By BRIAN PORTER | Rocky Mountain Voice
More than 600 BIOS passwords for voting system components in 63 of the state’s 64 counties were publicly shared in a file on Secretary of State Jena Griswold’s website, a news release email from the Colorado Republican Party reads.
An unnamed state official “discretely removed” the passwords on Thursday, Oct. 24, the release states.
“The passwords were not encrypted or otherwise protected – this means they were available for public consumption,” the Colorado Republican Party’s email reads.
The file may have been posted publicly since August, with the amended file posted Oct. 24.
BIOS passwords allow access for “knowledgeable users to fundamentally manipulate systems and data” and to remove trace evidence of doing so, the Colorado Republican Party email states. Neither county clerks nor commissioners have access to these highly confidential files, they say.
“We hear all the time in Colorado from Secretary Griswold and Gov. Polis that we represent the ‘Gold Standard’ for election integrity, a model for the nation,” Colorado Republican Party Chairman Dave Williams said in a statement in the email. “One can only hope that, by the secretary of state posting our most sensitive passwords online to the world, [this] dispels that myth.”
A bad actor would “still need access either physically or remotely to the systems,” in order for there to be a breech, the email reads, and the Colorado Republican Party indicates it is unclear whether passwords were used while publicly available.
“It’s shocking really. At best, even if the passwords were outdated, it represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office,” Williams said.
The Colorado Republican Party’s email indicates the discovery could have “far-reaching implications, putting the entire Colorado election results for the vast majority of races, including the tabulation for the Presidential race in Colorado, in jeopardy.”
A letter Williams filed with Griswold seeks a 24-hour response to the following:
- “Confirmation that all passwords disclosed have since been changed or were otherwise not current at any point while made public;”
- “Confirmation that all new passwords, their storage, and management meet best practices for password strength and encryption, unlike those publicly disclosed;”
- “Confirmation that all systems are running the current software as necessary for proper certification, as the hidden pages also provided software certification concerns;”
- “If the passwords were current at any point while public, confirmation that, to the best of your knowledge, the election systems have not been accessed physically or remotely by any unauthorized person or persons, including any individuals otherwise authorized to access the systems but not the system BIOS;”
- “Understanding that with BIOS access it may be difficult or impossible to identify if a system has been indeed compromised, provide confirmation or a detailed plan as to how all exposed systems still or will meet the certification requirements of a “trusted build” before any votes are counted by those systems in this election; and”
- “Provide a list of any and all other steps your team has or is taking to address these vulnerabilities, including when any steps still pending will be completed.”
The letter was additionally sent to U.S. Attorney General Merrick Garland, acting U.S. Attorney for the District of Colorado Matt Kirsch, the chairman of the Federal Election Commission, Gov. Polis, Colorado Attorney General Phil Weiser, all county commissioners and county clerks, and Colorado party chairs.
“While some may attempt to characterize this letter as a fringe or partisan issue, we are confident that you understand the critical nature of having released these ‘skeleton key’ passwords to the world,” Williams concludes the letter. “As such, we fully expect that you will gladly and forthrightly provide us with all that we are asking, using the same standard and diligence you are applying in Mesa County and understanding that best practices would be for you to already have those steps completed or in process.”
Read the full statement from the Colorado Republican Party and the letter sent by Williams to Griswold.