By Jen Schumann | Contributor, Rocky Mountain Voice
Election security is key to a constitutional republic by, for, and of the people. Each part of the voting system should be designed to prevent interference.
BIOS passwords are vital to this security. They are the first defense against unauthorized access to a voting machine’s core settings.
Recent concerns have arisen around how the exposure of BIOS passwords might allow bad actors to manipulate voting systems. Cyber security professionals argue this could create risks even without physical access to the machines. It’s important to consider how such exposure could disrupt elections.
The BIOS (Basic Input/Output System) controls a machine’s basic operations. It includes hardware settings and connectivity options.
In voting machines, BIOS passwords prevent unauthorized access. They keep critical settings, like wireless and network connections, disabled unless turned on by authorized users. These passwords are essential. They secure the machine from unauthorized changes and keep it isolated from external networks.
Matt Crane, Executive Director of the Colorado County Clerks Association, clarified the connection between BIOS passwords and Wi-Fi components in election machines. In a 2021 recording shared with Rocky Mountain Voice, Crane stated, “Yes, there are wireless antennas in the devices, but they’re turned off. Only the state has the passwords to the BIOS to where you can get in to turn them on precisely.”
This shows that wireless functions, though present, remain inactive unless intentionally activated by someone with BIOS access. Unauthorized activation could open a network path. It would allow interference without direct contact with the machine.
As previously reported on Rocky Mountain Voice, Heidi Ganahl conducted an audit of the 2022 election in Douglas County. Her finding show purchases, with confirmation from the county clerk’s office, or remote access capabilities in our voting system.
Ganahl’s audit led to the discovery that 12 Colorado counties still have remote Wi-Fi access capabilities in their voting systems.
Each year, hackers at DEF CON’s Voting Village probe election systems. Experts test voting machines for vulnerabilities. Launched in 2017, it offers hands-on access to various voting machines. Its goal is to expose weaknesses and promote better election security practices.
The DEF CON Voting Village participants found serious flaws in election systems. Many stem from BIOS access and security lapses.
The 2019 report found that exposed BIOS passwords could compromise election security.
Default and Weak Passwords: The report found that many voting systems used default or easy-to-guess passwords. This made it easier for unauthorized people to gain access. In some cases, administrative passwords were even publicly accessible through basic internet searches. This weak password management could allow unrestricted BIOS access. It would expose core settings to manipulation.
Network Activation Risks: Voting Village participants found that gaining BIOS access could enable dormant network features, like LAN and wireless connections. Activating network interfaces remotely comes with threat risks. It allows communication with external servers. They could then manipulate voting data or disrupt the system.
System Configuration Manipulation: In the BIOS, attackers can change startup settings. This might let unauthorized software or malware load before the OS, bypassing security protocols. The DEF CON report noted cases where users could insert malware or make unauthorized changes at the BIOS level. This created persistent access points for tampering.
DEF CON Voting Village participants aren’t the only ones who’ve raised concerns about election security.
After news that 63 of Colorado’s 64 counties’ BIOS passwords were accessible online for months, cybertech professionals on Twitter/X have aired their criticism:
@OKCyberGeek: “[Griswold] She’s ignorant and clueless. If I have the BIOS password, I own that machine.”
@jonrose182: “She posted the BIOS passwords??? Software engineer here. That means she posted the password to the root/most foundation part of the machine, making it vulnerable to all sorts of attacks.”
@RBiancoUS: “These [BIOS passwords] are more powerful than a typical password. They give access to the physical hardware like hard drives and devices.”
@ParikhClay: “Here is a video I did about a year ago. You can start at 50-second mark [and] go ’til 6 minutes. What Jena did was post BIOS password. You can easily remove the other password, log in and do WHATEVER you want to.”
The exposure of BIOS passwords raises serious security concerns. Less than a week before Election Day, the Trump campaign has called for urgent actions to be taken by Secretary Griswold.
This moment puts the electoral process on trial, pressing responsible parties to uphold a fair and secure election.
The challenge now for Griswold is to restore credibility in Colorado’s elections by identifying affected counties and directing them to adopt specific measures.