On Tuesday, the Colorado GOP issued a press release about election system BIOS passwords that were publicly available on the Colorado Secretary of State’s website.
According to a new press release from the Secretary’s Office, “The Colorado Department of State is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems. This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted.”
A public Microsoft Excel spreadsheet, entitled “Voting Systems Inventory - 2024,” was posted on the “Voting Systems” page of coloradosos.gov – the “authoritative source” for “trusted information” about Colorado elections.
According to the sworn affidavit provided by the Colorado GOP, from at least August 8, 2024 through October 24, 2024, the spreadsheet included hidden columns that stored, among other equipment details, the BIOS passwords for at least 600 individual pieces of election equipment across 63 of 64 Colorado counties.
To access these hidden columns, a user needs only to right-click on the worksheet name “Inventory” and select “Unhide.” The user can then choose to display four new worksheets, including a worksheet called “Clean_Formulas.”
The “Clean_Formulas” worksheet included a column for “BIOS Password,” and there were BIOS passwords listed for over 600 devices. There are more than 2,000 devices listed in total. The remaining devices listed did not contain a value in the “BIOS Password” column.
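A hidden worksheet of the kind described above can be caught mechanically before a file is published. The following is an added example, not from the affidavit, the Department or this article: it reads an .xlsx with Python's standard library and reports hidden or "very hidden" sheets and hidden column ranges. The workbook it scans is constructed in code, and the `Scratch` sheet name and the hidden column range are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN}

def audit_xlsx(data: bytes) -> list:
    """Return (sheet, kind, detail) for every hidden sheet or hidden column range."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.iter(f"{{{PKG_REL}}}Relationship")}
        for sheet in wb.iterfind("m:sheets/m:sheet", NS):
            name, state = sheet.get("name"), sheet.get("state", "visible")
            if state != "visible":  # "hidden", or "veryHidden" (not listed by Unhide)
                findings.append((name, "sheet", state))
            target = targets[sheet.get(f"{{{DOC_REL}}}id")]
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(z.read(part))
            for col in ws.iterfind("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    span = f"{col.get('min')}-{col.get('max')}"
                    findings.append((name, "columns", span))
    return findings

def build_sample() -> bytes:
    """Constructed workbook: visible sheet with hidden columns, plus two hidden sheets."""
    sheets = [("Inventory", None, '<cols><col min="5" max="6" hidden="1"/></cols>'),
              ("Clean_Formulas", "hidden", ""),
              ("Scratch", "veryHidden", "")]  # hypothetical sheet name
    wb, rels, buf = "", "", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for i, (name, state, cols) in enumerate(sheets, 1):
            attr = f' state="{state}"' if state else ""
            wb += f'<sheet name="{name}" sheetId="{i}"{attr} r:id="rId{i}"/>'
            rels += f'<Relationship Id="rId{i}" Type="ws" Target="worksheets/sheet{i}.xml"/>'
            z.writestr(f"xl/worksheets/sheet{i}.xml",
                       f'<worksheet xmlns="{MAIN}">{cols}<sheetData/></worksheet>')
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{MAIN}" xmlns:r="{DOC_REL}">'
                                      f'<sheets>{wb}</sheets></workbook>')
        z.writestr("xl/_rels/workbook.xml.rels",
                   f'<Relationships xmlns="{PKG_REL}">{rels}</Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print("BLOCK PUBLICATION:", finding)
```

Any finding should stop the release: hiding a sheet or column changes only how the file is displayed, and the data still ships inside it.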
On October 24, 2024, the spreadsheet was allegedly removed from the Secretary of State’s office, and it has been replaced with an updated version that does not contain hidden worksheets. This file is still available on the website as depicted in the image above.
The Secretary’s press release attempts to assure the public that this breach isn’t an issue, but when similar information was posted online in August 2021, the affected machines were decertified and had to be replaced.
We have many questions. For example, when was the file with the hidden worksheets first posted? How many times was the file downloaded, and by whom? What was the trigger for removing and replacing the file? Who removed and replaced the file? Who put it there in the first place? The Department states that they notified CISA, and that they are “working to remedy this situation.” What is the situation? What remedies?
Clerks we spoke to said they did not receive any communication from the Secretary’s office about a potential password reset. Clerks cannot access the passwords; only a representative of the Secretary’s Office or the vendor has that information. Are passwords updated remotely without the Clerk’s knowledge of such an event taking place? Should remedying the situation occur without the knowledge of the local Clerks? The counties pay for the equipment.
Further, how does this potential breach impact the 2024 election? The contest is underway in all Colorado counties, including the 63 of 64 implicated by this security breach. How can the Secretary assure the public that this doesn’t pose an immediate threat to the public? Do we just need to take her word for it?
How will CO election equipment be assessed – and by whom – to determine whether any unauthorized access or use of BIOS passwords took place?
From a historical standpoint, prior to 2019, county officials controlled access to voting system BIOS passwords. What was the largest breach that occurred under that model, and how does the history of decentralized county control and security compare to the current model where access is centralized in the Secretary’s office?
In Tina Peters’ trial, Jessi Romero testified under oath that election BIOS passwords are confidential and kept under lock and key. At the time he made those statements in court, it appears that BIOS passwords were publicly accessible on the Colorado Secretary of State website – no lock and key required, just a quick right click.
We will continue to monitor this story.