A Florida man has been slapped with felony criminal hacking charges after gaining unauthorized access to poorly secured computer systems belonging to a Florida county elections supervisor. David Michael Levin, 31, of Estero, Florida, was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond, officials with the Florida Department of Law Enforcement said.
According to a court document filed last week in Florida’s Lee County and a video it cited as evidence, Levin logged in to the Lee County Elections Office website using the pilfered credentials of Sharon Harrington, the county’s supervisor of elections. Levin, who authorities said is the owner of a security firm called Vanguard Cybersecurity, also allegedly gained access to the website of Florida’s Office of Elections. Levin posted a YouTube video in late January that showed him entering the supervisor’s username and password to gain control of a content management system used to control leeelections.com, which at the time was the official website for the elections office. At no time did anyone from the county authorize Levin to access the site, officials said.
“Based on the evidence obtained regarding the SQL injections attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony,” prosecutors wrote.
As ill-advised as it was for Levin to log in to the website CMS, the video raises some unsettling concerns about the security of the Lee County elections website, which is used to display voting results, verify registration status, and provide ballots for upcoming elections. In the video, Levin shows how he was able to use a SQL injection attack to obtain the user names and plain-text passwords belonging to Harrington and at least 10 other account holders. He then shows how the password for Harrington’s account allowed him to enter the CMS and move through various application menus.