Colorado Secretary of State site showed partial passwords for voting systems
KDVR Fox 31
DENVER (KDVR) — Colorado's Republican party accused the Colorado Secretary of State's Office of "quietly" removing a publicly accessible spreadsheet from the office's website that "contained BIOS passwords for election systems in 63 of the 64 counties in Colorado."
The GOP said in its release that there were over 600 "BIOS" passwords that were not encrypted or protected, and were open to the public for anyone who knew where to look. BIOS, or Basic Input/Output System, is how a computer's operating system knows how to operate.
The Colorado Secretary of State spokesperson told FOX31 that the spreadsheet included "partial passwords to certain components of Colorado voting systems," and said the sheet had been improperly included in a hidden tab of the website. The office said the partial passwords leaked do "not pose an immediate threat to Colorado's elections, nor will it impact how ballots are counted."
"It goes without saying how significant this is," the Colorado GOP wrote to the Secretary of State's Office. "We can only imagine that, since the discovery last week, you and your staff have been working tirelessly to remedy these vulnerabilities."
Secretary of State outlines layers of election security
The Secretary of State's Office told FOX31 that many layers of security are built into Colorado elections, including two unique passwords for "every election equipment component," and said the passwords are kept separately and by different parties.
The office spokesperson also said that passwords can only be used with physical, in-person access to a voting system.
"Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access," the spokesperson said. "That ID badge creates an access log that tracks who enters a secure area and when."
Additional security measures noted by the spokesperson include:
- 24/7 video camera recording of all election equipment
- Requirements for clerks to maintain restricted access to secure ballot areas
- Requirements for clerks to only share access information with background-checked individuals
- Restrictions on secure areas to allow only authorized people in a secure area unless supervised by an authorized and background-checked employee.
"There are also strict chain of custody requirements that track when a voting systems component has been accessed and by whom," the spokesperson told FOX31. "It is a felony to access voting equipment without authorization."
Demands for assurances that Colorado elections are safe
The Secretary of State's Office said that every Colorado voter uses a paper ballot, which is audited during the Risk Limiting Audit to verify that ballots were counted according to the voters' intents. The office also said that it took "immediate action" when it became aware of the password access, and informed the Cybersecurity and Infrastructure Security Agency.
"The Department is working to remedy this situation where necessary," the Secretary of State's Office said in a statement.
The Colorado Republican Party called on the Secretary of State's Office to provide a series of assurances in writing to the GOP and the public, including:
- Confirmation that the passwords have been changed or were not current at any point while publicly accessible
- Confirmation that all new passwords have been properly stored and meet best practices for strength and encryption of the passwords, "unlike those publicly disclosed"
- Confirmation that all systems are running the current software necessary for certifications, as the GOP claims the hidden pages "provided software certification concerns"
- Confirmation that election systems have not been accessed physically or remotely by unauthorized parties if the passwords were current at any point during their publication
The Colorado Republicans also asked for confirmation or a plan regarding how the "exposed systems" will or still meet the certification requirements of a "trusted build," noting that a breach by a party with BIOS access may be difficult or impossible to identify. Trusted builds, according to the Colorado Department of State, have been "confirmed to perform with adequate security measures."
Colorado Republican Party Chairman Dave Williams called the possible exposure of the election systems passwords "shocking."
“We hear all the time in Colorado from Secretary Griswold and Governor Polis that we represent the 'Gold Standard' for election integrity, a model for the nation,” said Dave Williams, Chairman of the Republican Party of Colorado. “One can only hope that by the Secretary of State posting our most sensitive passwords online to the world dispels that myth.”
Votes are already being tabulated in Colorado. Results will be inaccessible until polls close at 7 p.m. on Nov. 5.
Colorado election resources
Every active registered voter in the state will receive a ballot in the mail. Voters can choose to mail in their ballot, return it to a drop box, or vote in person.
- Track the status of your ballot using BallotTrax.
- Register to vote or update your registration at the Colorado Secretary of State’s website.
- Find a polling location or ballot drop box.
Ballots must be received by county clerks' offices by 7 p.m. on Election Day, Nov. 5.