Cracking a Diebold - In 4 minutes and 12 Dollars

Intro

!How It is Supposed to Work\nThe memory card sits in a recessed slot exposed on the outside of the computer ( not unlike how many laptop computers, ~PDAs and video games have a card/cartrige slot). If it were not for a metal "security" flap covering the slot it you could pull it right out and replace it without any tools. \n\n[img[http://static.flickr.com/82/232907143_347fd445aa.jpg][http://www.blackboxvoting.org/accuvote-memory-door-in-out.jpg]\n\nThe cover plate is anchored in place by a single Bolt about which it can pivot. In legitmate use, someone wanting to insert the memory cards pivots it out of the way. When the plate is covering the card slot, it's held loosely in position by spring tension and retaining post a drilled hole in the plate lines up with. So to move the plate out of position you bend it's right side slightly away from the unit so the hole clears the retaining post, then twist it away. \n\n[img[http://static.flickr.com/80/232907136_d36d072070.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-put-in.jpg]]\n\nThis cover plate is obviously sort of an after thought since the retaining post is not actually a post, but simply the head of another exposed Bolt that fortuitously happend to be in the right place. Indeed even the bolt that the plate pivots on is actually another bolt that happened to be on the other side of the slot. \n\n//So far, there's no actual security, since the plate is not in any way locked in place. //\n\n!The Fig Leaf\nThe actual security comes from a tag placed through the retaining post/bolt. When the tag is in place the plate cannot be bent to clear the retain post, without breaking the plastic tag. Tags are not meant to prevent anyone from actually accessing it but to provide nominally irreversable tamper evidence that an access happened after the fact. One could imagine replacing the Tag with something sturdier like a metal lock, but [[The Backdoor]] we now show would work the same.\n\n[img[http://static.flickr.com/82/232922974_b718b5a234.jpg?v=0][http://www.blackboxvoting.org/accuvote-sealed.jpg]]\n\nThe tag is the orange doo-dad clipped through the head of the bolt. The pictured one is an actual tag used by King County (WA) retrieved from the trash. Since it was used it was broken (as part of it's normal usage cycle) when it was removed. For this demo let's pretend it's intact and hold it in place with a rubberband. \n\n//As you will see, the tag, intact or not, will never be disturbed, by [[The Backdoor]]//\n

!How easy is it to hardware hack a Voting Machine?\nA couple of untrained 54-year old women from Black Box Voting bought $12 worth of tools and in four minutes penetrated the memory card seals, removed, replaced the memory card, and sealed it all up again without leaving a trace.\n\n[[The Experiment]] on an actual Diebold voting machine shows that the seals do nothing whatever to protect against access by insiders after testing, and the seals also are worthless in jurisdictions like Washington, Florida, California, and many other locations where voting machines are sent home with poll workers for days before the election.\n\n@@Just [[ClickHere|Diebold's Security Design]] to read this photo essay sequentially, or use the [[left sidebar|MainMenu]] to navigate.@@\n\n\n\n\n----\nThis Wiki was created by Charlie Strauss at [[Verified Voting New Mexico| http://vvnm.org]] based on material excerpted from an e-mail sent out by Bev Harris at [[http://BlackBoxVoting.org|http://blackboxvoting.org]] with permission for public redistribution and excerpting.\n\nIt's a [[TiddlyWiki|http://tiddlywiki.com]], so feel free to edit it yourself (in Firefox) and redistribute as long as you retain the original attribution to vvnm.org and blackboxvoting.org.

Several observations can be made: \n*This flaw is serious, is not hypothtical, and has been known for over a year.\n*Vendors and voting officials have not rushed to fix this, and instead continue to allow Voting Machine "sleep-overs" in which machines are taken home by individuals prior to elections.\n*While this particular problem might be addressed by new tags and hardening the armoring, this will happen only in hindsight, and reluctanly, by Diebold.\n\nThe last point is perhaps the most telling. These systems do not appear to have been designed with security in mind. And perhaps worse, when the obvious potential for card swaping became clear to the vendor their quicky-fix was a half measure of the metal modesty panel supported on some conveniently placed bolt heads. Indeed the fact that one can still take the lid off with four screws, and access anything and everything, let alone the vital data cartridge, shows how little concern has been placed on security even now. The obstancy of vendors and some public officials to even acknowleging these simple hacks should make any reasonable person wonder about what else might be wrong and certainly to not take assurances of due dilligence on faith. \n\n\n//If the even the most outwardly obvious hardware security is so cavalier, what lurks in the secret software?//\n----\n\n\n\nVisit http://blackboxvoting.org for more info or just to thank Bev Harris for exposing this flaw.\n\n\n\n\n\n

Insert an allen wrench into the left retaining bolt.\n\n[img[http://static.flickr.com/81/232909281_921a7d63c1.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-door-inside-nut.jpg]]\n\ngrab the nut with a pliers to hold it while you take out the bolt.\n\n[img[http://static.flickr.com/87/232909283_0cfb8be69e.jpg?v=0][http://www.blackboxvoting.org/accuvote-remove-memorycard-door.jpg]]\n\nThe next step is to [[Swing Cover Plate]].

![[Intro]]\n![[Diebold's Security Design]]\n![[The Backdoor]]\n![[The Experiment]]\n[[Remove Cover]]\n[[Loosen the left Bolt]]\n[[Swing Cover Plate]]\n[[Pop out memory card]]\n!//[[Lessons Learned]]

Grab it with your fingers and pull.\n\n[img[http://static.flickr.com/92/232907134_42e08c237d.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-out.jpg]]\n\n\n//Notice that the Tag is undamaged by these operations, leaving no tamper evidence we have clear access to the memory card.//\n\nNow you can replace the card with a new one and "seal" it back up. And we're done! \n\nSo what are the [[Lessons Learned]] from this four minute experiment?\n\n----\n\n\n\n

The cover of the Diebold unit is held on by four exposed screws. \n[img[http://static.flickr.com/84/232927169_4eb02da35c.jpg?v=0][http://www.blackboxvoting.org/accuvote-screws.jpg]] [img[http://static.flickr.com/85/232927170_c20631bfbe.jpg?v=0][http://www.blackboxvoting.org/accuvote-unscrew-case.jpg]]\nremove these and the top comes off, revealing the inside... \n[img[http://static.flickr.com/97/232907137_94d040ca3b.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-unfasten.jpg]]\nand, importantly, the nuts that hold the cover plate pivot bolt. Here the allen wrench is already inserted into the bolt.\n\nThe next step is to [[Loosen the left Bolt]].

In 4 minutes and 12 Dollars

Cracking a Diebold

With the bolt pulled free, we can see the cover plate is loose. It's still retained by the post on the right and the tag. \n[img[http://static.flickr.com/98/232907139_64dbc20e59.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-seal-cracked.jpg]]\n\n But remember this is symetric. Just pivot it about the retaining post. \n\n[img[http://static.flickr.com/89/232907133_69d1a2982b.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-opened.jpg]]\n\n\nAnd finally [[Pop out memory card]]

!To recap: \nIn the designed use, the metal flap pivots about a bolt on one end to allow access, and is nominally held in its slot shielding position by a retaining post that is symetrically placed on the opposite end of the plate from the pivot point. \n[img[http://static.flickr.com/80/232907136_d36d072070.jpg?v=0][http://www.blackboxvoting.org/accuvote-memory-card-put-in.jpg]]\n\n!Hmmmm.... Symmetrical....\nSo by symmetry, if the anchor/pivot bolt were removed then one could instead pivot the plate about the retaining post in order to expose the slot. This would leave the tag or lock unmolested, but give clear access to the memory card in the slot.\n\nSo all we have to do is unscrew the pivot bolt. In principle this could be done from the outside of the unit if one worked carefully. Making it slightly tricky is that the bolt is held by a nut on the inside that is not fixed in poition. Thus when you loosen it, the nut will turn freely inside the case and hinder unscrewing it further. You could work around this by lightly prying the bolt with a screwdriver to give outward tension on the bolt as it unscrewed, also taking care to not let the nut drop free inside.\n\nBut that would take two handed dexterity. Diebold apparently wanted to make sure a one-armed person could hack the machine so they provided another methods for removing the bolt. Simply remove the cover of the machine. Now you can hold nut directly with a wrench. Problem solved. (Dr. Kimble Beware.)\n\nWill this work? Let's see [[The Experiment]]

The investigators bought a phillips scredwiver, and allen wrench and pair of pliers at the supermarket. A cresent wrench would have been a better idea, since pliers are not really made for holding nuts, though they get the job done. A slighly more clever person might work through a paper towel to avoid leaving any scratches that, to a foresnsic specialist, might suggest forced entry. Plastic or rubberized tools would also work.\n\nSo the details are:\n*Details\n**[[Remove Cover]]\n**[[Loosen the left Bolt]]\n**[[Swing Cover Plate]]\n**[[Pop out memory card]]\n\n\n\n