The research, conducted by the company’s Advanced Threat Research team, discovered the bug in the Netop Vision Pro Education software, which is used by some 3 million teachers and students across 9,000 school systems globally, including in the U.S. The software allows teachers to monitor and control how students use school-issued computers in real time, block websites and freeze their computer screens if they’re found to be off task.
“This speaks to the power of responsible disclosure and ‘beating the bad guys to the punch’ in terms of providing vendors insights to the flaws in their products and an appropriate time period to produce fixes,” Doug McKee, McAfee’s principal engineer and senior security researcher, and Steve Povolny, the company’s head of advanced threat research, said in an emailed statement.
Netop, which bills its products as a way to “keep students on task, no matter where class is held,” did not immediately respond to requests for comment.
“We do believe this bug is highly likely to be exploitable, and a determined attacker may be able to leverage the attack” to breach the system.
A student monitoring company that thousands of schools used during remote and hybrid learning to ensure students were on task may have inadvertently exposed millions of kids to hackers online, according to a report released Monday by the security software company McAfee Enterprise.
This is the second time in less than a year that McAfee researchers have found vulnerabilities in Netop’s education software — glitches that hackers could exploit to gain control over students’ computers, including their webcams and microphones. It’s unclear whether the software had been breached by anyone other than the researchers. In a $4 billion deal over the summer, McAfee Corp. sold off the business-focused McAfee Enterprise to focus on consumer cybersecurity.
While the research comes as many U.S. students return to classrooms for in-person learning, cyberattacks targeting K-12 school districts — already an issue before the pandemic — have worsened throughout it. In the last month, educational organizations were the target of more than 5.5 million malware attacks, according to Microsoft Security Intelligence. In fact, educational organizations accounted for nearly two-thirds of such attacks globally. Publicly disclosed computer attacks against schools hit a record in 2020.
To conduct the research, McAfee relied on a free trial of Netop to analyze the program’s underlying code using an automated testing technique called “fuzzing,” in which they provided the software with malformed data to cause a crash. As a result, they found a bug in the way the program transmits digital images of students’ screens to teachers that could be exploited to attack children with malware, ransomware, collect their personal information or to access the computers’ webcams.
In March, McAfee researchers uncovered four “critical issues” in Netop’s monitoring software that allowed hackers to “gain full control over students’ computers.” Among the issues, researchers discovered that communications between teachers and students through the service were unencrypted, meaning they weren’t protected by a code that blocks unauthorized access. In a blog post, McAfee explained how the Netop vulnerabilities compromised student privacy, noting that while the company’s monitoring software “may seem like a viable option for holding students accountable in the virtual classroom, it could allow a hacker to spy on the contents of the students’ devices.”
“If a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment,” the blog post explained. “The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.” Multiple education technology companies have experienced hacks and other digital vulnerabilities during the pandemic. In July 2020, for example, hackers targeted the company ProctorU, which provides a live proctoring service to help prevent cheating, and published the personal information of more than 444,000 students to an online forum.
Privacy and civil rights groups have raised concerns for years about the risks posed by student surveillance tools, including issues related to cybersecurity and privacy. Perhaps most famously, a suburban Philadelphia school district reached a $610,000 court settlement in 2010 after educators used computer webcams to surveil students at home without their knowledge. Earlier this month, The 74 published an in-depth investigation about how another student surveillance company, Gaggle, subjects children to relentless digital surveillance as it monitors students’ online activity — both in classrooms and at home — in search of keywords that could indicate problematicor potentially harmful behaviors. Among other concerns, privacy advocates argue that schools’ broad collection of student information could make youth vulnerable to data breaches.
McAfee says it notified Netop of its initial findings in December 2020 and the company rectified “many of the critical vulnerabilities” by February 2021. The security giant alerted Netop to the latest bug in June and the company has worked “towards effective mitigations,” according to McAfee, but has not yet announced a permanent fix.