to the TSx tablet. Unfortunately, the case on the TSx is designed with
no security. You can open it by unscrewing 8 standard Phillips-head
screws, access the JTAG connector, replace the bootloader and control
the machine for the rest of its life, despite L&A tests,
reinstallations of "clean" copies via memory cards or network
connections, etc.
8) TSx machines in California -- 10,000 machines in San Diego alone --
were sent home for "sleepovers" with poll workers back in 2004,
when they were used for the March primary election. Over 1,000
machines originally used in Solano County, Calif., are now being used
in Johnson County, Kansas. The TSx machines are now being used
throughout the states of Mississippi, Utah, in dozens of Ohio
counties, and in many high-population California counties. A case can
be made that the Diebold TSx machine will dictate control of the U.S.
Congress in November.
The sleepovers broke chain of custody. The combination of unsecured
cases with the ability to quickly alter the bootloader using the JTAG
connector means these machines cannot be considered "trusted" until
proper mitigations are done.
Proper mitigations:
examination, as well as provided to state voting machine examiners.
- An authentication device needs to be used to make sure that this
bootloader code, once examined by test labs, is the authentic version
of the code.
- Once this is done, each of the cases needs to be opened and an
authentic clean bootloader installed using the JTAG cable.
- After this is done, the cases need to be sealed with tamper-evident
mechanisms. Note that "tamper evident" tape is quite different from
"tamper resistant" tape. Tamper evident tape should leave an indelible
mark if removed.
Note that the TSx tablet is stored inside a case, and is also seated
in the case during elections. It may be difficult to observe whether
the tablet has been opened -- even with tamper evident mechanisms --
unless it is removed from the case.
- Due to the severity of this security defect, and the deceptiveness
with which Diebold Election Systems has handled this situation, all
citizens who vote on these machines should be able to see for
themselves that the proper mitigations were done and that the case has
not been opened. This means:
a. The ITA review of the bootloader code should be done immediately
and the report should be made public.
b. The authentication methodology should be identified to the public.
c. The opening of the case and the installation of authentic, approved
bootloaders should be publicly announced and viewable by the public.
This process should be performed by public officials, not by Diebold
Election Systems.
d. The sealing of the case should be publicly viewable.
e. The case should be sealed in such a way that poll workers and the
public can verify that cases have not been opened when the machines
are deployed on election day.
In a sane world, these machines would be recalled.
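
Added example, not part of the original article and not code from Diebold or any test lab: one way the authentication step in the mitigations above could be checked across a fleet. It assumes the lab-approved bootloader image is published, each machine's whole bootloader region is read back to a file, and the region is flash that reads 0xFF when erased; the region size, serial numbers and image bytes are constructed for illustration. It compares the whole region rather than only the image's length, so bytes written into unused space after an intact approved image are still flagged.

```python
import hashlib
import hmac

REGION_SIZE = 0x1000  # assumed bootloader region size (hypothetical value)
ERASED = 0xFF         # assumption: erased flash bytes read back as 0xFF


def approved_region_digest(approved_image, region_size=REGION_SIZE):
    """SHA-256 of the region as it should look after a clean install:
    the approved image followed by erased bytes up to the region end."""
    if len(approved_image) > region_size:
        raise ValueError("approved image is larger than the bootloader region")
    pad = bytes([ERASED]) * (region_size - len(approved_image))
    return hashlib.sha256(approved_image + pad).hexdigest()


def audit_fleet(expected_digest, readbacks, region_size=REGION_SIZE):
    """Map each machine serial to 'match', 'MISMATCH' or 'BAD-LENGTH'."""
    results = {}
    for serial, dump in sorted(readbacks.items()):
        if len(dump) != region_size:
            # A short or long read-back cannot be compared; never treat as OK.
            results[serial] = "BAD-LENGTH"
            continue
        actual = hashlib.sha256(dump).hexdigest()
        ok = hmac.compare_digest(actual, expected_digest)
        results[serial] = "match" if ok else "MISMATCH"
    return results


# Constructed sample data, not real firmware.
APPROVED = b"APPROVED-BOOTLOADER-v1" * 40
TAIL = REGION_SIZE - len(APPROVED)
clean = APPROVED + b"\xff" * TAIL
# Approved image intact, but extra bytes present in the unused tail.
slack = APPROVED + b"EXTRA-BYTES" + b"\xff" * (TAIL - 11)
# One bit altered inside the approved image itself.
patched = bytearray(clean)
patched[10] ^= 0x01

SAMPLE_READBACKS = {
    "SN-0001": clean,
    "SN-0002": slack,
    "SN-0003": bytes(patched),
    "SN-0004": clean[:-1],  # truncated read-back
}

if __name__ == "__main__":
    digest = approved_region_digest(APPROVED)
    for serial, verdict in audit_fleet(digest, SAMPLE_READBACKS).items():
        print(serial, verdict)
```

A check that hashed only the first len(APPROVED) bytes would pass SN-0002, which is why the whole region is compared.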