong about a hack that was demonstrated at Def Con 2018.
Image: Photo by Sean Rayford/Getty Images

The threat of Russian hacking and election interference is very much a presence in the lead up to the 2020 presidential elections. And Hawaii Rep. and presidential candidate Tulsi Gabbard has been one of the more outspoken candidates when it comes to that danger.

On Friday, Gabbard went on HBO's Real Time with Bill Maher and sounded the alarm once again.

“We have to take seriously the security of our elections because of the vulnerabilities that exist—still now—that really have the ability to undermine our democracy,” Gabbard said.


She then said that America's election security is in such a vulnerable state that a teenage hacker managed to compromise a “replica” of Florida's election system.

“There’s a hacking conference that’s held every year in Las Vegas where I think a 14 or 15-year old-girl from Florida hacked into a replica of Florida’s election system in less than 15 minutes,” she said.

This talking point gets people's attention about election security, but it's also factually wrong. A teenager did not hack a replica of Florida's election system.

Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Gabbard was talking about the Def Con hacking conference, and specifically about an event held last year: a hacking competition for young hackers where organizers set up look-alikes of election websites and asked the participants to hack them. Organizers gave participants “clones” of state election websites with vulnerabilities inserted by the organizers. In particular, the sites were designed to be vulnerable to SQL injection attacks, one of the most ancient—and yet still very common—hacks ever.

Moreover, in the real world, these election websites don’t actually tabulate votes. Hacking one of these websites on election day could theoretically cause some temporary confusion, but it will not change the results of an election. These were not the real elections systems deployed in Florida or anywhere else in the country. These were systems intentionally made more vulnerable in an attempt to help participants crack the competition. But this hasn’t stopped anyone from taking it too seriously, and misjudge the competition’s significance. Unfortunately several media outlets such as TIME magazine, ran with exaggerated and misleading headlines spreading disinformation that Gabbard is now helping spread even more.


Last Friday wasn’t the first time Gabbard wrongly stated that teenager hacked a replica of Florida's election system. In September of last year during the Joe Rogan podcast, Gabbard made the same point referencing the Def Con competition, again without realizing that it was just a simulation, and its results shouldn’t necessarily be taken as an indictment of real elections systems.

It’s great that some candidates are taking election hacking as a serious issue. But if candidates like Gabbard want to champion this issue and take it seriously, they need to get their facts right.

As Motherboard contributor Kim Zetter has reported for years, voting machines and computer systems used in the election have serious vulnerabilities that should be addressed before it’s too late, but mischaracterizing the nature and results of a Def Con event will not help the case.

Gabbard’s presidential campaign did not immediately respond to a request for comment.

Subscribe to our new cybersecurity podcast, CYBER.