{"id":25061,"date":"2024-11-02T11:25:00","date_gmt":"2024-11-02T17:25:00","guid":{"rendered":"https:\/\/dh.durangoherald.com\/tj\/what-are-colorados-voting-machine-bios-passwords\/"},"modified":"2024-11-02T17:25:00","modified_gmt":"2024-11-02T17:25:00","slug":"what-are-colorados-voting-machine-bios-passwords","status":"publish","type":"post","link":"https:\/\/dh.durangoherald.com\/tj\/what-are-colorados-voting-machine-bios-passwords\/","title":{"rendered":"What are Colorado\u2019s voting machine BIOS passwords?"},"content":{"rendered":"

\"The
The posting of voting machine \u201cBIOS\u201d passwords has led to intense scrutiny and concerns, with the state government flying and driving election staffers to all corners of Colorado to update affected machines. (AP Photo\/John Bazemore, File)<\/span>onset<\/span><\/figcaption><\/figure>\n

Passwords that make up part of the security system for computer equipment used in Colorado elections were published in a spreadsheet on the Secretary of State\u2019s website.<\/p>\n

The posting of the \u201cBIOS\u201d passwords has led to intense scrutiny and concerns, with the state government flying and driving election staffers to all corners of Colorado to update affected machines.<\/p>\n

The Secretary of State\u2019s Office and other experts say the state\u2019s election system remains secure. Secretary of State Jena Griswold has described the passwords as \u201cpartial,\u201d and stressed that voting-system computers are protected by numerous other measures.<\/p>\n

Additionally, BIOS passwords can only be used by people with physical access to the machines, which are kept in secure locations. There is no sign that anyone tried to use the passwords.<\/p>\n

Colorado\u2019s election integrity also is protected by its use of paper ballots, which creates a permanent record against which tabulations can be checked.<\/p>\n

Here\u2019s what we know about the machines and passwords in question, and how they are managed.<\/p>\n

What kinds of machines are affected?<\/div>\n

Colorado voters mark their election choices on paper ballots, which are scanned and counted using digital equipment at the offices of county clerks.<\/p>\n

The affected passwords are for several types of machines at the clerk\u2019s offices. The machines collectively allow county elections offices to scan, tabulate and review ballots and store vote-count data.<\/p>\n

\u201cThey are [for] scanners, which scan the ballots and tabulate the votes; the server, which is kind of the mind of the system; and then the adjudication stations,\u201d said Matt Crane, executive director of the Colorado County Clerks Association, and the former Republican clerk of Arapahoe County.<\/p>\n

Adjudication stations are where bipartisan teams of election judges look over ballots that may be questionably marked. In all, a larger county might have more than a dozen affected machines.<\/p>\n

What can you do with a BIOS password? A lot, if you can reach the computer.<\/div>\n

BIOS stands for Basic Input\/Output System. It\u2019s a type of \u201cfirmware,\u201d or low-level software that controls hardware functions. BIOS allows the computer\u2019s operating system to \u201ccontrol various hardware components such as hard disks, keyboards, and display screens,\u201d according to the computer manufacturer Lenovo.<\/p>\n

In other words, BIOS sits at the heart of the affected computers\u2019 functionality. Accessing a computer\u2019s BIOS could allow you to make significant changes to how it operates, said Chris Nelson, a computer security expert with experience in voting systems.<\/p>\n

For example, election system computers have strict limits on what kinds of devices can be plugged in through USB and other ports. But someone with access to BIOS could remove those restrictions, opening up new avenues for attacking the computer\u2019s security features.<\/p>\n

\u201cYou could boot up onto an operating system that you have on your thumb-drive, and from there you would \u2026 have more unfettered access to the machine,\u201d Nelson said.<\/p>\n

However, there\u2019s one big limit on BIOS passwords: They can\u2019t be used remotely. You have to be there in person to enter it into the computer, according to both Crane and Nelson.<\/p>\n

\u201cYou have to have physical access to the machine, unsupervised physical access to the machine for a length of time,\u201d Nelson said. That\u2019s true of BIOS for computers in general, but especially in the election context. Election machines are not connected to the internet, and instead are operated on freestanding networks that are connected by cables. \u201cSo it\u2019s definitely not anything that I think anyone really needs to worry about.\u201d<\/p>\n

In the strong majority of Colorado counties, voting machines do not even have the hardware to connect to Wi-Fi networks. In the ones where election machines still have Wi-Fi hardware, the components are disabled at the BIOS level, Crane said.<\/p>\n

What\u2019s stopping someone from using a BIOS password?<\/div>\n

While a BIOS password is a powerful tool for a hacker, it\u2019s just one layer of the overall security system that prevents changes to election computer systems.<\/p>\n

Perhaps the most important layer of that system is physical security. Each county clerk\u2019s office is required to control access to its computer systems via locked doors and surveillance cameras. The rules for physical security are set by the state and enforced via audits, Crane said.<\/p>\n

The most dangerous combination is if someone were to somehow bypass physical security systems and know the relevant passwords.<\/p>\n

\u201cIf you have an insider threat who actually has access to the physical components, then having those passwords becomes a hell of a lot more dangerous,\u201d Crane said.<\/p>\n

There is no sign that has happened here, and the Secretary of State has emphasized that her office believes the posting of the passwords was accidental.<\/p>\n

\u201cIf you have unsupervised physical access to a voting machine, then there’s going to be other bigger problems than someone else having the BIOS password,\u201d Nelson said.<\/p>\n

How were the BIOS passwords posted?<\/div>\n

The passwords were listed in a spreadsheet that was posted on the Secretary of State\u2019s website for several months. The passwords were in a hidden tab. But \u201chiding\u201d in this context only means that they were made temporarily invisible in Excel or other spreadsheet software. The information could apparently be unveiled by anyone through basic Excel functions.<\/p>\n

The existence of the hidden tab was first made public by Colorado\u2019s Republican Party. Party officials have not revealed how they became aware of it.<\/p>\n

The Secretary of State\u2019s Office has described the passwords as \u201cpartial,\u201d but has not clarified what that means. There are other passwords required for the election computers \u2013 namely, the passwords to unlock the Windows operating system and to open the election management software, according to Crane. Those passwords are known to local officials.<\/p>\n

However, unlocking the computer at the BIOS level would undermine those security layers, Crane confirmed.<\/p>\n

Why does the Secretary of State\u2019s Office have the BIOS passwords?<\/div>\n

Each county runs its election office \u2013 but the Secretary of State is the only organization that is supposed to have the BIOS passwords for those devices.<\/p>\n

In an interview with CPR News, Secretary of State Jena Griswold said that she herself, as an elected official, does not have access to the passwords, which are instead managed by career civil servants in her office.<\/p>\n

It may seem curious, but it\u2019s a security feature, Crane said. In essence, while local election officials have physical access to the equipment, they\u2019re missing the digital keys that would allow them to make the most impactful changes.<\/p>\n

But the recent breach raises serious questions about how state officials are managing their part of the security equation, Nelson and Crane said.<\/p>\n

In short: Where are these passwords being stored, and how did dozens of them end up in an unprotected spreadsheet?<\/p>\n

\u201cThe fact that clear-text passwords were stored in a spreadsheet, that’s pretty crazy, and obviously you should not do that,\u201d Nelson said. \u201cThere are a myriad of ways to store passwords securely and in some Excel spreadsheet that is also accessible to a web server is pretty nuts. So that’s definitely a huge oversight.\u201d<\/p>\n

To read more stories from Colorado Public Radio, visit www.cpr.org<\/em><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

posting of voting machine \u201cBIOS\u201d passwords has led to intense scrutiny and concerns, with the state government flying and driving election staffers to all corners of Colorado to update affected machines. (AP Photo\/John Bazemore, File)onset Passwords that make up part of the security system for computer equipment used in Colorado elections were published in […]<\/p>\n","protected":false},"author":1,"featured_media":25062,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[],"tags":[120,266,28,265],"naviga_topic":[],"class_list":["post-25061","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-colorado","tag-election","tag-headlines","tag-politics"],"acf":[],"author_name":"dh_admin","_links":{"self":[{"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/posts\/25061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/comments?post=25061"}],"version-history":[{"count":0,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/posts\/25061\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/media\/25062"}],"wp:attachment":[{"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/media?parent=25061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/categories?post=25061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/tags?post=25061"},{"taxonomy":"naviga_topic","embeddable":true,"href":"https:\/\/dh.durangoherald.com\/tj\/wp-json\/wp\/v2\/naviga_topic?post=25061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}