Students scramble after security breach wipes 13,000 devices


Students in Singapore are scrambling after a security breach wiped notes and all other data from school-issued iPads and Chromebooks running the mobile device management app Mobile Guardian.

According to news reports, the mass wiping came as a shock to multiple students in Singapore, where the Mobile Guardian app has been the country’s official mobile device management provider for public schools since 2020. Singapore’s Ministry of Education said Monday that roughly 13,000 students from 26 secondary schools had their devices wiped remotely in the incident. The agency said it will remove the Mobile Guardian app from all iPads and Chromebooks it issues.

Second breach in 4 months

Also on Monday, Mobile Guardian revealed its platform had been breached in a “security incident that affected users globally, including on the North America, European, and Singapore instances. This resulted in a small percentage of devices to be unenrolled from Mobile Guardian and their devices wiped remotely. There is no evidence to suggest that the perpetrator had access to users’ data.”

In response to the breach, Mobile Guardian has halted services, a move that prevents users from logging in to the Mobile Guardian Platform. Students will also experience restricted access on their devices as a result.

Mobile Guardian representatives didn’t respond to questions, including whether the company has identified the means used to breach its platform, identified the attackers, or received any ransom demands.

The breach is at least the second one to hit Mobile Guardian this year. In April, a compromise of the company’s user management portal affected 127 schools in Singapore. The portal is used for account licensing, providing technical support and other administrative tasks. It has access to users’ names, email addresses, school names, and whether the user is a parent or school employee. In all, data for 67,000 parents and 22,000 school staff was accessed.

According to the Singapore Ministry of Education:

On 12 April, MG received an email that an unauthorized individual had gained access to MG’s management portal. This email was considered a phishing email, until MG received a subsequent email on 16 April. In the second email, the individual showed evidence of access to MG’s management portal and attempted to solicit money in exchange for keeping silent that the individual had been able to access MG’s management portal. MG acted on this second alert, and worked to establish the extent of access and customers affected. This included suspending all administrative accounts that could be used to access MG’s management portal.

MOE was notified by MG on 17 April late night of this incident, as well as the enhanced security measures implemented by MG on its management portal. MOE learned from MG’s preliminary investigations that an unauthorized individual had gained access to a support account on MG’s management portal. MG’s assessment was that the unauthorized individual could have used the compromised account to view the information of customers based in the United States and Asia Pacific region, including Singapore.

The agency said that the breach was “primarily attributed to poor password management practice, and not the result of the unauthorized individual exploiting vulnerabilities in MG’s systems.”

On Tuesday, a Reddit user published an email purportedly sent to Mobile Guardian reporting a “critical” vulnerability involving improper access control. The user said the vulnerability allows the unauthorized reading and modification of “all data in Mobile Guardian systems” and requires only three minutes to exploit.

Mobile device management software allows businesses and schools to remotely monitor and manage entire fleets of devices used by employees or students. Mobile Guardian bills itself as a “complete mobile device solution” that runs on Android, Windows, iOS, ChromeOS, and macOS platforms and provides device management, parental monitoring and control, secure web filtering, classroom management, and communications.

The outage has rippled across social media platforms. An image posted on Reddit shows dozens of devices piled on a table. “This is a picture, taken at one random moment, of the sheer number of iPads sitting on the table of a school’s IT department, that need to be wiped out and re-setup after yesterday’s Mobile Guardian glitch,” the user wrote. Similar threads can be found here and here.

https://arstechnica.com/?p=2041407