Dark Reading is part of the Informa Tech Division of Informa PLC



Unmanaged Devices Heighten Risks for School Networks

Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.

A ransomware attack that knocked the Baltimore County Public Schools (BCPS) system offline for several days last week focused attention on the heightened threat activity directed at school networks since the pandemic forced a mass shift to distance learning this year.

A new report from Armis this week suggests that many schools may be making it easier for threat actors to execute such attacks by allowing numerous devices to connect to their network in an insecure and unmanaged fashion.


Armis' report is based on recent engagements with multiple K–12 school districts around the country. In many instances, the vendor found a larger-than-expected and more-varied collection of unmanaged devices connected to the school networks.

One Arizona K–12 school district, for instance, had at least 47 videogame consoles, five Wi-Fi Pineapple devices — often used by pentesting teams — and three rogue access points on its network. Armis discovered many of the consoles were exposing the school district's network to the gaming community. The devices belonged to both students and faculty and presented a major risk because they're relatively easily exploitable if the Universal Plug and Play protocol is enabled on the gaming console, says Curtis Simpson, CISO at Armis.

The Wi-Fi Pineapples and other devices on the network similarly exposed the school district to a wide variety of external threats.

In another school district, Armis discovered as many as 239 connected building automation systems that all had a set of vulnerabilities, collectively referred to as URGENT/11, in them. The remotely exploitable vulnerabilities, which Armis discovered last year, exist in millions of devices running VxWorks and several other real-time operating systems. According to Armis, the school district's security team wasn't aware of the vulnerabilities and the fact that it had so many exploitable devices on its network.
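The findings Armis describes (unmanaged consoles with UPnP enabled, Wi-Fi Pineapples and rogue access points, building automation controllers running VxWorks) are the kind of thing a district's own inventory data can surface. The script below is an added example, not Armis' tooling or anything from the article: it triages a constructed inventory (made-up MAC addresses, hostnames, vendor strings and banners) against a managed-asset list and an authorised-AP list, and ranks each device's findings by severity. The vendor and hostname heuristics are assumptions for illustration, and a VxWorks banner only marks a device as a candidate for a version check against the URGENT/11 advisory, not as confirmed vulnerable.

```python
"""Triage a network inventory for unmanaged and high-risk devices.

Added example: every record, MAC prefix, vendor name and banner here is
constructed; the classification rules are simple heuristics, not a
vendor's detection logic.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    vendor: str              # vendor name from an OUI lookup (constructed)
    os_banner: str = ""      # passive fingerprint or banner, if any
    is_ap: bool = False      # device advertises a Wi-Fi SSID
    upnp_open: bool = False  # answers SSDP M-SEARCH on the LAN


# Constructed inventory of one hypothetical school network segment.
INVENTORY = [
    Device("00:11:22:aa:bb:01", "lab-pc-17", "Dell", os_banner="Windows 10"),
    Device("00:11:22:aa:bb:02", "ps4-room204", "Sony", upnp_open=True),
    Device("00:11:22:aa:bb:03", "Pineapple", "Hak5", is_ap=True),
    Device("00:11:22:aa:bb:04", "bacnet-ahu-3", "Example Controls", os_banner="VxWorks 6.9"),
    Device("00:11:22:aa:bb:05", "wap-gym-2", "Aruba", is_ap=True),
    Device("00:11:22:aa:bb:06", "wifi-hotspot", "TP-Link", is_ap=True),
]

# Assets the district provisions and patches, and BSSIDs of its own APs.
MANAGED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:04", "00:11:22:aa:bb:05"}
AUTHORISED_APS = {"00:11:22:aa:bb:05"}

# Heuristic vendor/hostname markers (assumptions, not authoritative lists).
GAME_CONSOLE_VENDORS = {"sony", "nintendo"}
GAME_CONSOLE_HOST_WORDS = ("xbox", "playstation", "ps4", "ps5")
PENTEST_TOOL_VENDORS = {"hak5"}

# Higher number = more urgent; used to order findings and the report.
SEVERITY = {
    "urgent11-candidate": 6,  # VxWorks banner: check version against URGENT/11 advisory
    "rogue-ap": 5,            # AP not in the district's authorised list
    "pentest-tool": 4,        # Pineapple or similar attack platform on the LAN
    "upnp-exposed": 3,        # UPnP reachable; console may open inbound ports
    "gaming-console": 2,
    "unmanaged": 1,           # not in the managed-asset list; no patching or AV
}


def classify(dev: Device) -> List[str]:
    """Return the findings for one device, highest severity first."""
    findings = []
    if dev.mac not in MANAGED_MACS:
        findings.append("unmanaged")
    vendor = dev.vendor.lower()
    host = dev.hostname.lower()
    if vendor in GAME_CONSOLE_VENDORS or any(w in host for w in GAME_CONSOLE_HOST_WORDS):
        findings.append("gaming-console")
    if dev.upnp_open:
        findings.append("upnp-exposed")
    if vendor in PENTEST_TOOL_VENDORS or "pineapple" in host:
        findings.append("pentest-tool")
    if dev.is_ap and dev.mac not in AUTHORISED_APS:
        findings.append("rogue-ap")
    if "vxworks" in dev.os_banner.lower():
        findings.append("urgent11-candidate")
    return sorted(findings, key=lambda f: -SEVERITY[f])


def risk_report(inventory) -> Dict[str, List[str]]:
    """Map MAC -> findings for every device with at least one finding."""
    report = {}
    for dev in inventory:
        found = classify(dev)
        if found:
            report[dev.mac] = found
    return report


def top_severity(report: Dict[str, List[str]]) -> int:
    """Highest severity present in a report (0 when nothing was flagged)."""
    return max((SEVERITY[f[0]] for f in report.values()), default=0)


if __name__ == "__main__":
    report = risk_report(INVENTORY)
    for mac, findings in sorted(report.items(), key=lambda kv: -SEVERITY[kv[1][0]]):
        print(f"{mac}  {', '.join(findings)}")
```

In practice the inventory would come from DHCP leases, switch MAC tables or a passive fingerprinting sensor rather than a literal list, and the "managed" set from the district's MDM or patch-management export; the point is that the three lists the article's findings hinge on (what is managed, which APs are yours, which banners need a vulnerability check) are usually already available to a school's IT team.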

Simpson says it's likely that such building automation system devices were present on school networks before the pandemic began. But the fact that many are left unmonitored presents a risk, especially with the heightened attention that attackers are paying to school networks. "Attackers will often look to exploit such services or devices within this type of environment, knowing that they are rarely monitored in such a manner that would allow the school system or any other target to identify the compromise," Simpson notes. One school district in Florida had multiple smartphones serving as point-of-sale devices on its network.

Simpson says the biggest difference between school networks before the pandemic began and now is the sheer number of devices that are connected to them. "In many cases, personal devices — versus those issued by the school system — are also being used to access school system networks and services," Simpson says. "These devices are not being managed by the school system and are often missing standard controls — such as modern antivirus — to safeguard against such attacks."

Attacks on school networks such as the one on BCPS last week have surged since the pandemic forced a shift to remote learning at many school districts around the country this year. According to Microsoft, some 63% of the malware attacks that it encountered over the past 30 days have involved devices at educational institutions. A report in April by Armor showed schools and colleges being targeted much more heavily in cyberattacks this year compared with organizations in any other sector.

Security researchers have pointed to several reasons for the surge in attacker interest in school networks. Among them is the fact that school networks remain relatively easy to break into compared with other networks. In a distance-learning environment, attackers have also discovered that schools are likely to accede more readily to ransomware demands than organizations in other sectors.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
