Diebold voting systems critically flawed
'It is like the nuclear bomb for e-voting systems'
When Bruce Funk called in BlackBoxVoting to look at some strange memory issues with Diebold voting systems in Utah, finding the "nuclear bomb" of e-voting security was not on his agenda.
As the auditor and clerk for Emery County, a large rural bite out of the middle of Utah, Funk had noticed that the county's voting machines - provided by Diebold - were having various maintenance issues. Because Utah had adopted a requirement for a verified voter paper audit trail - essentially a printout of a person's vote - Funk needed the printers to work flawlessly. However, they frequently jammed. Moreover, electrical cords had pulled out from the machines with components attached. Those issues made Funk believe the machines may not have been new, but refurbished.
A Diebold technician told the county auditor early this year that any components with problems would have to be replaced. Funk decided to do a manual check of the systems to find any other issues and discovered that the machines had a variety of different file sizes on backup memory. Uncertain why that should be and wanting an independent opinion, he contacted the e-voting muckraking group BlackBoxVoting to come and look at one of the systems, he said.
In March, BlackBoxVoting flew in Harri Hursti, a Finnish voting-machine security expert with whom the group had frequently collaborated. Funk remembers that he was surprised by what Hursti could do with only poll-worker-level access to the machine.
"He was able to - from the keyboard that appears on the machine - create a macro that doesn't even show up that you created it, go and pickup a program through the modem, and run it," Funk said during an interview with SecurityFocus from his home in Clawson, Utah. "I was thinking that this was not right."
As Hursti got more familiar with the machine, he and members of BlackBoxVoting, who were videotaping the process, became more concerned, Funk said.
"It became so serious, that my concern about memory was minor," he said. "They told me that the information that they'd found had to go to certain federal agencies and certain things had to be done before the issues were made public."
Officials in Utah apparently were not concerned with the security of the systems, but with what they considered a breach in authorization. State officials and representatives of Diebold told Funk that he had cost the county more than $40,000 in damages because Diebold technicians would have to return to the county and recertify the systems, according to transcripts of the public parts of an April meeting in Emery County published by BlackBoxVoting.
"The reason that we’re here today is because Mr. Funk, on his own, has gone outside that system and compromised the integrity of not only Emery County’s elections, but also the State of Utah and any other jurisdiction of the United States that is using this equipment, simply because he wouldn’t call and ask these questions that these people and the Lieutenant Governor’s staff know the answers to," said Utah's State elections director, Michael Cragun, according to the transcript. "It seems to me it’s inappropriate to be in this meeting now answering these questions he should have asked before he compromised the integrity of this system."
The officials asked for Funk's resignation, which he gave verbally at the meeting.
"They basically said that they have people that want to have you removed," Funk said. "This whole weight fell on me and I said, 'I'm so tired, just let me out.'"
By the next morning, he decided to fight the process, but he was informed that a verbal agreement to resign was enough, he said. Calls to both Diebold and the office of the governor of Utah by SecurityFocus were not returned.
Meanwhile, Funk maintains that he did what the county's voters elected him to do: Look out for their interests in a fair election process.
"Basically, (Utah officials) tried to portray BlackBoxVoting as some radical organization, and they portrayed me as a renegade villain," he said. "They don't want this to come out, but it needs to come out at a national level."
Sponsored: The Nuts and Bolts of Ransomware in 2016