08:00 PM
Unmanaged Devices Heighten Risks for School Networks

Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.

A ransomware attack that knocked the Baltimore County Public Schools (BCPS) system offline for several days last week focused attention on the heightened threat activity directed at school networks since the pandemic forced a mass shift to distance learning this year.

A new report from Armis this week suggests that many schools may be making it easier for threat actors to execute such attacks by allowing numerous devices to connect to their network in an insecure and unmanaged fashion.

Armis' report is based on recent engagements with multiple K–12 school districts around the country. In many instances, the vendor found a larger-than-expected and more-varied collection of unmanaged devices connected to the school networks.

One Arizona K–12 school district, for instance, had at least 47 videogame consoles, five Wi-Fi Pineapple devices — often used by pentesting teams — and three rogue access points on its network. Armis discovered many of the consoles were exposing the school district's network to the gaming community. The devices belonged to both students and faculty and presented a major risk because they're relatively easily exploitable if the Universal Plug and Play protocol is enabled on the gaming console, says Curtis Simpson, CISO at Armis.

The Wi-Fi Pineapples and other devices on the network similarly exposed the school district to a wide variety of external threats.

In another school district, Armis discovered as many as 239 connected building automation systems that all had a set of vulnerabilities, collectively referred to as URGENT/11, in them. The remotely exploitable vulnerabilities, which Armis discovered last year, exist in millions of devices running VxWorks and several other real-time operating systems. According to Armis, the school district's security team wasn't aware of the vulnerabilities and the fact that it had so many exploitable devices on its network.

Simpson says it's likely that such building automation system devices were present on school networks before the pandemic began. But the fact that many are left unmonitored presents a risk, especially with the heightened attention that attackers are paying to school networks. "Attackers will often look to exploit such services or devices within this type of environment, knowing that they are rarely monitored in such a manner that would allow the school system or any other target to identify the compromise," Simpson notes. One school district in Florida had multiple smartphones serving as point-of-sale devices on its network.

Simpson says the biggest difference between school networks before the pandemic began and now is the sheer number of devices that are connected to them. "In many cases, personal devices — versus those issued by the school system — are also being used to access school system networks and services," Simpson says. "These devices are not being managed by the school system and are often missing standard controls — such as modern antivirus — to safeguard against such attacks."

Attacks on school networks such as the one on BCPS last week have surged since the pandemic forced a shift to remote learning at many school districts around the country this year. According to Microsoft, some 63% of the malware attacks that it encountered over the past 30 days have involved devices at educational institutions. A report in April by Armor showed schools and colleges being targeted much more heavily in cyberattacks this year compared with organizations in any other sector.

Security researchers have pointed to several reasons for the surge in attacker interest in school networks. Among them is the fact that school networks remain relatively easy to break into compared with other networks. In a distance-learning environment, attackers have also discovered that schools are likely to more readily accede to ransomware demands than organizations in other sectors.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
