Leaked voting machine BIOS passwords may implicate Q-friendly county clerk

August 11, 2021
Sensitive BIOS passwords leaked by QAnon figure Ron Watkins have been linked to a Colorado County office run by a clerk who promotes “Stop the Steal” messaging.

Last week, Ron Watkins—conspiracy theorist, QAnon enthusiast, and former 8chan site admin—released photocopies of an installation manual for Dominion voting machines. The copied pages gave basic instructions for configuring BIOS passwords (necessary to change some system settings) and iDRAC, a standard network remote control tool (which the manual explicitly requires the administrator to disable).

The next day, Watkins released a video purporting to be from a “whistleblower” exposing Dominion’s “most egregious lie”—that Dominion can remotely administer the machines, he said. He also released several screenshots of Election Management Systems hardware his “whistleblower” had access to.

Although none of Watkins’ screenshots—which will be immediately familiar to anyone who’s ever administered enterprise-grade hardware—are as damning to the voting machines as Watkins would clearly like, they did end up causing problems for one of Watkins’ fellow travelers: county clerk Tina Peters of Mesa County, Colorado, whose office manages the machines in question.

BIOS and iDRAC and NICs, oh my!

The thrust of Watkins’ accusations is that Dominion’s Election Management Systems (EMS) voting machines are connected to the Internet and remotely controllable by Dominion itself. His grainy video, blurry screenshots, and hastily photocopied manual pages attempt to paint a picture of voting machines that are always connected to the Internet and remotely managed by Dominion.

Unfortunately for this narrative, all this leaked media really exposes is a generic set of server hardware, with explicit instructions to keep it off the Internet and lock down its remote management functions. Watkins’ video cuts together footage of Dominion CEO John Poulos telling US senators that the machines aren’t designed for Internet connectivity with footage of the EMS servers’ BIOS setup interface. The BIOS shots include configuration options for iDRAC, a Dell-specific technology for remote control of server hardware.

Curiously, Watkins also includes—although he does not address—Poulos’ statement that Dominion does not have access to the passwords necessary to access these technologies. He also leaves in the part of his “whistleblower” video in which the Dominion employee states, “[We don’t have access to] the BIOS passwords… the state is keeping them.” And he ignores the installation manual’s explicit instructions to disable iDRAC entirely.

Watkins appears intent on convincing less technically savvy viewers that Dominion specifically designed these machines to be remotely managed at all times—a narrative contradicted by Dominion’s own installation procedures and the fact that the state manages BIOS passwords (which someone with physical access to the machine could use to enable iDRAC) as its own secure assets.

There’s a case to be made that voting machines shouldn’t be built from generic server hardware that includes functionality like iDRAC in the first place—but that more-reasonable case does not appear to be the one that Watkins wants to promote.

“A minor slip-up could potentially dox the whistleblower”

Watkins littered his Telegram with surreptitiously taken photos of EMS server screens—including one of a bootable Acronis partition manager showing the device’s drive layout. He captioned the image: “Individual frames need to be redacted very carefully. A minor slip-up could potentially dox the whistleblower.” (That screenshot redacts the volume name of a portable SSD connected to the EMS machine.)

Unfortunately, Watkins seems longer on advice than practice—another photo, which came with the caption “our whistleblower risked his life / his livelihood / his everything,” shows a spreadsheet of BIOS passwords for a small collection of computers, including EMS server and client systems.

It seems likely that Watkins intended the spreadsheet photo to scare his audience into either believing that anyone at all could access the EMS systems or that Dominion itself could. Instead, the photo constituted Watkins’ most serious own goal. The passwords he exposed are managed at the state level, and when the state of Colorado got wind of the leaked photo, it identified the passwords as belonging to systems managed by its own Mesa County.

Colorado secretary of state has joined the chat

In response to the leaked BIOS passwords, Colorado Secretary of State Jena Griswold issued an executive order—as reported by the Grand Junction Daily Sentinel—requiring the Mesa County Clerk and Recorder’s office to supply surveillance videos and documents showing how and to whom the BIOS passwords were leaked.

This is an order with real teeth—the BIOS passwords are protected by policy and should only be available to a few state and county election workers who have passed background checks. If Mesa County Clerk Tina Peters can’t demonstrate a proper chain of custody for how the leaked information was maintained, the county’s election systems could be decertified, resulting in an expensive, mandatory refit of the machines involved—all on the county’s dime.

Pro-Trump, anti-Biden, anti-vax

Although there’s no evidence directly implicating Peters in the leak, she makes a tempting suspect—during the 2021 Capitol insurrection, Peters blasted Twitter with a series of now-deleted tweets claiming that the 2020 presidential election was fraudulent and that she herself, as a county election administrator, had special inside knowledge about how to falsify an election.

In another since-deleted tweet, Peters makes a baseless statement that “the vaccines are troubling in the mechanics in the RNA.” In a better world, COVID vaccine fearmongering wouldn’t be related to election-machine security—but in this world, it places Peters further in Watkins’ sphere of intertwined conspiracy theories.

Pat Poblete of the Colorado Springs Gazette reports that Peters isn’t responding to Secretary of State Griswold’s order to turn over equipment, surveillance footage, and documents. Instead, Peters flew to South Dakota, where she addressed a so-called “Cyber Symposium” hosted by election conspiracy theory enthusiast and MyPillow CEO Mike Lindell.

In Peters’ absence, Griswold obtained a search warrant and sent a team to the Mesa County Clerk’s Office. On stage at Lindell’s symposium, Peters said Griswold “invade[d] my elections department today,” complaining that “we don’t know what they were doing in there” because her chief deputy clerk was not allowed to observe the search. Griswold’s own press release states that her office’s inspection team was “accompanied at all times by officials from Mesa County.”

Peters denied any personal involvement in the security breach during her remarks Tuesday night, and she hinted that she plans to release more information on Mesa County voting systems at Lindell’s symposium on Thursday.