4th of July: Unredacted Hursti reports released
Black Box Voting : From BBV:: BBV - 4th of July Fireworks: Unredacted Hursti reports, photos released
Posted by Bev Harris on Monday, July 03, 2006 - 02:54 pm:
States and local jurisdictions did not take sufficient action to mitigate risks.
Black Box Voting has provided the following to VoterAction.org for its litigation. This will become a public record via the litigation filed by Lowell Finley. Because public officials who have received the unredacted reports have failed to take this risk seriously and arrange for appropriate mitigations, and because Black Box Voting believes this information is of critical public interest for pending litigation and citizen actions, we are releasing it publicly now.
HERE'S AN INFORMAL SYNOPSIS OF THE UNMITIGATED RISKS IN THE DIEBOLD TSX:
A huge risk to the integrity of elections is a contaminated bootloader. Here's why: If you own the bootloader, you own the machine. The source code for the TSx, along with the technical data package, have been publicly released since 2003. Estimates are that it would take approximately three months for a reasonably skilled programmer to design a working malicious bootloader.
You cannot clean a maliciously designed bootloader with the mitigations performed so far by state officials (replacing programs via memory cards).
HERE ARE SOME SPECIFIC PROBLEMS WITH THE DIEBOLD BOOTLOADER:
1) It appears not to have been examined by the Independent Testing Authorities (ITAs). Therefore, we don't even know whether the original bootloader contains malicious code.
2) There appears to be no authentication procedure when installing "clean versions" to ensure that the code is the same as that which was examined by the ITAs (and in this case, the ITAs didn't even examine it).
3) There is no forensic test that will reveal a malicious bootloader
4) Because of the design of the Diebold TSx machine, a malicious bootloader can be installed at any time from factory installation to the election itself. Once a bootloader is contaminated, it can control the machine permanently.
A contaminated bootloader, especially in combination with other security issues in the TSx, has the potential to allow manipulation on an election-by-election basis, at any time during the election cycle and even years in advance of the election.
5) The Diebold TSx machine's motherboard contains a JTAG connection which can be used to take control of the motherboard. Although you cannot reliably clean a malicious bootloader by reinstalling it with a memory card, you can install a pristine version using the JTAG cable.
However, there appears to be no pristine version of the bootloader, since it has never been examined by the ITAs.
6) Unfortunately, the JTAG connector can be used to overwrite a so-called authentic and proper bootloader with a malicious one. Thus, even if a so-called pristine bootloader is installed via the JTAG connector, the same connector can be used to replace that one with a new one at any time.
7) In order to access the JTAG connection, you must pop open the case to the TSx tablet. Unfortunately, the case on the TSx is designed with no security. You can open it by unscrewing 8 standard phillips head screws, access the JTAG connector, replace the bootloader and control the machine for the rest of its life, despite L&A tests, reinstallations of "clean" copies via memory cards or network connections, etc.
8) TSx machines in California -- 10,000 machines in San Diego alone -- were sent home for "sleepovers" with poll workers in back in 2004, when they were used for the March primary election. Over 1,000 machines originally used in Solano County, Calif, are now being used in Johnson County, Kansas. The TSx machines are now being used throughout the states of Mississippi, Utah, in dozens of Ohio counties, and in many high-population California counties. A case can be made that the Diebold TSx machine will dictate control of the U.S. congress in November.
The sleepovers broke chain of custody. The combination of unsecured cases with the ability to quickly alter the bootloader using the JTAG connector means these machines cannot be considered "trusted" until proper mitigations are done.
- The "official" bootloader needs to be sent to the ITAs for examination, as well as provided to state voting machine examiners.
- An authentication device needs to be used to make sure that this bootloader code, once examined by test labs, is the authentic version of the code
- Once this is done, each of the cases needs to be opened and an authentic clean bootloader installed using the JTAG cable.
- After this is done, the cases need to be sealed with tamper-evident mechanisms. Note that "tamper evident" tape is quite different from "tamper resistant" tape. Tamper evident tape should leave an indelible mark if removed.
Note that the TSx tablet is stored inside a case, and is also seated in the case during elections. It may be difficult to observe whether the tablet has been opened -- even with tamper evident mechanisms -- unless it is removed from the case.
- Due to the severity of this security defect, and the deceptiveness with which Diebold Election Systems has handled this situation, all citizens who vote on these machines should be able to see for themselves that the proper mitigations were done and that the case has not been opened. This means:
a. The ITA review of the bootloader code should be done immediately and the report should be made public.
b. The authentication methodology should be identified to the public.
c. The opening of the case and the installation of authentic, approved bootloaders should be publicly announced and viewable by the public. This process should be performed by public officials, not by Diebold Election Systems.
d. The sealing of the case should be publicly viewable.
e. The case should be sealed in such a way that poll workers and the public can verify that cases have not been opened when the machines are deployed on election day.
IN A SANE WORLD, THESE MACHINES WOULD BE RECALLED.
According to recent PBS coverage, the reason NASED and/or the EAC have given for failing to require a recall of the Diebold TSx is that it would involve a lot of litigation and trouble.
It would not, of course, require litigation if Diebold initiated it.
Also, when you pop the tablet casing open, you can also pop out the modem and install another device in place of the approved modem. You can also insert an SD card wireless card in the slot.
Problems with sealing the case after delivery:
- Elections officials don't know if the legitimate modem or a wireless modem is inside the case
- Elections officials don't know if there is an SD wireless card in the slot
- The only way to find out is to open the case, which invalidates the warranty
HERE ARE THE UNREDACTED HURSTI REPORTS:
IS THE CONFIGURATION GUIDE:
HERE IS THE SOURCE CODE (Diebold will claim it is
"old" of course)
closeup (Section E4)
of SD card slot:
of modem (underneath it are piggyback
unfortunately we did
not get a photo of them)
HERE IS THE FIRST BATCH OF PHOTOGRAPHS:
Small versions will be uploaded in a day or two and will be appended to this.
THE SYNOPSIS OF THE BOOTLOADER ISSUE WAS WRITTEN BY BEV HARRIS AFTER CAREFUL REVIEW OF THE VIDEOTAPES AND INTERVIEWS WITH HARRI HURSTI AND SECURITY INNOVATION. IF YOU SPOT ANY TECHNICAL CORRECTIONS OR SEE A STATEMENT THAT REQUIRES FURTHER QUALIFICATION, PLEASE NOTIFY US AND WE WILL EVALUATE AND ISSUE AN APPROPRIATE CLARIFICATION OR CORRECTION IF WARRANTED.
Permission to reprint granted, with link to http://www.blackboxvoting.org
* * * * *
Black Box Voting is a nonpartisan, nonprofit 501c(3)
elections watchdog group funded entirely by citizen
donations. To support our work, click to http://www.blackboxvoting.org/donate.html
or mail to: Black Box Voting
330 SW 43rd St Suite K
Renton WA 98055
To sign up for the
National Hand Count Registry click here:
Use this link to go directly to full article: