21 September 2014

Emery County Clerk Bruce Funk has been running elections for 23 years.
He was quite content with his optical scan system. The state of Utah thought
otherwise: On Dec. 27, Funk took delivery on 40 Diebold TSx touch-screen
machines, part of a statewide directive.

"I had concerns about Diebold," says Funk, "but I thought, 'If the state is going
to mandate it, then I guess they'll assume responsibility if anything goes wrong.'"

Not so. He soon learned that he will be responsible but the state will decide
what election system will count the votes.


Funk's concerns escalated when he heard a particularly unusual statement
by Diebold sales rep Dana LaTour.

"Some of you are going to hate my guts on Election Day," she said to the
assembly of elections officials. Later, another Diebold representative named
Drew was asked what LaTour meant when she said "Some of you are going
to hate my guts..."

"We're going to have problems on Election Day, and we're just going to have to
work through them," he said.


Shortly after Funk received his "brand new" TSx machines, Diebold helped him
do acceptance testing. Two of the 40 machines promptly failed the test. Diebold
arranged to take them away.

The remaining machines showed several defects -- crooked paper feeds that jam,
memory card bay doors that wouldn't close, parts getting stuck, coming loose, falling off.


Funk thought it might be a good idea to take a closer inventory.

He booted each machine up to check the battery. Some of the machines were
marked with little yellow dots, and he got to wondering about that, too. He studied
the screen messages, and noticed something very odd.

Most machines had about 25 MB of memory available, but some had only 7 MB of
free memory left. One had only 4 MB of available memory. For perspective, the
backup election file generated by the Diebold TSx is about 7.9 MB. Now why would
brand new voting machines have used-up memory?


This prompted Funk to seek an evaluation. He asked Black Box Voting to help
him analyze his voting system.

After several consultations, Black Box Voting determined that the nature of the
problems in Emery County might be systemic and might be national in scope.
Therefore, we arranged for and underwrote the services of Harri Hursti and
also Security Innovation, Inc.

Neither Funk nor Black Box Voting were prepared for the depth and breadth of the
problems discovered. Based on these discoveries we will begin with a series of
articles followed by concise, but more formal reports.


Hursti quickly determined the three most likely causes of the low memory problem:

1. There might be completely different software in the machines with low memory.

2. Some machines might contain different external data

3. Or, some of the machines might have been delivered with natively different
amounts of memory available.

Hursti approached issue #2 first. If the used memory was due to external data or
archived election files stored on the system, he reasoned, removing any such files
would clear the memory. He discovered that some of the machines did contain test
election data, and he deleted the extra data. This produced only a small improvement
in available memory, however.

As for issue #1, different programs on the machines -- or, the existence of something
stored in memory which is hidden, such a find would obviously be disturbing.

Issue #3, the possibility that some machines had different amounts of memory left in
their life cycle, is particularly troubling. The technology choice Diebold made -- memory
storage consisting of flash memory, which is known to degrade over time -- carries
with it a possibility that used machines will be near the end of their memory life cycle.
If such machines were delivered to Emery County as "new," this would be like buying
a "new" car with 100,000 miles already on it.

The only thing that was known about the cause of this problem was that there were
different amounts of memory. The reason remained to be discovered. In the course of
evaluating the reason for the low memory, we learned much more about the TSx.


Hursti also examined the remote communications capabilities of this system. He found
no infra-red (IrDA) ports.

"The whole thing here is that it's network aware even when RAS is not running. You're
not dialing out and it's network aware. And it's actually configured to use an Ethernet board..
.It's all the time network aware...Perhaps all you need is this Ethernet cord and a wireless
cord inserted and off you go."

Of course, the software would need to be installed for this kind of communications.
Unfortunately, we could find no way for elections officials to find out whether inappropriate
software is in the touch-screen.

"I haven't asked any 'pins' (Personal ID Number). It hasn't been hostile to me at all.
It's a very friendly guy," Hursti reports.

Hursti made a number of observations about the touch-screen, and connected it to
his laptop for further "conversation."

In the interest of brevity, we will return to this issue in a later article in this series.


It's common for polling places to have too few outlets for a bank of voting machines.
The normal cure is to set up hook the computers up in a daisy-chain configuration, with
one plug to the wall, and the rest of the plugs linking voting machines together.

Diebold's output plug falls out readily, exposing live 110 volt wall outlet power on
bare wires.

This happened on every TSx we tested, and presents a significant safety hazard for
poll workers, especially the elderly. According to Hursti, the electrocution might only
result in a burned hand, and probably wouldn't be fatal.

This is a design flaw worthy of a general recall for standard consumer and office electronics.


While analyzing the memory storage problem, Hursti discovered a critical security
hole in the foundation of the touch-screen. Then he found another in the "lobby,"
and another on the "first floor." Taken together, these present a potentially catastrophic
security hole.

These are not programming errors, but architectural design decisions.

Black Box Voting is turning the "road map" of the most dangerous security findings
over to the proper authorities. We won't let anybody sit on this for very long because
elections are looming and elections officials need to know what to do now.

A concise and more formal report will be released in a few weeks, and this will
discuss the procedures for preparing a recovery path for these security holes.


1. Source code reviews alone are NOT sufficient. Access to fully functional
systems MUST accompany source code reviews.

2. Honest election officials and citizens again take the lead in learning the truth
about voting machines. We ask for maximum public support for Bruce Funk, who
showed courage and commitment to responsible elections. The important and
effective work of Utah voting integrity advocates Kathy Dopp
(http://www.uscountvotes.org) and Jocelyn Strait should be applauded by fellow
activists. They have played an important role to inspire this study in Utah, which may
in turn assist with efforts in many other states.


Black Box Voting is a nonpartisan, nonprofit 501c(3) organization dedicated to
investigating issues of election accuracy and fairness.