Vanguard Cybersecurity man David Levin was arrested after exploiting and disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections website.
The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into Lee County state elections website on 19 December. Levin (@realdavidlevin) faced three third-degree felony counts of property crime. Levin was released on a US$15,000 bond.
A Florida Department of Law Enforcement official said in a statement that Levin turned himself in after an arrest warrant was issued.
"Levin used a specialist software program to obtain illegal access to the Lee County state elections website and while he had access he obtained several usernames and passwords of employees in the elections office," we're told. "Levin then went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas.
"All this was done without Levin seeking permission from the elections office."
Police seized computers from Levin's house in a February raid.
Levin detailed the SQL injection in a YouTube video shot with elections supervisor Dan Sinclair explaining how he used the Havij security tool to find the holes. He says he then used credentials stored in cleartext to login to supervisor accounts.
"This is about as sophisticated as a system was 10 years ago and this is 2016," Levin says in the video. Sinclair said Levin "did nothing wrong" and was "a whistleblower," describing his arrest as horrible.
"Dave didn't cause these problems, he only reported them," Sinclair said, adding that the elections office could not previously detect intrusions. Levin also provided defensive measures to the state about how it could fix the hole and detect further intrusions.
It is worth noting that security guy Dan Kaminsky's 2012 Whitehat hacker guide is still solid advice for bug hunters who hope to reverse the sorry state of internet security without getting arrested.