
What are Colorado’s voting machine BIOS passwords?

Passwords that are part of the security system for computer equipment used in Colorado elections have been published in a spreadsheet on the Secretary of State’s website.

The posting of the “BIOS” passwords has sparked intense scrutiny and concerns, with the state government flying and driving election staffers to all corners of Colorado to update the affected machines.

The Secretary of State’s Office and other experts say the state’s election system remains secure. Secretary of State Jena Griswold described the passwords as “partial” and emphasized that voting system computers are protected by numerous other measures.

Additionally, BIOS passwords can only be used by people with physical access to the machines, which are kept in secure locations. There are no signs that anyone has tried to use the passwords.

Colorado’s election integrity is also protected by the use of paper ballots, which creates a permanent record against which the tabulations can be audited.

Here’s what we know about the machines and passwords in question, and how they’re managed.

What types of machines are involved?

Voters in Colorado mark their election choices on paper ballots, which are scanned and counted using digital equipment at county clerks’ offices.

The affected passwords apply to several types of machines housed at county clerks’ offices. Together, the machines let county election offices scan, tabulate and review ballots and store vote-count data.

“They are (front) scanners, which scan the ballots and tabulate the votes; the server, which is kind of the ghost of the system; and then the arbitration offices,” said Matt Crane, executive director of the Colorado County Clerks Association, and the former Republican clerk of Arapahoe County.

Adjudication stations are where bipartisan teams of election judges review ballots whose markings are ambiguous. In total, a larger county may have more than a dozen affected machines.

What can you do with a BIOS password? A lot, if you can reach the computer.

BIOS stands for Basic Input/Output System. It is a type of ‘firmware’ or low-level software that controls hardware functions. BIOS allows the computer’s operating system to “control various hardware components, such as hard drives, keyboards, and displays,” according to computer manufacturer Lenovo.

In other words, the BIOS is the core of the functionality of the affected computers. Accessing a computer’s BIOS allows you to make significant changes to its operation, says Chris Nelson, a computer security expert with experience in voting systems.

For example, election system computers have strict limits on what types of devices can be connected via USB and other ports, and on what the machine is allowed to boot from. Those limits are enforced in part by BIOS settings, so someone who can unlock the BIOS could change them, opening up new ways to attack the computer’s security features.

“You could boot into an operating system that’s on your USB drive, and from there you would have… more unfettered access to the machine,” Nelson said.

However, there is one major limit to BIOS passwords: they cannot be used remotely. You have to be there in person to enter it into the computer, Crane and Nelson said.

“You have to have physical access to the machine, unattended physical access to the machine for a period of time,” Nelson said. This applies to BIOS passwords on computers in general, but especially in the election context: election machines are not connected to the Internet, and instead run on isolated, wired networks. “So it’s definitely not something that I think anyone really needs to worry about.”

In the vast majority of Colorado counties, the voting machines don’t even have the hardware needed to connect to Wi-Fi networks. In the counties where election machines still have Wi-Fi hardware, the components are disabled at the BIOS level, Crane said.

What’s stopping someone from using a BIOS password?

While a BIOS password is a powerful tool for a hacker, it is only one layer of the overall security system that prevents changes to election computer systems.

Perhaps the most important layer of that system is physical security. Each county clerk’s office must control access to its computer systems through locked doors and surveillance cameras. Physical security rules are set by the state and enforced through audits, Crane said.

The most dangerous combination is if someone were to somehow bypass physical security systems and know the relevant passwords.

“If you have an insider threat that actually has access to the physical components, then having those passwords becomes a lot more dangerous,” Crane said.

There is no sign that any of this has happened here, and the Secretary of State has emphasized that her office believes the posting of the passwords was accidental.

“If you have unsupervised physical access to a voting machine, there are going to be other bigger problems than someone else having the BIOS password,” Nelson said.

How were the BIOS passwords posted?

The passwords were listed in a spreadsheet that sat on the Secretary of State’s website for months. They were on a hidden tab, but “hidden” in this context is only a display setting: the tab is not shown by default in Excel or other spreadsheet software, and nothing in the file is encrypted or access-controlled. Anyone with a copy of the spreadsheet can reveal a hidden tab with standard Excel functions, or read it straight from the file.
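To make that concrete, here is an added example (not code from the article, CPR News, or the Secretary of State’s Office) that scans an .xlsx file for hidden worksheets and dumps their contents without opening Excel. An .xlsx is a ZIP archive of XML parts, and a sheet’s visibility is a single `state` attribute in `xl/workbook.xml`. The spreadsheet the example inspects is constructed inline; its tab names and cell values are placeholders invented for the illustration and have nothing to do with the real file.

```python
"""Scan an .xlsx for hidden worksheets and dump them, with no Excel needed.

Added example, not code from the article. An .xlsx is a ZIP archive of XML
parts; sheet visibility is the `state` attribute on each <sheet> element in
xl/workbook.xml. Nothing is encrypted or access-controlled, so a "hidden"
tab is readable by anyone who can download the file.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
WS_REL = NS["r"] + "/worksheet"
CT = "application/vnd.openxmlformats-officedocument.spreadsheetml."


def hidden_sheets(xlsx_bytes):
    """Return [(name, state)] for every sheet flagged hidden or veryHidden."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        return [(s.get("name"), s.get("state"))
                for s in wb.find("m:sheets", NS)
                if s.get("state") in ("hidden", "veryHidden")]


def _shared_strings(z):
    # Excel stores most text in a shared-string table and references it by index.
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(si.itertext()) for si in root.findall("m:si", NS)]


def _cell_text(cell, shared):
    kind = cell.get("t")
    if kind == "inlineStr":                      # text stored inside the cell
        return "".join(cell.itertext()).strip()
    v = cell.find("m:v", NS)
    if v is None:
        return ""
    return shared[int(v.text)] if kind == "s" else v.text  # table index, or number


def sheet_rows(xlsx_bytes, sheet_name):
    """Return the cells of `sheet_name` as a list of rows, hidden or not."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        part_for = {}  # relationship id -> zip member holding that sheet
        for r in rels.findall("rel:Relationship", NS):
            t = r.get("Target")
            part_for[r.get("Id")] = t.lstrip("/") if t.startswith("/") else "xl/" + t
        shared = _shared_strings(z)
        for s in wb.find("m:sheets", NS):
            if s.get("name") != sheet_name:
                continue
            ws = ET.fromstring(z.read(part_for[s.get("{%s}id" % NS["r"])]))
            return [[_cell_text(c, shared) for c in row.findall("m:c", NS)]
                    for row in ws.iter("{%s}row" % NS["m"])]
    raise KeyError("no sheet named %r" % sheet_name)


def build_sample_workbook():
    """Constructed sample: a visible inventory tab plus a hidden tab of
    placeholder credentials. Every name and value here is made up."""
    def ws(rows):
        cells = "".join("<row>" + "".join(
            '<c t="inlineStr"><is><t>%s</t></is></c>' % v for v in r) + "</row>"
            for r in rows)
        return '<worksheet xmlns="%s"><sheetData>%s</sheetData></worksheet>' % (NS["m"], cells)
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/xl/workbook.xml" ContentType="%ssheet.main+xml"/>'
            '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="%sworksheet+xml"/>'
            '<Override PartName="/xl/worksheets/sheet2.xml" ContentType="%sworksheet+xml"/>'
            '</Types>' % (CT, CT, CT),
        "_rels/.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/officeDocument" '
            'Target="xl/workbook.xml"/></Relationships>' % (NS["rel"], NS["r"]),
        "xl/workbook.xml":
            '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
            '<sheet name="Inventory" sheetId="1" r:id="rId1"/>'
            '<sheet name="Passwords" sheetId="2" state="hidden" r:id="rId2"/>'  # the "hidden" tab
            '</sheets></workbook>' % (NS["m"], NS["r"]),
        "xl/_rels/workbook.xml.rels":
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="%s" Target="worksheets/sheet2.xml"/>'
            '</Relationships>' % (NS["rel"], WS_REL, WS_REL),
        "xl/worksheets/sheet1.xml": ws([["County", "Device"], ["Example County", "Scanner 1"]]),
        "xl/worksheets/sheet2.xml": ws([["Device", "BIOS password"], ["Scanner 1", "FAKE-EXAMPLE-1234"]]),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .xlsx path to scan it; with no argument, scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_workbook()
    for name, state in hidden_sheets(data):
        print("hidden sheet %r (state=%s):" % (name, state))
        for row in sheet_rows(data, name):
            print("   ", row)
```

Run the script against any .xlsx before publishing it; a non-empty report from `hidden_sheets` is reason to stop and look. The same logic belongs in a pre-publication check, because a hidden tab survives every normal “save as” and download and only disappears when the sheet is actually deleted.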

The existence of the hidden tab was first made public by the Republican Party of Colorado. Party officials have not revealed how they learned about this.

The Secretary of State’s Office has described the passwords as “partial,” but has not clarified what that means. Other passwords are also required to use the election computers, namely those to unlock the Windows operating system and to open the election management software, Crane said. Those passwords are known to local officials.

However, unlocking the computer at the BIOS level would undermine those layers of security, Crane confirmed.

Why does the Secretary of State’s Office have the BIOS passwords?

Each county runs its own elections office, but the Secretary of State’s Office is the only body that is supposed to hold the BIOS passwords for those devices.

In an interview with CPR News, Secretary of State Jena Griswold said that, as an elected official, she herself does not have access to the passwords, which are instead managed by career staff in her office.

It may seem strange, but it is a security feature, Crane said. While local election officials have physical access to the equipment, they essentially lack the digital keys that would allow them to make the most impactful changes.

But the recent breach raises serious questions about how state officials are handling their part of the security equation, Nelson and Crane said.

In short: where are these passwords stored and how did dozens of them end up in an unsecured spreadsheet?

“The fact that passwords were stored in clear text in a spreadsheet, that’s pretty crazy, and obviously you shouldn’t do that,” Nelson said. “There are countless ways to store passwords securely, and in an Excel spreadsheet that is also accessible to a web server, that’s pretty crazy. So that is certainly a big mistake.”

The breach is causing county clerks to question Griswold’s office’s data practices, Crane said.

“If something like this happened to a county, the secretary of state would come in and be pretty heavy-handed to make sure it never happens again,” Crane said.

Most troubling, he added, is that the Secretary of State’s office was aware of the breach for almost a week, but the clerks heard about it from the Republican Party.

“Something like this happens and… I have to find out from a state political party,” Crane said. “It is simply unthinkable that it happened this way.”

The Office of the Secretary of State did not answer specific questions about its data policy on Thursday, but provided general information and commentary to CPR News.

“We are communicating with the clerks involved. This does not pose an immediate security risk to Colorado’s elections. Out of an abundance of caution, our team has been on site to update passwords,” spokesperson Kailee Stiles wrote.

Bente Birkeland contributed to this article.

Editor’s note: This article was updated on October 31, 2024 at 9:38 PM with comments from the Office of the Secretary of State.