Tampering with voting equipment

Lever voting machine (Wikimedia)

Tina Peters used to be the clerk in Mesa County, Colorado. In 2021, in the wake of conspiracy theories around the 2020 election, she was involved in tampering with voting equipment, and she's currently serving a jail sentence over her actions. There's politics around this – President Trump has been advocating for her to be pardoned, and Governor Polis just commuted her sentence (NYT, VoteBeat).

Check out the companion podcast episode.

In this piece, we focus on what Tina Peters actually did and on how that may have affected the security of elections in Mesa County: just technology and facts. We leave the debate on appropriate punishment to others.

Elections in Colorado

In Colorado, 94% of voters vote by mail, roughly the same for Republicans and Democrats. On a paper ballot, voters fill out bubbles next to names of candidates they choose.

A Colorado 2020 ballot, as per CPR News.

Voters then send their ballots in purpose-designed envelopes, with their signature on the envelope itself.

a Colorado vote-by-mail envelope, as per The Coloradoan

Once the county receives a ballot, the voter record and signature are checked against the voter registration database. Each registered voter gets to cast only one ballot, of course, and if the signature is not a close-enough match, a follow-up “cure” process is used to confirm the voter's identity.

Once that voter identity verification is done, the paper ballots are separated from their envelopes to preserve ballot secrecy. The ballots are then scanned by batch tabulators. Typically, these are standard large document scanners that scan ballots at high speed, paired with specialized laptops provided by the voting system vendor to interpret and tabulate those ballots.

A batch tabulator, broadly: the scanner together with its specialized computer and software, as per Verified Voting.

Finally, results from multiple high speed tabulators are aggregated, usually via USB drives, at the county election management server. The election management server is another laptop running specialized software. None of these laptops are ever connected to the Internet.

Software updates and trusted builds

Voting systems, like all software-based systems, occasionally need updates. But of course, the software that runs on these machines should be tightly controlled: it should always be software approved by an accredited testing lab, and only individuals authorized by the appropriate authorities should be allowed to perform these updates.

Now, how are election administrators supposed to know that they're installing the correct software? The federal certification process for voting systems has thought of that. An accredited testing lab performs a build of the software where they verify the integrity of all third-party source code, as well as the source code from the voting system vendor. The lab ensures that the very source code they reviewed is the one that makes it into this "trusted build".

In Colorado, the term "trusted build" has come to also encompass the process by which this trusted-build software is installed on voting machines by authorized individuals. When a software update is authorized by state and county officials, a copy of the Trusted Build software is obtained directly from the testing lab, and a team composed of vendor representatives and election administrators performs the software update on every relevant piece of equipment.
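The question of how an administrator knows the software on the update media is the lab's trusted build comes down to an integrity check before anything is installed. The following is an added example, not the vendor's, the testing lab's or Colorado's tooling: it assumes the lab publishes a manifest of `sha256  relative/path` lines for every file in the build, and that the installer refuses to proceed on any mismatched, missing or unexpected file. The package contents are constructed sample data.

```python
"""Verify update media against a trusted-build hash manifest before installation.

Added illustration; not the vendor's, the testing lab's or Colorado's tooling.
Assumed manifest format: one "sha256hex  relative/path" line per file, as the
lab would publish alongside the build.
"""
import hashlib
from pathlib import Path

# Constructed sample package as it would sit on the update media (not real files).
SAMPLE_PACKAGE = {
    "ems/tabulate.bin": b"\x7fELF...constructed stand-in for the tabulation binary...",
    "ems/config.ini": b"[tabulation]\nmode=batch\n",
    "ems/README.txt": b"Trusted build 2021.08 (constructed sample)\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_tree(root: Path) -> dict[str, bytes]:
    """Load a real directory into the same {relative path: bytes} form used below."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(files: dict[str, bytes]) -> str:
    """Produce the manifest text the lab would publish for a given build."""
    return "".join(f"{sha256_hex(content)}  {path}\n"
                   for path, content in sorted(files.items()))


def parse_manifest(text: str) -> dict[str, str]:
    """Parse manifest lines into {path: expected digest}; reject malformed lines loudly."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 64 or not path:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        expected[path] = digest.lower()
    return expected


def verify_package(files: dict[str, bytes], manifest_text: str) -> dict[str, list[str]]:
    """Return findings by category; installation may proceed only if every list is empty."""
    expected = parse_manifest(manifest_text)
    findings = {"mismatched": [], "missing": [], "unexpected": []}
    for path, digest in expected.items():
        if path not in files:
            findings["missing"].append(path)
        elif sha256_hex(files[path]) != digest:
            findings["mismatched"].append(path)
    for path in files:
        if path not in expected:  # a file the lab never built, e.g. dropped in later
            findings["unexpected"].append(path)
    return findings


def package_is_trusted(files: dict[str, bytes], manifest_text: str) -> bool:
    return not any(verify_package(files, manifest_text).values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_PACKAGE)
    print("clean media:", verify_package(SAMPLE_PACKAGE, manifest))
    tampered = dict(SAMPLE_PACKAGE)
    tampered["ems/tabulate.bin"] = b"\x7fELF...a different binary..."
    tampered["ems/extra.dll"] = b"not part of the trusted build"
    del tampered["ems/README.txt"]
    print("tampered media:", verify_package(tampered, manifest))
```

The check is only as good as the channel the manifest arrives through: it must come from the lab independently of the media being verified, otherwise whoever altered the media can alter the manifest to match.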

A BIOS password setup screen

Different vendors implement different methods of ensuring that only authorized software is installed. In the case of Mesa County, Colorado, one of the vendor's protection mechanisms was the BIOS password. The BIOS (Basic Input Output System) is a standard component of many computers that controls basic functions of the system, for example, which device the system is allowed to boot from: the internal hard drive, an external USB drive, etc. The BIOS can also control which software is allowed to boot at all, for example using Secure Boot, a technique that verifies a digital signature on software before it is allowed to boot. The BIOS also controls additional key properties of the system, including whether it can connect to the Internet or not.

As one would expect, access to the BIOS is protected, in this case by a password, to ensure that only authorized individuals can modify these parameters. In the case of Mesa County's voting system, the BIOS password was required to perform a software update, likely to allow booting from the external USB drive that carries the software update.

What Tina Peters did

In 2021, Tina Peters gave an unauthorized individual inappropriate access to voting equipment: (1) during the trusted build software installation process performed by state officials and vendor representatives, (2) before that trusted build process, to create a copy of the election management system laptop's hard drive, and (3) after the trusted build process, to create a second copy of that same hard drive. This improper access was further facilitated by Tina Peters explicitly ordering that security surveillance cameras be turned off during the individual's visits.

The hard drive copies, often called images, included at least the binary code for the vendor's software before and after the trusted build update, as well as potentially some credentials for accessing that laptop and possibly other components of the voting system.

Because this individual witnessed the trusted build process, they were able to see and copy the BIOS password for that laptop. With that password in hand, they were able to alter critical protections on that laptop, including its internet connectivity block.

Later, this inappropriately authorized individual shared those disk images and the BIOS password with others, who eventually published them online. It should now be assumed that just about anybody who wanted a copy of the laptop's hard drive was able to get one.

Potential Damage

Had this situation not been noticed by the vendor and the state, what could have been the damage?

With access to the BIOS password, which is changed rarely, it is likely that an attacker could have replaced the software on the election management system laptop and made it behave in any way they chose. That could easily have included improperly adding up the tallies from the various batch tabulators.

With access to the hard drive disk image, a capable attacker can analyze the vendor's software and potentially find flaws to later exploit. Depending on the vendor's practices in performing third-party audits and penetration testing of their system, this disk-image access by a capable attacker could reveal flaws that could then be utilized on Mesa County's voting system, as well as on other voting systems by the same vendor in other counties and in other states.

(As a side note, this is one key reason why open-source software is a good idea in voting systems – building software in the open, with the assumption that the attacker has access to the source code, inherently forces more security testing and builds more resilience against attacks.)

Thankfully, this intrusion was detected when BIOS passwords and disk images were posted on the Internet. State officials and the vendor worked together to change any revealed BIOS passwords, as well as to replace the physical equipment that had been accessed in case further unknown tampering had occurred.

The replacement of BIOS passwords and of the equipment quickly shut the door to any attacker's ability to install unauthorized software on that equipment. However, the revealed hard drive contents cannot be undone. Hopefully, the vendor is continuing to test and patch and secure their software, as they should be doing regardless. Still, this operation may have weakened other deployments of this same equipment.

Defense in Depth and Software Independence

We can clearly say that Tina Peters put Mesa County elections at serious risk, and that Mesa County elections are likely still safe and secure. How is it possible to make both of these statements simultaneously?

The key is defense in depth, a well-developed concept in system security. An attacker must break through multiple layers of defense to actually corrupt the outcome. Tina Peters' actions significantly eroded the protections provided by some, but not all, layers of a voting system's defense strategy. The physical access layer and the BIOS password layer were both compromised. However, additional procedural layers of protection remain: a corrupted election management system will be noticed when the totals it reports do not match the sum of the individual tallies generated by the batch tabulators.
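The procedural layer just described is a reconciliation: the tabulator exports are re-added independently of the election management system and compared with what it reports. The following is an added example, not the vendor's software or Colorado's canvass procedure. It assumes each batch tabulator exports one record per batch with the ballots scanned and a per-contest tally, and that the EMS reports one aggregate per contest; the batch data and the EMS reports are constructed samples, not Mesa County results.

```python
"""Reconcile an election management system aggregate against batch tabulator exports.

Added illustration; not the vendor's software or Colorado's canvass procedure.
Assumed export shape: one record per batch, with ballots scanned and, for each
contest, a tally per choice (including undervotes so the tally sums to the
ballots scanned).
"""
from collections import defaultdict

# Constructed sample exports from two batch tabulators (not real Mesa County data).
TABULATOR_BATCHES = [
    {"tabulator": "T1", "batch": "T1-001", "ballots": 500,
     "contests": {"County Commissioner": {"Alpha": 290, "Beta": 200, "undervote": 10}}},
    {"tabulator": "T1", "batch": "T1-002", "ballots": 480,
     "contests": {"County Commissioner": {"Alpha": 250, "Beta": 220, "undervote": 10}}},
    {"tabulator": "T2", "batch": "T2-001", "ballots": 520,
     "contests": {"County Commissioner": {"Alpha": 300, "Beta": 210, "undervote": 10}}},
]

# Constructed EMS reports: one honest, one where the aggregate was altered.
HONEST_EMS_REPORT = {"ballots": 1500,
                     "contests": {"County Commissioner": {"Alpha": 840, "Beta": 630, "undervote": 30}}}
ALTERED_EMS_REPORT = {"ballots": 1500,
                      "contests": {"County Commissioner": {"Alpha": 830, "Beta": 640, "undervote": 30}}}


def check_batch_internal(batch) -> list[str]:
    """Within one batch, every contest's choices must add up to the ballots scanned."""
    problems = []
    for contest, tally in batch["contests"].items():
        total = sum(tally.values())
        if total != batch["ballots"]:
            problems.append(f"{batch['batch']}: {contest} tallies sum to {total}, "
                            f"but {batch['ballots']} ballots were scanned")
    return problems


def sum_batches(batches):
    """Independently re-add the exports: ({contest: {choice: votes}}, ballots cast)."""
    totals = defaultdict(lambda: defaultdict(int))
    ballots = 0
    seen = set()
    for b in batches:
        if b["batch"] in seen:  # the same batch loaded twice would inflate the sum
            raise ValueError(f"duplicate batch export {b['batch']}")
        seen.add(b["batch"])
        ballots += b["ballots"]
        for contest, tally in b["contests"].items():
            for choice, n in tally.items():
                totals[contest][choice] += n
    return {c: dict(t) for c, t in totals.items()}, ballots


def reconcile(batches, ems_report) -> list[str]:
    """Compare the EMS aggregate with the batch sum; an empty list means everything matches."""
    findings = []
    for b in batches:
        findings.extend(check_batch_internal(b))
    expected, expected_ballots = sum_batches(batches)
    if ems_report["ballots"] != expected_ballots:
        findings.append(f"ballots cast: EMS reports {ems_report['ballots']}, "
                        f"batches sum to {expected_ballots}")
    for contest, tally in expected.items():
        reported = ems_report["contests"].get(contest)
        if reported is None:
            findings.append(f"{contest}: missing from EMS report")
            continue
        for choice, n in tally.items():
            if reported.get(choice) != n:
                findings.append(f"{contest}/{choice}: EMS reports {reported.get(choice)}, "
                                f"batches sum to {n}")
    for contest in ems_report["contests"]:
        if contest not in expected:
            findings.append(f"{contest}: in EMS report but in no batch export")
    return findings


if __name__ == "__main__":
    print("honest report:", reconcile(TABULATOR_BATCHES, HONEST_EMS_REPORT))
    print("altered report:", reconcile(TABULATOR_BATCHES, ALTERED_EMS_REPORT))
```

The check only has teeth if the batch exports come from the tabulators' own printed or signed batch reports rather than from the EMS being checked; a comparison against data that passed through the suspect system proves nothing.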

Of course, the final layer of defense is that votes are cast on paper ballots. You can mess with as much of the software and hardware as you want: as long as you can audit the results from the paper ballots, elections remain safe. This is known as software independence: with paper ballots, there is always a way to recover the true tally of votes without depending on software.

Don't discount disruption

That said, one aspect of elections that Software Independence doesn't cover is the potential for disruption when some of the layers of defense are attacked. Yes, we can recover the true result by recounting the paper. And yes, even without full hand recounts, we can detect tabulation issues by running post-election statistical audits on the paper ballots.

But imagine what happens if those audits and recounts determine that there was a flaw in the voting equipment, especially because of tampering. The damage to public trust would still be tremendous, because election success depends both on truth and perception.
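The post-election statistical audits mentioned above are the mechanism by which paper ballots catch a tabulation problem without a full hand count. As an added example that goes beyond the text's one-sentence mention, here is one such audit for a two-candidate contest: the BRAVO ballot-polling risk-limiting audit of Lindeman, Stark and Yates (2012). This is not Colorado's audit procedure or any vendor's code; it assumes the reported vote totals are known and that ballots drawn at random from the paper are read by hand and fed in one at a time. The contest totals and the sample sequences are constructed.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

Added illustration of one kind of post-election statistical audit; not
Colorado's procedure or any vendor's code. Test statistic per Lindeman,
Stark and Yates (2012). Assumed inputs: reported totals per candidate and
the hand-read votes on randomly drawn paper ballots.
"""
import math
import random

# Constructed reported totals for a contest (not real results).
REPORTED = {"Alpha": 900, "Beta": 600}


def _top_two(reported):
    (w, wv), (l, lv) = sorted(reported.items(), key=lambda kv: -kv[1])[:2]
    return w, wv, l, lv


def bravo_audit(reported, sampled_votes, risk_limit: float = 0.05):
    """Walk through sampled ballots; return (decision, ballots examined, final statistic).

    The reported winner's share s_w of winner+loser votes is the alternative
    hypothesis; the null is a tie (share 0.5). A ballot for the winner
    multiplies the statistic by s_w/0.5, one for the loser by (1-s_w)/0.5, and
    any other ballot leaves it unchanged. Reaching 1/risk_limit confirms the
    reported outcome at that risk limit; running out of sample does not.
    """
    winner, w_votes, loser, l_votes = _top_two(reported)
    if w_votes == l_votes:
        return "tie reported: full hand count required", 0, 1.0
    s_w = w_votes / (w_votes + l_votes)
    threshold = 1.0 / risk_limit
    t, examined = 1.0, 0
    for vote in sampled_votes:
        examined += 1
        if vote == winner:
            t *= s_w / 0.5
        elif vote == loser:
            t *= (1 - s_w) / 0.5
        if t >= threshold:
            return "reported outcome confirmed", examined, t
    return "not confirmed: enlarge the sample or hand count", examined, t


def min_confirming_sample(reported, risk_limit: float = 0.05) -> int:
    """Best case: consecutive winner ballots needed to reach the threshold."""
    _, w_votes, _, l_votes = _top_two(reported)
    s_w = w_votes / (w_votes + l_votes)
    return math.ceil(math.log(1 / risk_limit) / math.log(s_w / 0.5))


def draw_sample(reported, n: int, seed: int):
    """Constructed stand-in for pulling n random paper ballots that match the reported totals."""
    rng = random.Random(seed)
    population = [c for c, v in reported.items() for _ in range(v)]
    return rng.sample(population, n)


if __name__ == "__main__":
    print("best case sample size:", min_confirming_sample(REPORTED))
    print(bravo_audit(REPORTED, draw_sample(REPORTED, 200, seed=1)))
    # If the paper disagrees with the reported totals, the statistic shrinks instead of growing.
    print(bravo_audit(REPORTED, ["Beta"] * 40))
```

The point the audit makes in practice: a software or hardware tampering that changed the outcome cannot be hidden from this test, because the statistic is driven by what is printed on the paper, not by anything the tabulators or the election management system reported.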

A serious and deliberate attack on election integrity

Putting aside the question of appropriate punishment and politics, it is clearly a fact that Tina Peters' actions constituted a very serious and deliberate attack on election integrity. Whatever the motivation, giving an unauthorized individual physical access to the voting equipment as well as access passwords is an act of enormous consequence and potential impact. Yes, the voting system remained secure in Mesa County, but that is a testament to the multi-layered security of American voting systems, not a reason to discount the transgression.