A Bored Student Hacked His School’s Systems. Will the Edtech Industry Pay Attention?
This week on the podcast we’re talking about cybersecurity at schools—and how secure, or in some cases how vulnerable, the tech systems in school systems are these days.
We’re focusing on a pretty unusual story about Bill Demirkapi, who had a pretty odd hobby while he was in high school in Lexington, Massachusetts. While many kids might play video games or just goof around when they get bored, Demirkapi decided to go poke around in some of the computer systems that his school uses.
Specifically, he tried to get into some of the learning and student management systems built by Blackboard and Follett, which are two of the most widely used edtech systems in the country. Essentially these are the computer systems that store grades and the student records of his school.
He said he’s long been interested in computers, and thought it would be “cool” to be a hacker like he had seen in Hollywood movies. He even has a motto, posted prominently on his blog about security issues, that says he wants to break anything and everything.
So what was the student able to see when he tried out his hacking skills on his own school?
When he started poking around these systems built by Blackboard and Follett, he found that he was able to access millions of records, ranging from test grades and medical records to what students eat for lunch. Some of what he was able to find actually surprised him.
Listen to the story on this week’s EdSurge On Air podcast. You can follow the podcast on the Apple Podcast app, Spotify, Stitcher, Google Play Music or wherever you listen. Or read a transcript below, lightly edited for clarity.
Bill Demirkapi: I saw a little over 34,000 immunization records on Blackboard’s database, and it was concerning to see how much data the school had on a database, and what they trusted Blackboard with.
EdSurge: The student reported the security holes to both companies. At least he tried to. In the case of Follett, Demirkapi didn’t feel like he was heard when he sent his initial emails. So when he didn’t hear anything back, he took things a little bit further.
Demirkapi: What I found was one of the improper access control vulnerabilities allowed me to add something called a “group resource.” A group resource is something that whenever you logged into [Follett’s] Aspen [student information system], there’d be a list of group resources. I think schools could use this to add useful links, like the student handbook or the school calendar. But I found out that I could actually add my own group resource as a student. So what I did was I added one of these group resources and said, “Hey, hello. My name is Bill Demirkapi.” And I said, “At Follett Corporation, there’s no security.”
It turns out it actually got a little bit farther than I expected. Basically, whenever you logged in, you would see that if you’re in my district. The school administration wasn’t that happy with it—understandably. And yeah, I did get suspended for two days for creating a major disturbance.
Blackboard didn’t respond either, which also frustrated him.
Demirkapi: No vendor had ever just ignored me or left me on the spot. Although that’s actually a reality in the real world, I didn’t know that. So I felt a little bit disrespected, too. I said, “Your Blackboard security commitment says you’re going to do this, this and this. You’ve only done step one. You know, this is kind of disrespectful to me because I’m doing your IT department’s job for them and for free. I want to keep searching, but you’re not showing me the respect that I deserve. And this is absurd.” I even sent them a screenshot showing that I had caught them red-handed.
At some point, Demirkapi went to his school administration and they set up calls with the companies. And that’s when he got more of a response from company officials, since at that point it was a customer—the school officials—who were complaining.
Wired Magazine, which is where we first heard about the story, reached out to both companies. Follett said they appreciated his help, but also stated that the security flaw he found would not have given him access to any student data other than his own. But that’s not what Demirkapi says. He says he probably could have accessed more data.
Blackboard also downplayed the incident and said that there was no evidence that anyone other than Demirkapi had exploited the flaw that he had found, so no one else to their knowledge was able to see the data.
To understand how unusual or how common this all is, we reached out to Doug Levin, a K-12 cybersecurity researcher, to learn a little bit more about how often these incidents occur. We first asked how often he finds security flaws in edtech products.
Doug Levin: I’m seeing a new incident reported about a public school at least every couple of days. Since I’ve been tracking from 2016 forward, I have identified nearly 600 incidents that have occurred of varying severity. An incident is not the same from place to place. Some involve thousands of students or teachers and others may affect a small number, but those are only the ones I know about. I strongly suspect there may be 10 to 20 times more incidents that are occurring that are not made publicly available.
As we look around the world today, we’re seeing major companies and governments involved in these conversations, talking about things like our election systems. Just now, we were talking about the CEO of Twitter [Jack Dorsey] who appears to have had his account compromised.
When major technology companies are having these issues, when the federal government is having these issues, it’s not surprising that schools are also affected by these issues. And schools have fewer resources to defend themselves. So it’s not surprising. It is common. Unfortunately, it appears to be becoming more common. At least, we’re talking about it more.
One might think student data is something lots of people would care about—especially parents. So why hasn’t this gotten more attention? Levin says companies might actually do more if the schools that are their actual customers would push back and push harder on the issue.
Levin: The thing that’s challenging right now is there hasn’t been a strong enough market signal to suggest that those companies that [invest in security] are getting rewarded. It’s the right thing to do. People should have greater confidence in those companies. But buyers are making decisions about what platforms to use for all sorts of reasons. And security right now is not high enough up on the priority list for buyers.
And we asked Levin what he thought of Demirkapi’s case in particular.
Levin: There’s a couple of aspects of Bill’s story that I think are interesting. One is this notion of student hackers and students applying their technology skills and expertise against their own school systems, or in some ways advocating on their behalf with the tools at their disposal.
Hacking is really about trying to figure out how things work, seeing if you can break them, seeing if you could make them behave the way that you want and to get what you want out of those systems. So it makes sense that students who are using more and more technology in schools want to understand how that technology works. If there are ways that it can work better for them, even if they’re sort of gaming the system, that makes all the sense in the world.
Students have varying degrees of maturity when they go after this. They do these sorts of things. Certainly I’ve covered a number of stories where students have successfully changed their grades or wiped out their lunch balances or defaced their school websites or social media accounts. But there are lots of ways that schools have been affected by students doing this.
The second aspect of Bill’s story that I thought was really interesting was his focus on school vendors and their security and that disclosure process. If you find a security vulnerability in an edtech product, what do you do? This is a big thorny question in the cybersecurity world writ large. So there’s a lot of conversation about what responsible disclosure looks like, and how companies that are treating security seriously should respond.
Companies probably don’t want to encourage all these students out there to break into their systems. But Levin is saying they could do more to be open to this kind of tip from the outside.
It’s worth noting that even Bill himself, who just started college, admits that even when he was doing this, he wasn’t always the most mature in his approach.
Demirkapi: Well, believe it or not, I don’t think my school was entirely wrong in what they did. If I were a school official, I would have suspended me as well, to be honest. But there were a few things that I think they did wrong in the sense that they weren’t exactly following the student handbook themselves.
There are a few things that I think they went a little bit out of the lines there, but still I think that I definitely should have had some sort of punishment and I was ready for that before I did publish the group resource. I knew that there was no way the school was going to take this lightly.
But I think that the responsibility should be more on the education companies and that they have, for example, a security contact. Even if they’re not paying people to report bugs to them, there should be a way to get in touch with the right department and hopefully they don’t ignore people who report issues to them.
In my case, I’m not trying to be the evil person trying to steal people’s information. But in reality, it can be hard for a school to tell my intent. Honestly, I don’t think I’m qualified to give an opinion on what school officials should do and what’s right for them to do, just because I’m a student. I’m what, 18 years old. I think that’s up to other people to decide. But I do think that there should be a little bit more flexibility.
Maybe one day Demirkapi will be one of the people running security at a tech company. He’s currently studying cybersecurity and hopes to go into the field after he graduates.