Saved By The Bell? Insecure Student Devices Must Be Addressed
August 14, 2020 • RBS
UPDATE 9/4/2020: We have published a curated collection of valuable (and free) resources for school districts, teachers and parents to tackle the cyber security issues raised by this post. See: Cyber Security Resources for Virtual Schooling.
In March, the 2019-20 school year ended abruptly for many school districts due to COVID-19. Teachers and parents tried to pivot, conducting virtual classes in order to make the best of a very bad situation. Unfortunately, for many schools it turned out to be quite a struggle just to figure out what technology to use. Even the choice of which video conferencing platform to use quickly led to frustration for teachers and parents as they were forced to deal with security issues such as Zoombombing.
Now, a new recipe for a cyber security disaster is brewing and may be served up to our children in the next couple of weeks. Across the nation, students, parents, and educators are preparing for another school year unlike any we’ve seen before. Some districts are opening their doors to welcome students back, while many others will be relying on remote learning.
While schools have worked hard to overcome the challenges of remote learning, there is a lurking issue that has received little attention: how to secure the millions of laptops, Chromebooks, and iPads that were previously distributed, or recently provided to children, to support the remote learning process. The 2020-21 school year may usher in a flood of vulnerable devices that could potentially compromise home and school networks alike.
No More Pencils and No More Books (For Now)
Faced with limited options for in-person schooling, many districts have opted to provide their students with devices in order to meet their educational needs. Chromebooks and tablets are popular choices for elementary school children, with more powerful Windows or Apple laptops being put in the hands of many secondary and high school students.
For students who previously had a Windows laptop provisioned, many school districts partnered with IT vendors to reconfigure the laptops to support the new year. This primarily included enabling webcams (previously turned off for privacy concerns) in order to optimize engagement and remote learning for students and teachers in 2020-21.
User ≠ Administrator
When schools “give” a device to a student it is typically loaned equipment, managed to some extent by the school (either directly or via a vendor) that provided the hardware. For Windows laptops, it usually means that administrator rights are removed from the device before it’s handed over to the student. That’s an important security control to have in place. It doesn’t take much imagination to see that it is not a good idea to grant students admin rights on any computer owned by the school and connected to the school network. However, when administrative rights are removed, this means that only school IT staff can install new software, which is a good thing, but it also means only the school IT staff or their vendor can install critical security updates.
When laptops and devices are managed this way at schools (or corporations for that matter), they only check to see if there are any updates required when connecting directly to the school network (or via a VPN). If there are security updates available, those patches will be pushed to the laptop for installation and then a reboot occurs to ensure they are applied.
Considering students have not been physically in schools since March, they have not been able to connect their laptops to the school’s network. As a result, there is a high likelihood that the laptops have not been patched for security issues in months. The end result: over the next few weeks thousands of student devices vulnerable to attack could be coming back online, connecting to home and school networks with no simple options for pushing critical patches.
While this issue may not apply to all school districts across the nation, many educators may not be aware that they are potentially facing the daunting task of patching student machines that may be woefully behind on critical security updates.
Student Laptop Technical Review
Risk Based Security recently conducted a preliminary technical risk assessment on a secondary school distributed Windows laptop from the 2019-20 school year. Immediately after boot up it was determined that Windows security patches have not been applied since February 2020.
Our suspicions on how the Windows laptop was being managed were further confirmed when we tried to manually update the laptop. Automatic updates are turned off, and it is not possible for students or parents to force the laptop to update.
Further analysis showed that other software such as Java, Adobe Reader, Adobe Flash and Adobe Shockwave Player (yes, for security professionals, you read that right: an end of life product, with a very poor security track record is installed) were also running out-of-date versions with known vulnerabilities. Even though February seems like yesterday, there have been close to 900 new vulnerabilities involving Microsoft products alone. Two recent vulnerabilities are especially concerning as they are being actively exploited by malicious actors. Another patch, confirmed missing from the reviewed laptop, fixed a security flaw that allowed attackers to gain a backdoor into the system even after the machine is updated. These three vulnerabilities alone can lead to a full compromise of a Microsoft Windows system, and one is wormable, meaning that it can easily spread.
When we saw the lack of up-to-date security patches, we were immediately concerned – especially when discovering that updating the laptop manually was not an option. This means that parents and students have to rely on the school districts to ensure that these devices are properly maintained.
What Could Go Wrong?
In a word, plenty. If your child’s school device becomes compromised by a “hacker”, there are a multitude of potentially damaging outcomes such as:
- A hacker could potentially access the student laptop and then use the device’s webcam to spy on your child and family. With many families repurposing bedrooms as makeshift learning environments this becomes even more concerning.
- Malware designed to steal computing resources, like cryptocurrency miners, could degrade performance to the point where the laptop could no longer function effectively.
- A compromised student device could be used as a launching pad to get into other family computers or sensitive data.
- Taking that a step further, the compromised student device could potentially provide an avenue for attackers to gain access to corporate machines connected to the same home network for work-from-home situations.
- With so many vulnerable student devices across the country, it could lead to a very large botnet used to conduct denial of service activities.
And the potential issues don’t end there…
Where Do We Go From Here?
In defense of school districts, very few organizations were planning for the long term effects of this global pandemic. So it makes sense that a routine patching strategy for remotely located devices isn’t fully in place. Many heavily-funded corporations with substantial Information Security and IT staff have struggled with managing so many remote machines so quickly. Unfortunately, based on the school laptop review, it seems that the patching strategy prior to the end of the 2019-20 school year left room for improvement. Although cyber security issues such as vulnerability and patch management are understandably challenging for school districts, this is a highly concerning and unacceptable situation for our children and for the networks they could ultimately expose to exploitation.
It’s no secret that children will use their laptops for non-school related activities. If your child’s device is anything like the laptop we examined, that device has little chance of fending off recent attacks currently in circulation. Without the proper updates and patching, that device is essentially a wide open door to your home network. You can hope that no one notices, but if someone wants to walk through it, they can.
Hackers will target anything that they believe to be vulnerable, especially so if there is a chance they can turn a profit from it. Back in April 2020, a data breach involving 25 California school districts was reported, where attackers stole student usernames, email addresses, names, and home addresses. If an attacker cannot sell the data, they may simply release the data on the dark web for free, or possibly leverage access to the school network to launch a crippling ransomware attack like the recent incident at Athens ISD.
At Risk Based Security we take coordinated disclosure of security issues very seriously. We spent a great deal of time debating the best way to handle the disclosure of the laptop situation outlined above. We contacted the school district that issued the reviewed laptop and provided details of our findings. We even offered to assist with addressing the situation. Considering that many schools are starting the new 2020-21 school year, we have made the decision to publish this research with the hope of raising awareness for school districts and parents. Time is very short for affected districts to make the necessary updates, especially so if laptops need to be brought on-site, or have fixes coordinated with outside vendors. It’s no easy task, and it will likely take a considerable effort to implement.
What School Districts Can Do
There will likely be tens of millions of school-provided devices being used by students across the country this year. From our limited research so far there is a mix of school-issued laptops, consisting of Google Chromebooks as well as traditional Apple and Windows devices. If the Windows laptops are anything like those we have already come in contact with, there is work that needs to be done.
We recommend school administrators consider the following as a starting point:
- Determine your school’s cyber security risks and create a security improvement plan
- It is important to specifically ask your IT staff or vendor about the issues outlined in this post. Consider asking questions like “how are we ensuring the laptops we’ve provided are safe for students,” and “what is the process for maintaining the security of these devices throughout the year?” It is important to carry the conversation further and ask about other potential security risks facing the school.
- Patching catchup and on-going remote strategy implementation
- For starters, school provided devices must have the latest security updates applied – especially so for laptops running Microsoft Windows. Older machines need to be updated, and a plan needs to be in place for new devices that are being deployed.
- The traditional “managed” approach most likely won’t work if the Windows or Apple laptops need to be directly connected to the internal school network to update.
- Secure web browser
- The majority of remote learning applications rely on using a web browser for access, so ensuring browser security is a critical first step.
- For Windows laptops we recommend using Google Chrome or Microsoft Edge (the Chromium version). We do not recommend using the older Microsoft Edge (the EdgeHTML version) or legacy Internet Explorer.
- Secure configuration (also called security hardening) is important as well as proper web filtering.
- Ensure Virus and Threat protection is enabled.
- Antivirus or Endpoint protection is very important and should be implemented on all devices (and yes, this means Apple products too).
- Chromebooks have it built-in. Microsoft ships Windows with Virus and Threat protection (previously called Defender).
- It is even more important to ensure that whatever solution is in place for your particular device is current, and is configured to update new protection signatures regularly.
- Provide cyber security awareness training for students
- The first week back will no doubt be a challenge, and just getting the new technology to work is top priority.
- We recommend that training be provided, and made mandatory for all students, to ensure they understand the issues they may face in the 2020-21 year.
- Consider cyber insurance
- Data breaches can be expensive, and liability for insecure devices is highly debated. Solid cyber insurance can substantially reduce the financial pain of an incident.
- Shopping around and consulting with a specialist can help ensure you get good coverage at a fair price.
What You Can Do As a Parent
For starters, as parents we need to remain calm, but in the case of cyber security we must always be vigilant. The main issue with unpatched Windows laptops may not even apply to your children’s school district. However, cyber security, and what is described as good cyber hygiene, should be a focus for the entire 2020-21 school year. Without it, remote learning can be quickly derailed.
We recommend parents consider the following as a starting point:
- Don’t wait, review your children’s laptops and devices as soon as possible
- Make sure that it has been recently updated with the latest security measures. Here are some links with the steps to do this for Windows, Apple, and Google Chromebooks.
- If you see that provided devices are not able to be updated, please contact your school. Reminder, educators are working hard to make sure they are prepared for teaching your children. Please be kind when raising yet another issue they must address!
- Review your home network
- Confirm your router is up-to-date and any default passwords are removed.
- Confirm that you have a firewall installed and turned on, either from your Internet Service Provider, or on your router.
- Consider Chromebooks
- If you have an old Windows laptop, and you have the ability, we recommend you consider a Chromebook as your next purchase.
- Chromebooks have security built-in and are quite easy to maintain securely.
- This doesn’t mean that Apple or Windows laptops are bad and shouldn’t be used. But for non-technical people they can be viewed as more of a challenge to maintain. Older operating systems such as Windows XP and Windows 7 should not be used.
- Speak with your children about online risks
- Understand your risks at home, and potentially to your employer
- Make sure that your work-related devices are also up to date and that sensitive company data is not easily accessible.
- Reach out to your employer if you have concerns, they should be able to assist.
Working Together To Secure Our Schools
While the single device we examined belongs to a single school district, from conversations with other security experts and parents we believe that this just one example of the cyber security issues plaguing school districts across the United States. We are by no means placing all the blame on the schools. School districts commonly struggle with small budgets and staffing shortages, which have been amplified by the current pandemic. To make matters worse, while the federal CARES Act helped secure additional supplies, it does not provide any funding for beefing up cyber security.
We understand that school districts are basically on their own to “figure things out”, including the cyber security issues that they face for the 2020-21 school year. It is a tremendous task and extremely important that we work together to ensure that the upcoming school year is a success for our children.
At Risk Based Security we want to help, and here are our current plans:
- We will continue communication with the school district that issued the laptop we reviewed and provide assistance as appropriate.
- We want to provide school districts free access to our YourCISO product. We are in the process of reconfiguring the Security Health Check to be focused on what school districts should assess, as they are getting back to school. If your district is interested, we encourage you to reach out to us directly. No strings attached.
- We are aiming to publish a security training and awareness presentation that school districts can freely use. We also have aspirations to record the presentation and publish for usage.
- We are working to collect existing material and links to other resources that may help school districts with cyber security training and content to address other issues. UPDATE: This is available now. Please see Cyber Security Resources for Virtual Schooling.
School districts and parents need to be aware of the recent vulnerabilities and patching concerns that were highlighted in this post. Let’s make sure that together, our children’s privacy and security are protected.
If you have any additional thoughts or ideas on how we can further help, or you would like to help produce material or assist, please let us know!