Passwords written on sticky notes

4 times students compromised school cybersecurity

For many students school can be a tough time, and we’ve all heard stories about bored or frustrated kids compromising school cybersecurity to change grades. Sometimes the students are celebrated, and other times it ends in them being expelled from school, or even prosecuted. 

Of course, these acts of compromising school security are against the law. In 1986, the Computer Fraud and Abuse Act (CFAA) was enacted as an amendment to the first federal computer fraud law, to address hacking. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization.

And the sentences are not mild. Accessing a computer to defraud and obtain value (such as raising your grades) could end in a five-year prison sentence!

Here are four times school cybersecurity failed, and students got up to no good:

1. Rickrolling an entire school district

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

In a personal blog the student wrote:

“I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

Now, that is high-level rickrolling! And he was lucky enough to find an understanding audience. The director stated that because of its guidelines and documentation, the district would not be pursuing discipline. In fact, they thanked the rickroller for their findings and asked them to present a debrief to the tech team.

2. Guilty until proven innocent

A Canadian student at Tufts University veterinarian school was expelled for an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.

Since her visa was no longer valid after she got expelled, she had to leave the US immediately. With tens of thousands of dollars in student debt and no prospect of her becoming a veterinarian, her life was in shambles. 

She provided Tufts with information about her whereabouts at the times of the alleged hacks, but her alibis were dismissed. She scanned her MacBook Air—the source of the alleged hacks—and that showed that it was itself compromised. Within minutes, several malicious files were found, chief among which were two remote access trojans (RATs).

Like any private university, Tufts can discipline and expel a student for almost any reason. So they did not have to prove she was guilty, she had to prove without any reasonable doubt that she was innocent, and she was unable to convince them.

3. 12-year-olds pwn their school district

The hack started small, in seventh grade, when the students bypassed their middle school’s internet filters to watch YouTube during lunch. But by the time Jeremy Currier and Seth Stephens were caught more than two years later, their exploits had given them extraordinary reach into the computer network of the Rochester Community Schools. They literally had access to everything. The boys were even using district servers to mine for cryptocurrency.

As a consequence, the district expelled both of them, then referred them to the county sheriff’s office. Their long-term employment prospects should have been bright, with many organizations looking for skilled cybersecurity workers. Sadly, the boys are unlikely to be eligible for many of those public-sector positions as it’s now unlikely they will be able to pass a background check and get security clearance.

4. Homecoming queen rigs contest, allegedly

When Emily Grover was named homecoming queen, her school accused her and her vice principle mother of hacking students’ accounts to sway the election.

The pair allegedly used the mother’s login to the school computer system to harvest student IDs and birthdates. These were then used to cast 246 fake votes on Election Runner—a third-party app used by the school to run the election—from the mother’s cell phone and a computer at her home.

The duo claim to be innocent and refused a no-jail plea agreement, despite facing a maximum penalty of 16 years in jail.

Grover was forbidden from graduating with her class and received a letter from the University of Western Florida saying she was no longer welcome there.

The crime and the consequences

One thing all these cases have in common is basic security lapses at the educational institutions involved: Plaintext passwords in log files, passwords on sticky notes, and wide open networks.

But even if the door is left open, it is still illegal to enter.

Should you find such an open door, warn your IT staff about it and don’t take advantage of it. Getting caught could do a lot more damage than a bad grade or only being the runner-up in a homecoming queen contest.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.