Emery County Clerk Bruce Funk has been running elections for 23 years. He was quite content with his optical scan system. The state of Utah thought otherwise: On Dec. 27, Funk took delivery of 40 Diebold TSx touch-screen machines, part of a statewide directive.
"I had concerns about Diebold," says Funk, "but I thought, 'If the state is going to mandate it, then I guess they'll assume responsibility if anything goes wrong.'"
Not so. He soon learned that he will be responsible but the state will decide what election system will count the votes.
Funk's concerns escalated when he heard a particularly unusual statement by Diebold sales rep Dana LaTour.
"Some of you are going to hate my guts on Election Day," she said to the assembly of elections officials.
Later, another Diebold representative named Drew was asked what LaTour meant when she said "Some of you are going to hate my guts..."
"We're going to have problems on Election Day, and we're just going to have to work through them," he said.
Failures right out of the gate
Shortly after Funk received his "brand new" TSx machines, Diebold helped him do acceptance testing. Two of the 40 machines promptly failed the test. Diebold arranged to take them away.
The remaining machines showed several defects -- crooked paper feeds that jam, memory card bay doors that wouldn't close, parts getting stuck, coming loose, falling off.
Taking a closer look
Funk thought it might be a good idea to take a closer inventory.
He booted each machine up to check the battery. Some of the machines were marked with little yellow dots, and he got to wondering about that, too. He studied the screen messages, and noticed something very odd.
Most machines had about 25 MB of memory available, but some had only 7 MB of free memory left. One had only 4 MB of available memory. For perspective, the backup election file generated by the Diebold TSx is about 7.9 MB. Now why would brand new voting machines have used-up memory?
Time to get a more in-depth evaluation
This prompted Funk to seek an evaluation. He asked Black Box Voting to help him analyze his voting system. BBV arranged for and underwrote the services of Harri Hursti and a Massachusetts-based company specializing in security, Security Innovation, Inc.
Quite a bit was learned about the system. The information has been organized into a series of news-style reports which will be followed by a concise formal report.
Part I
Hursti quickly determined the three most likely causes of the low memory problem:
- There might be completely different software in the machines with low memory.
- Some machines might contain different data.
- Or, some of the machines might have been delivered with natively different amounts of memory available.
Hursti approached issue #2 first. If the used memory was due to data or archived election files stored on the system, he reasoned, removing any such files would clear the memory. He discovered that some of the machines did contain test election data, and he deleted the extra data. This produced only a small improvement in available memory, however.
As for issue #1 -- different programs on the machines, or the existence of something hidden stored in memory -- such a find would obviously be disturbing.
Issue #3, the possibility that some machines had different amounts of memory left in their life cycle, is particularly troubling. The technology choice Diebold made -- memory storage consisting of flash memory, which is known to degrade over time -- carries with it a possibility that used machines will be near the end of their memory life cycle. If such machines were delivered to Emery County as "new," this would be like buying a "new" car with 100,000 miles already on it.
The only thing that was known about the cause of this problem was that there were different amounts of memory. The reason remained to be discovered. In the course of evaluating the reason for the low memory, we learned much more about the TSx.
Is there an infra-red port for remote communications?
There have been Internet reports that an infra-red communications port exists on the Diebold touch-screens. The concern was that this port would be used to achieve remote access into the machines.
Hursti examined the remote communications capabilities of this system. He found no infra-red (IrDA) ports.
Hursti did make several notations about networking capabilities.
"It's network aware even when RAS is not running. You're not dialing out and it's network aware. And it's actually configured to use an Ethernet board...It's all the time network aware...Perhaps all you need is this Ethernet card and a wireless card inserted and off you go."
Of course, the right software would also need to be installed to enable communications.
"I haven't been asked any 'pins' (Personal ID Number). It hasn't been hostile to me at all. It's a very friendly guy."
Hursti made a number of observations about the touch-screen, and connected it to his laptop for further "conversation."
A later article in this series will transcribe some of the exploration process of the touchscreen networking functions. The testing was videotaped.
A "Shocking" discovery
It's common for polling places to have too few outlets for a bank of voting machines. The normal cure is to hook the computers up in a daisy-chain configuration, with one plug to the wall, and the rest of the plugs linking voting machines together.
Diebold's output plug falls out readily, exposing live 110 volt wall outlet power on bare wires.
This happened on every TSx we tested, and presents a significant safety hazard for poll workers, especially the elderly. According to Hursti, the electrocution might only result in a burned hand, and probably wouldn't be fatal.
This is a design flaw worthy of a general recall for standard consumer and office electronics.
Diebold: Down for the count?
Like Timex, this company takes a licking but keeps on ticking.
However, while analyzing the memory storage problem, Hursti discovered a critical security hole in the foundation of the touch-screen. Then he found another in the "lobby," and another on the "first floor." Taken together, these appear to present a potentially catastrophic security hole.
These are not programming errors, but architectural design decisions.
The "road map" of the most troubling security findings is being turned over to the proper authorities. After this, the information will be made public. We won't let anybody sit on this for very long because elections are looming and elections officials need to know what to do now.
A recovery path for these security holes is possible. The remediation of the problem will be described as well, first to the appropriate authorities and shortly after, to the general public.
Two things learned
- Source code reviews alone are NOT sufficient. Access to fully functional systems MUST accompany source code reviews. The scientists who performed the recent California testing reportedly were not allowed to examine a working system, and were only allowed to look at the source code. Examining the working machinery provided information that is unlikely to be discovered in a source code review.
- Honest election officials and citizens have again taken the lead in learning the truth about voting machines. At this time it is appropriate to urge maximum public support for Bruce Funk, who showed courage and commitment to responsible elections. The important and effective work of Utah voting integrity advocates Kathy Dopp (http://www.uscountvotes.org) and Jocelyn Strait should be applauded by fellow activists. They have played an important role in inspiring this study in Utah, which may in turn assist with efforts in many other states.