Colorado scrambles to change voting-system passwords after accidental leak
BIOS passwords on website
“The goal is to complete the password updates by this evening,” government says.
Colorado Secretary of State Jena Griswold holds press conference with Matt Crane, Executive Director of the Colorado County Clerks Association, at her office in Denver on Thursday, October 24, 2024. Credit: Getty Images | Hyoung Chang
The Colorado Department of State said it accidentally posted a spreadsheet containing “partial passwords” for voting systems. The department said there is no “immediate security threat” because two passwords are needed for each component, but it is trying to complete password changes by the end of today. There were reportedly hundreds of BIOS passwords accessible on the website for over two months before being removed last week.
A government statement issued Tuesday said the agency “is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems. This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted.”
Secretary of State Jena Griswold told Colorado Public Radio that “we do not think there is an immediate security threat to Colorado elections, in part because partial passwords don’t get you anywhere. Two unique passwords are needed for every election equipment component. Physical access is needed. And under Colorado law, voting equipment is stored in secure rooms that require secure ID badges. There’s 24/7 video cameras. There’s restricted access to the secure ballot areas, strict chain of custody, and it’s a felony to access voting equipment without authorization.”
Griswold said her office learned about the spreadsheet upload at the end of last week and “immediately contacted federal partners and then we began our investigation.”
The department’s statement said the two passwords for each component “are kept in separate places and held by different parties” and that the “passwords can only be used with physical in-person access to a voting system.” Additionally, “clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee.”
The department also cited “strict chain of custody requirements that track when a voting systems component has been accessed and by whom,” and it said that each “Colorado voter votes on a paper ballot, which is then audited during the Risk Limiting Audit to verify that ballots were counted according to voter intent.”
Goal is to change all passwords by this evening
Griswold described the upload as an accident and said the mistake was made by a civil servant who no longer works for the department. “Out of an abundance of caution, we have people in the field working to reset passwords and review access logs for affected counties,” she said.
Gov. Jared Polis and Griswold, who are both Democrats, issued a joint update about the password changes today. The Polis administration is providing support “to complete changes to all the impacted passwords and review logs to ensure that no tampering occurred.”
“The Secretary of State will deputize certain state employees, who have cybersecurity and technology expertise and have undergone appropriate background checks and training,” the statement said. “In addition to the Department of State Employees and in coordination with county clerks, these employees will only enter badged areas in pairs to update the passwords for election equipment in counties and will be directly observed by local elections officials from the county clerk’s office. The goal is to complete the password updates by this evening and verify the security of the voting components, which are secured behind locked doors by county clerks.”
Griswold said she is “thankful to the Governor for his support to quickly resolve this unfortunate mistake.” Griswold told Colorado Public Radio that her department has no reason to believe the passwords were posted with malicious intent, but said that “a personnel investigation will be conducted by an outside party to look into the particulars of how this occurred.”
GOP slams Griswold
The Colorado Republican Party criticized Griswold this week after receiving an affidavit from someone who said they accessed the BIOS passwords on the publicly available spreadsheet three times between August 8 and October 23. The file “contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties” before being removed on October 24, the state GOP said.
The affidavit described how to reveal the passwords in the VotingSystemInventory.xlsx file. It said that right-clicking a worksheet tab and selecting “unhide” would reveal “a dialog box where the application user can select from one, several, or all four listed hidden worksheets contained in the file.” Three of these worksheets “appear to list Basic Input Output System (BIOS) passwords” for hundreds of individual voting system components, the affidavit said.
The state GOP accused Griswold of downplaying the security risk, saying that only one password is needed for BIOS access. “BIOS passwords are highly confidential, allowing broad access for knowledgeable users to fundamentally manipulate systems and data and to remove any trace of doing so,” the GOP said. The “passwords were not encrypted or otherwise protected,” the GOP said.
State GOP Chairman Dave Williams said the incident “represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office.” He also claimed the breach could put “the entire Colorado election results for the vast majority of races, including the tabulation for the Presidential race in Colorado, in jeopardy unless all of the machines can meet the standards of a ‘Trusted Build’ before next Tuesday.”
US Rep. Lauren Boebert (R-Colo.) and other Republicans called on Griswold to resign. Griswold said she would stay on the job.
Griswold: “I’m going to keep doing my job”
Republicans in the state House “and Congresswoman Lauren Boebert are the same folks who have spread conspiracies and lies about our election systems over and over and over again,” Griswold told Colorado Public Radio. “Ultimately, a civil servant made a serious mistake and we’re actively working to address it.” Griswold added, “I have faced conspiracy theories from elected Republicans in this state, and I have not been stopped by any of their efforts and I’m going to keep on doing my job.”
Colorado previously had a voting-system breach orchestrated by former county clerk Tina Peters of Mesa County, who was sentenced to nine years in prison in early October. Peters, who promoted former President Donald Trump’s election conspiracy theories, oversaw a leak of voting-system BIOS passwords. Griswold said after the Peters conviction that “Tina Peters willfully compromised her own election equipment trying to prove Trump’s big lie.”
Testimony from the Peters case was cited in the GOP’s criticism of Griswold this week. “In the Tina Peters trial, a senior State official even testified that release of these passwords in a single county represented a grave threat. Here, they have been released for the whole state,” the state GOP said.
The Trump campaign called on Griswold to halt the processing of mail ballots and re-scan all mailed ballots that were already scanned.
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.
Colorado scrambles to change voting-system passwords after accidental leak Read More »
