Passwords that make up part of the security system for computer equipment used in Colorado elections were published in a spreadsheet on the Secretary of State’s website.
The posting of the “BIOS” passwords has led to intense scrutiny and concerns, with the state government flying and driving election staffers to all corners of Colorado to update affected machines.
The Secretary of State’s Office and other experts say the state’s election system remains secure. Secretary of State Jena Griswold has described the passwords as “partial,” and stressed that voting-system computers are protected by numerous other measures.
Additionally, BIOS passwords can only be used by people with physical access to the machines, which are kept in secure locations. There is no sign that anyone tried to use the passwords.
Colorado’s election integrity also is protected by its use of paper ballots, which creates a permanent record against which tabulations can be checked.
Here’s what we know about the machines and passwords in question, and how they are managed.
Colorado voters mark their election choices on paper ballots, which are scanned and counted using digital equipment at the offices of county clerks.
The affected passwords are for several types of machines at the clerk’s offices. The machines collectively allow county elections offices to scan, tabulate and review ballots and store vote-count data.
“They are [for] scanners, which scan the ballots and tabulate the votes; the server, which is kind of the mind of the system; and then the adjudication stations,” said Matt Crane, executive director of the Colorado County Clerks Association, and the former Republican clerk of Arapahoe County.
Adjudication stations are where bipartisan teams of election judges look over ballots that may be questionably marked. In all, a larger county might have more than a dozen affected machines.
BIOS stands for Basic Input/Output System. It’s a type of “firmware,” or low-level software that controls hardware functions. BIOS allows the computer’s operating system to “control various hardware components such as hard disks, keyboards, and display screens,” according to the computer manufacturer Lenovo.
In other words, BIOS sits at the heart of the affected computers’ functionality. Accessing a computer’s BIOS could allow you to make significant changes to how it operates, said Chris Nelson, a computer security expert with experience in voting systems.
For example, election system computers have strict limits on what kinds of devices can be plugged in through USB and other ports. But someone with access to BIOS could remove those restrictions, opening up new avenues for attacking the computer’s security features.
“You could boot up onto an operating system that you have on your thumb-drive, and from there you would … have more unfettered access to the machine,” Nelson said.
However, there’s one big limit on BIOS passwords: They can’t be used remotely. You have to be there in person to enter it into the computer, according to both Crane and Nelson.
“You have to have physical access to the machine, unsupervised physical access to the machine for a length of time,” Nelson said. That’s true of BIOS for computers in general, but especially in the election context. Election machines are not connected to the internet, and instead are operated on freestanding networks that are connected by cables. “So it’s definitely not anything that I think anyone really needs to worry about.”
In the strong majority of Colorado counties, voting machines do not even have the hardware to connect to Wi-Fi networks. In the ones where election machines still have Wi-Fi hardware, the components are disabled at the BIOS level, Crane said.
While a BIOS password is a powerful tool for a hacker, it’s just one layer of the overall security system that prevents changes to election computer systems.
Perhaps the most important layer of that system is physical security. Each county clerk’s office is required to control access to its computer systems via locked doors and surveillance cameras. The rules for physical security are set by the state and enforced via audits, Crane said.
The most dangerous combination is if someone were to somehow bypass physical security systems and know the relevant passwords.
“If you have an insider threat who actually has access to the physical components, then having those passwords becomes a hell of a lot more dangerous,” Crane said.
There is no sign that has happened here, and the Secretary of State has emphasized that her office believes the posting of the passwords was accidental.
“If you have unsupervised physical access to a voting machine, then there's going to be other bigger problems than someone else having the BIOS password,” Nelson said.
The passwords were listed in a spreadsheet that was posted on the Secretary of State’s website for several months. The passwords were in a hidden tab. But “hiding” in this context only means that they were made temporarily invisible in Excel or other spreadsheet software. The information could apparently be unveiled by anyone through basic Excel functions.
The existence of the hidden tab was first made public by Colorado’s Republican Party. Party officials have not revealed how they became aware of it.
The Secretary of State’s Office has described the passwords as “partial,” but has not clarified what that means. There are other passwords required for the election computers – namely, the passwords to unlock the Windows operating system and to open the election management software, according to Crane. Those passwords are known to local officials.
However, unlocking the computer at the BIOS level would undermine those security layers, Crane confirmed.
Each county runs its election office – but the Secretary of State is the only organization that is supposed to have the BIOS passwords for those devices.
In an interview with CPR News, Secretary of State Jena Griswold said that she herself, as an elected official, does not have access to the passwords, which are instead managed by career civil servants in her office.
It may seem curious, but it’s a security feature, Crane said. In essence, while local election officials have physical access to the equipment, they’re missing the digital keys that would allow them to make the most impactful changes.
But the recent breach raises serious questions about how state officials are managing their part of the security equation, Nelson and Crane said.
In short: Where are these passwords being stored, and how did dozens of them end up in an unprotected spreadsheet?
“The fact that clear-text passwords were stored in a spreadsheet, that's pretty crazy, and obviously you should not do that,” Nelson said. “There are a myriad of ways to store passwords securely and in some Excel spreadsheet that is also accessible to a web server is pretty nuts. So that's definitely a huge oversight.”
To read more stories from Colorado Public Radio, visit www.cpr.org.