This week on the podcast we’re talking about cybersecurity at schools—and how secure, or in some cases how vulnerable, the tech systems in school systems are these days.
We’re focusing on a pretty unusual story about Bill Demirkapi, who had a pretty odd hobby while he was in high school in Lexington, Massachusetts. While many kids might play video games or just goof around when they get bored, Demirkapi decided to go poke around in some of the computer systems that his school uses. Specifically he tried to get into the security of some of the learning and student management systems built by Blackboard and Follett, which are two of the most widely-used edtech systems in the country.
Essentially these are the computer systems that store grades and the student records of his school.
He said he’s long been interested in computers, and thought it would be “cool” to be a hacker like he had seen in Hollywood movies. He even has a motto, posted prominently on his blog about security issues that says he wants to break anything and everything.
So what was the student able to see when he tried out his hacking skills on his own school?
When he started poking around these systems built by Blackboard and Follett, he found that he was able to access millions of records, things from test grades to medical records, what they eat for lunch, all kinds of things. Some of what he was able to find actually surprised him.
Listen to the story on this week’s EdSurge On Air podcast. You can follow the podcast on the Apple Podcast app, Spotify, Stitcher, Google Play Music or wherever you listen. Or read a transcript below, lightly edited for clarity.
Bill Demirkapi: I saw a little over 34,000 immunization records on Blackboard’s database, and it was concerning to see how much data the school had on a database, and what they trusted Blackboard with.
EdSurge: The student reported the security holes to both companies. At least he tried to. In the case of Follett, Demirkapi didn’t feel like he was heard when he sent his initial emails. So when he didn’t hear anything back, he took things a little bit further.
Demirkapi: What I found was one of the improper access control vulnerabilities allowed me to add something called a “group resource.” A group resource is something that whenever you logged into [Follett’s] Aspen [system at a school], there’d be a list of group resources. I think schools could use this to add useful links like maybe the student handbook or the school calendar. But I found out that I could actually add my own group resource as a student. So what I did was I added one of these group resources and said, “Hey, hello. My name is Bill Demirkapi.” And I said, “At Follett Corporation, there’s no security.”
It turns out it actually got a little bit farther than I expected. Basically, whenever you logged in, you would see that if you’re in my district. The school administration wasn’t that happy with it—understandably. And yeah, I did get suspended for two days for creating a major disturbance.
Blackboard didn’t respond either, which also frustrated the student.
No vendor had ever just ignored me or left me on the spot. Although that’s actually a reality in the real world, I didn’t know that. So I was a little bit disrespectful, too. I said, “Your Blackboard security commitment says you’re going to do this, this and this. You’ve only done step one. You know, this is kind of disrespectful to me because I’m doing your IT department’s job for them and for free. I want to keep searching, but you’re not showing me the respect that I deserve. And this is absurd.” I even sent them a screenshot that I caught them red-handed.
So at some point, the student went to his school administration and they set up calls with the companies. And that’s when he got more of a response from company officials, since at that point it was a customer, the school officials who were complaining.
Wired Magazine, which is where we first heard about the story, reached out to both companies. Follett said they appreciated his help, but also stated that with the security flaw he found, he really never could have found the data of other students other than his own, but that’s not what Bill says. Bill says that he was probably going to be able to access more data.
Blackboard also downplayed the incident and said that there was no evidence that anyone other than Bill had exploited the flaw that he had found, so no one else to their knowledge was able to see the data.
To understand how unusual or how common this all is, we reached out to Doug Levin, who is a K-12 cybersecurity researcher, to learn a little bit more about how common these incidents are. We first asked how often he finds security flaws in edtech products.
Doug Levin: I’m seeing a new incident reported about a public school at least every couple of days. Since I’ve been tracking from 2016 forward, I have identified nearly 600 incidents that have occurred of varying severity. Right? So an incident is not the same from place to place. Some involve thousands of students or teachers and others may affect a small number, but those are only the ones I know about.
I strongly suspect there may be 10 to 20 times more incidents that are occurring that are not made publicly available. So as we look around the world today, we’re seeing major companies and governments, there’s lots of conversations about our election systems. Right? Before we got on the line together, we were talking about the CEO of Twitter appears to have had his account compromised.
You know, when major technology companies are having these issues, when the federal government is having these issues, it’s not surprising that schools are also affected by these issues, and schools have fewer resources to defend themselves. So it’s not surprising. It is common. Unfortunately, it appears to be becoming more common. At least, we’re talking about it more. So unfortunately, it’s not as rare as we would hope.
You might think student data is something lots of people would care about—especially parents. Why hasn’t this gotten more attention?
Levin says that companies might actually do more if the schools who are their actual customers would push back and push harder on the issue.
Levin: The thing that’s challenging right now is there hasn’t been a strong enough market signal to suggest that those companies that do that are getting rewarded. I mean it’s the right thing to do. People should have greater confidence in those companies. But buyers are making decisions about what platforms do you use for all sorts of reasons. And security right now is not, it’s not high enough up on the list for enough buyers.
And we asked Levin what he thought of Bill’s case in particular.
There’s a couple of aspects of Bill’s story that I think are interesting. One is this notion of student hackers and students applying their technology skills and expertise against their own school systems or really in some ways advocating on their behalf with the tools at their disposal.
Hacking is really about trying to figure out how things work, seeing if you can break them, seeing if you could make them behave the way that you want and to get what you want out of those systems. So it makes all the sense in the world for students who are using more and more technology in schools to want to understand how that technology works and if there’s ways that it can work better for them, even if they’re sort of gaming the system, makes all the sense in the world.
Students have varying degrees of maturity when they go after this. They do these sorts of things. Certainly I’ve covered a number of stories where students have successfully changed their grades or wiped out their lunch balances or defaced their school websites or social media accounts. But there’s lots of ways that schools have been affected by students doing this and reacted to that. That’s one aspect.
The second aspect of Bill’s story that I thought was really interesting was his focus on school vendors and their security and that disclosure process, right? If you go look and then you find a security vulnerability in an ed tech product, what do you do? So this is a big thorny question in the cybersecurity world writ large. So there’s a lot of conversation about what responsible disclosure looks like and what companies that are treating security seriously, how they respond and how they should respond.
So companies probably don’t want to encourage all these high school students out there to break into their systems. But it sounds like Levin is saying they could do more to be open to this kind of tip from the outside.
It’s worth noting that even Bill himself who just started college admits that even when he was a kid and he was doing this, he wasn’t always the most mature in his approach.
Demirkapi: Well, believe it or not, I don’t think my school was entirely wrong in what they did. The whole group resource thing I would have… If I was a school official, I would have suspended me as well to be honest. I don’t think it was… I don’t know about… There were a few things that I think they did wrong where in the sense that they weren’t exactly following the student handbook themselves.
You know, there’s a few things that I think they went a little bit out of the lines there, but still I think that I definitely should have had some sort of punishment and I was ready for that before I did publish the group resource. I knew that there was no way the school was going to take this lightly. But I think that the responsibilities should be more on the education companies like the software companies that, they have, for example, a security contact. Even if they’re not paying people to report bugs to them, there should be a way to get in touch with the right department and hopefully they don’t ignore people who report issues to them.
So I really think that for schools, in my case, my school, they of course had their moments where I think that they did wrong, but overall, just understanding that not everyone is… You know. In my case, I’m not trying to be the evil person trying to steal people’s information. But in reality, I think that it can be hard for a school to tell my intent. Honestly, I don’t think I’m qualified to give an opinion on what school officials should do and what’s right for them to do just because I’m a student. I’m what, 18 years old. I think that’s up to other people to decide. But I do think that there should be a little bit more flexibility.
Maybe one day Demirkapi will be one of the people running security at a tech company. He’s currently studying cybersecurity and hopes to go into the field after he’s done with school.