vulnerabilities of hacking the "memory card' by developing procedures
for protecting the memory card from physical access. The mitigations
have revolved around placing tamper-evident security tape over the
access doors to the memory card slots, and even putting seals on the
doors covering the touchscreen unit itself. Then many localities send
the units home with poll workers sometimes weeks prior to the election.
Whether it is one day or three weeks, the TSx units are exposed to
physical access either by the poll worker, a family member or friend,
or even someone sneaking into the house or garage. Since there is no
background screening of poll workers, it would easy for someone will
malicious intent to become a poll worker. No matter the motive nor the
source of the attack, an attack can be accomplished. Election officials
claim that sleepovers are safe because of the seals in place. The
following analysis will show that on the TSx it is possible to access
the memory card electronically in seconds or minutes. There are two
methods neither of which require opening the case or the doors covering
the memory card ports.
ACCESSING THE TOUCH SCREEN
When the TSx is delivered to the poll worker it has two doors that
cover the touch screen. There are two holes at the top center of the
doors that offer a point where a lock or physical seal can be affixed.
At first glance it appears that the doors cannot be opened without
breaking the seal. Some jurisdictions place a seal on the case to show
if it has been opened. If that is the case then it would appear that
access to the modem would not be possible, nor access to the serial
port. But to save time and money in manufacturing Diebold has provided
an even easier method to access the electronic circuitry of the TSx.
This method does not require breaking any seals, or removing the bottom
half of the case.
There are two access ports that are accessible if the doors are removed
from in front of the touch screen itself. If the tablet containing the
touch screen is tilted forward there is a standard 9-pin serial port on
the back. There is also a non-standard in-line 9-pin serial port in the
slot where the supervisor card is normally inserted. Both access points
allow a person to connect a PC or other form of computer to the
internal circuitry on the TSx. In fact, there are adapters that will
allow the connecting of a USB device to the serial port.
REMOVING THE DOORS
The pictures attached show the hinge points by which the doors are
connected to the case. As you can see, the hinge is nothing more that
an extended tab that is at each outside edge of the doors. On the tab
is a little "knob" that is approximately 1/4" in diameter and
approximately 3/16" tall. The case has a hole at the top and bottom
that is approximately the same diameter. The door is installed by
lifting outwards on the "tab" just enough for it to slip into the hole.
The process for removing the door just reverses that procedure. You
will see a TSx that has had its doors removed so it could be used for
downloading memory cards at election central. They also remove the
doors so they can use the TSx to encode voter access cards at election
If someone wanted to access the touchscreen tablet itself all they
would need to do would be to lift the tabs outwards top and bottom on
one side and then on the other. At that point the two doors can be
lifted off and the seal will still be intact. Then the tablet can be
tilted forward and the serial port can be accessed. If the person has
the correct adapter they also could insert a card or connection to the
in-line 9-pin serial port. The person can then reach over to the left
side of the unit and depress the gray unmarked button just below the
bottom memory card door. Pushing in that button powers up the unit. The
switch behind that gray plastic is identical to the main power switch
that is behind the top memory card access door. Upon power up the WinCE
automatically looks for downloads.
The TSx units are delivered to poll workers already in "Election Mode".
In that mode the database in the memory card is vulnerable to the
Hursti I attack. The Flash memory, registry, and WinCE are also all
vulnerable to change. A virus or other contaminating program can also
be placed upon the memory card. That memory card is then downloaded and
eventually its contents, including the virus, can then be in the
central tabulating computer.
The doors are then re-attached and all seals are intact, mission
Using this method is close to the "perfect crime". The audit trail in
the TSx we know can be altered. We also know that the chance of anyone
actually being able to trace back the origin of an introduced virus is
virtually zero, even if anyone actually even tried.
In every examination to date of a voting system where security was
being investigated, and the actual physical machine was examined, they
have found major vulnerabilities. It is time all voting systems that
have been deployed and are being used be closely examined by security
TSx with doors closed and physical seal in place. Notice thin tab at
top right of the door.