close
close
darbo

What are the Colorado voting machine BIOS passwords?

Posted on by Nargang
What are the Colorado voting machine BIOS passwords?

The passwords that are part of the security system for computer equipment used in Colorado elections have been published in a spreadsheet on the Secretary of State’s website.

The posting of the “BIOS” passwords led to intense scrutiny and concern, with the state government flying and driving election staff to all corners of Colorado to update the affected machines.

The Secretary of State’s office and other experts say the state’s election system remains secure. Secretary of State Jena Griswold described the passwords as “partial” and pointed out that voting computers are protected by numerous other measures.

Additionally, BIOS passwords can only be used by people with physical access to the machines, which are kept in secure locations. There is no sign that anyone tried to use the passwords.

The integrity of Colorado elections is also protected by the use of paper ballots, which creates a permanent record against which tabulations can be verified.

Here’s what we know about the machines and passwords in question and how they’re managed.

What types of cars are affected?

Colorado voters mark their election choices on paper ballots, which are scanned and counted using digital equipment at county clerks’ offices.

The affected passwords are for several types of office devices. The machines collectively allow county election offices to scan, tabulate and review ballots and store vote count data.

“They are (for) scanners, which scan the ballots and tabulate the votes; the server, which is a kind of mind of the system; and then the adjudicator positions,” said Matt Crane, executive director of the Colorado County Clerks Association and former Arapahoe County Republican clerk.

Adjudication stations are where bipartisan teams of election judges review ballots that may be questionably marked. In total, a larger county could have more than a dozen cars affected.

What can you do with a BIOS password? Lots, if you can get to the computer.

BIOS stands for Basic Input/Output System. It is a type of “firmware” or low-level software that controls hardware functions. The BIOS allows the computer’s operating system to “control various hardware components such as hard drives, keyboards, and display screens.” according to computer manufacturer Lenovo.

In other words, the BIOS is at the heart of the functionality of the affected computers. Accessing a computer’s BIOS can allow you to make significant changes to how it operates, said Chris Nelson, a computer security expert with experience in voting systems.

For example, election system computers have strict limits on the types of devices that can be connected via USB and other ports. But someone with access to the BIOS could remove these restrictions, opening new avenues for attacking the computer’s security features.

“You can boot into an operating system that you have on the thumb drive, and from there you would … have more unlimited access to the machine,” Nelson said.

However, there is one big limitation to BIOS passwords: they cannot be used remotely. You have to be there in person to enter it into the computer, according to both Crane and Nelson.

“You have to have physical access to the car, unsupervised physical access to the car for a period of time,” Nelson said. This is also true for computer BIOS in general, but especially in the electoral context. The voting machines are not connected to the Internet, but are operated on independent networks that are connected by cables. “So it’s definitely not something I think anyone needs to worry about.”

In the vast majority of Colorado counties, voting machines don’t even have hardware to connect to Wi-Fi networks. In those election machines that still have Wi-Fi hardware, the components are disabled at the BIOS level, Crane said.

What stops someone from using a BIOS password?

While a BIOS password is a powerful tool for a hacker, it is only one layer of the overall security system that prevents changes to election computer systems.

Perhaps the most important layer of that system is physical security. Each county clerk is required to control access to his computer systems through locked doors and surveillance cameras. Rules for physical security are set by the state and enforced through audits, Crane said.

The most dangerous combination is if someone were to somehow bypass the physical security systems and know the relevant passwords.

“If you have an insider threat that actually has access to the physical components, then having those passwords becomes much more dangerous,” Crane said.

There’s no sign that happened here, and the secretary of state emphasized that her office believes the posting of the passwords was accidental.

“If you have unsupervised physical access to a voting machine, then there are going to be bigger problems than someone else having the BIOS password,” Nelson said.

How were the BIOS passwords posted?

The passwords were listed in a spreadsheet that was posted on the Secretary of State’s website for several months. Passwords were in a hidden tab. But “hiding” in this context just means they’ve been made temporarily invisible in Excel or other spreadsheet software. The information could seemingly be revealed by anyone through basic Excel functions.

The existence of the hidden tab was first made public by the Colorado Republican Party. Party officials did not disclose how they became aware of this.

The Secretary of State’s office described the passwords as “partial,” but did not clarify what that meant. There are other passwords required for election computers — namely, the passwords to unlock the Windows operating system and open the election management software, according to Crane. These passwords are known to local officials.

However, unlocking the computer at the BIOS level would undermine those layers of security, Crane confirmed.

Why does the Secretary of State have the BIOS passwords?

Each county runs its elections office – but the Secretary of State is the only organization that should have the BIOS passwords for those devices.

In an interview with CPR NewsSecretary of State Jena Griswold said she herself, as an elected official, does not have access to the passwords, which are instead handled by career civil servants in her office.

It may seem curious, but it’s a security feature, Crane said. Essentially, while local election officials have physical access to the equipment, they lack the digital keys that would allow them to make the most important changes.

But the recent breach raises serious questions about how state officials are handling their part of the security equation, Nelson and Crane said.

In short: Where are these passwords stored, and how did dozens of them end up in an unprotected spreadsheet?

“The fact that clear-text passwords were stored in a spreadsheet, that’s pretty crazy, and obviously you shouldn’t do that,” Nelson said. “There are a multitude of ways to store passwords securely, and in some Excel spreadsheets that are also accessible to a web server is pretty crazy. So it’s definitely a huge oversight.”

The breach has county officials questioning the data practices of Griswold’s office, Crane said.

“If something like this happened to a county, the secretary of state would come in and be pretty tough (to) make sure it never happens again,” Crane said.

The most upsetting part, he added, is that the secretary of state’s office knew about the breach for almost a weekbut the clerks learned about it from the state Republican Party.

“Something like this is happening and … I need to hear about it from a state political party,” Crane said. “It’s unthinkable that it went the way it did.

Griswold’s office did not respond to an emailed list of questions Thursday afternoon.

Bente Birkeland contributed to the reporting of this article.