17 October 2014

Emery County Clerk Bruce Funk has been running elections for 23 years. He was quite content with his optical scan system. The state of Utah thought otherwise: On Dec. 27, Funk took delivery on 40 Diebold TSx touch-screen machines, part of a statewide directive.

"I had concerns about Diebold," says Funk, "but I thought, 'If the state is going to mandate it, then I guess they'll assume responsibility if anything goes wrong.'"

Not so. He soon learned that he will be responsible but the state will decide what election system will count the votes.

"YOU'RE GOING TO HATE MY GUTS ON ELECTION DAY"

Funk's concerns escalated when he heard a particularly unusual statement by Diebold sales rep Dana LaTour.

"Some of you are going to hate my guts on Election Day," she said to the assembly of elections officials. Later, another Diebold representative named Drew was asked what LaTour meant when she said "Some of you are going to hate my guts..."

"We're going to have problems on Election Day, and we're just going to have to work through them," he said.

FAILURES RIGHT OUT OF THE GATE

Shortly after Funk received his "brand new" TSx machines, Diebold helped him do acceptance testing. Two of the 40 machines promptly failed the test. Diebold arranged to take them away.

The remaining machines showed several defects -- crooked paper feeds that jam, memory card bay doors that wouldn't close, parts getting stuck, coming loose, falling off.

TAKING A CLOSER LOOK

Funk thought it might be a good idea to take a closer inventory.

He booted each machine up to check the battery. Some of the machines were marked with little yellow dots, and he got to wondering about that, too. He studied the screen messages, and noticed something very odd.

Most machines had about 25 MB of memory available, but some had only 7 MB of free memory left. One had only 4 MB of available memory. For perspective, the backup election file generated by the Diebold TSx is about 7.9 MB. Now why would brand new voting machines have used-up memory?

TIME TO GET A MORE IN DEPTH EVALUATION

This prompted Funk to seek an evaluation. He asked Black Box Voting to help him analyze his voting system.

After several consultations, Black Box Voting determined that the nature of the problems in Emery County might be systemic and might be national in scope. Therefore, we arranged for and underwrote the services of Harri Hursti and also Security Innovation, Inc.

Neither Funk nor Black Box Voting were prepared for the depth and breadth of the problems discovered. Based on these discoveries we will begin with a series of articles followed by concise, but more formal reports.

PART I

Hursti quickly determined the three most likely causes of the low memory problem:

1. There might be completely different software in the machines with low memory.

2. Some machines might contain different external data

3. Or, some of the machines might have been delivered with natively different amounts of memory available.

Hursti approached issue #2 first. If the used memory was due to external data or archived election files stored on the system, he reasoned, removing any such files would clear the memory. He discovered that some of the machines did contain test election data, and he deleted the extra data. This produced only a small improvement in available memory, however.

As for issue #1, different programs on the machines -- or, the existence of something stored in memory which is hidden, such a find would obviously be disturbing.

Issue #3, the possibility that some machines had different amounts of memory left in their life cycle, is particularly troubling. The technology choice Diebold made -- memory storage consisting of flash memory, which is known to degrade over time -- carries with it a possibility that used machines will be near the end of their memory life cycle. If such machines were delivered to Emery County as "new," this would be like buying a "new" car with 100,000 miles already on it.

The only thing that was known about the cause of this problem was that there were different amounts of memory. The reason remained to be discovered. In the course of evaluating the reason for the low memory, we learned much more about the TSx.

IS THERE AN INFRA-RED PORT FOR REMOTE COMMUNICATIONS?

Hursti also examined the remote communications capabilities of this system. He found no infra-red (IrDA) ports.

"The whole thing here is that it's network aware even when RAS is not running. You're not dialing out and it's network aware. And it's actually configured to use an Ethernet board.. .It's all the time network aware...Perhaps all you need is this Ethernet cord and a wireless cord inserted and off you go."

Of course, the software would need to be installed for this kind of communications. Unfortunately, we could find no way for elections officials to find out whether inappropriate software is in the touch-screen.

"I haven't asked any 'pins' (Personal ID Number). It hasn't been hostile to me at all. It's a very friendly guy," Hursti reports.

Hursti made a number of observations about the touch-screen, and connected it to his laptop for further "conversation."

In the interest of brevity, we will return to this issue in a later article in this series.

A "SHOCKING" DISCOVERY

It's common for polling places to have too few outlets for a bank of voting machines. The normal cure is to set up hook the computers up in a daisy-chain configuration, with one plug to the wall, and the rest of the plugs linking voting machines together.

Diebold's output plug falls out readily, exposing live 110 volt wall outlet power on bare wires.

This happened on every TSx we tested, and presents a significant safety hazard for poll workers, especially the elderly. According to Hursti, the electrocution might only result in a burned hand, and probably wouldn't be fatal.

This is a design flaw worthy of a general recall for standard consumer and office electronics.

DIEBOLD: DOWN FOR THE COUNT?

While analyzing the memory storage problem, Hursti discovered a critical security hole in the foundation of the touch-screen. Then he found another in the "lobby," and another on the "first floor." Taken together, these present a potentially catastrophic security hole.

These are not programming errors, but architectural design decisions.

Black Box Voting is turning the "road map" of the most dangerous security findings over to the proper authorities. We won't let anybody sit on this for very long because elections are looming and elections officials need to know what to do now.

A concise and more formal report will be released in a few weeks, and this will discuss the procedures for preparing a recovery path for these security holes.

TWO THINGS WE HAVE LEARNED ALREADY:

1. Source code reviews alone are NOT sufficient. Access to fully functional systems MUST accompany source code reviews.

2. Honest election officials and citizens again take the lead in learning the truth about voting machines. We ask for maximum public support for Bruce Funk, who showed courage and commitment to responsible elections. The important and effective work of Utah voting integrity advocates Kathy Dopp (http://www.uscountvotes.org) and Jocelyn Strait should be applauded by fellow activists. They have played an important role to inspire this study in Utah, which may in turn assist with efforts in many other states.

---
Black Box Voting is a nonpartisan, nonprofit 501c(3) organization dedicated to investigating issues of election accuracy and fairness.