The challenges of government and enterprise IT security have been documented in a multitude of reports over the years, but what is the state of IT security within American schools?
At the DEF CON 27 conference in Las Vegas, 18-year-old Bill Demirkapi detailed how he discovered multiple vulnerabilities within several different software applications used in his school, including Blackboard's Community Engagement software and Follett's Student Information System. He started finding the issues when he was 16 years old and continued his research until he graduated in spring 2019.
The bugs ranged in severity and type and included SQL injection, as well as XML inclusion vulnerabilities. While the bugs varied the ultimate impact, Demirkapi said that he could have taken personally identifiable information or even changed his grades.
"I knew that there was a lot of schools using the software," Demirkapi said. "My method of finding vulnerabilities was...really inadequate and nonprofessional. It was just looking at pages and trying to mess with the parameters."
Among the simple flaws that he was able to discover was improper access control to the student information system. Demirkapi explained that most properties of the system were incremented, with a simple approach, making it easy to identify a student. Additionally he discovered a local file inclusion flaw.
He explained that when downloading their schedule or report card, users would be redirected to a servlet called toolResult.do.
"After running a tool or attempting to download a file shared with the user, a request to toolResult.do is made," Demirkapi said. "By modifying the fileName parameter to the proper path escape, an attacker can access any file on the system."
Within Blackboard's Community Engagement software, Demirkapi said that he found what he referred to as "SQL injections galore," the end result of which also enabled him to gain unauthorized access. Again, he noted that he really didn't know what he was doing but was still able to find issues.
"Essentially, I grabbed a list of links through a crawler and using Chrome Web Tools, I would then try and find interesting parameters to play around with and see how the server reacted when it received unexpected input," he said. "For parameters that responded to characters commonly used in SQL injection, I put them through SQLmap."
SQLmap is popular open-source tool that easily enables users to test for and exploit SQL injection conditions in software. The Blackboard system that Demirkapi accessed involved more than just his own school and had over five million students and teachers in the system spread across over 5,000 schools.
Demirkapi was quick to note that in his own research he only looked at his own data and did not look at or take anyone else's information. He commented that any other information that was gathered was metadata, such as the number of rows in a database.
"The primary reason I kept investigating is because the database had my records too," he said. "I felt obligated to determine the extent for the impact to my own records and the records of my peers."
Not only was Demirkapi meticulous in trying to be responsible about only accessing his own data, he also attempted to be responsible in his disclosure to both his school and the impacted vendor, with mixed results. After attempting to get the attention of his school with a disclosure notice that was only supposed to go to his school's IT team but ended up going to every school in his district, Demirkapi said he was suspended from school for two days.
Demirkapi learned from that initial experience and made future disclosures via the CERT Coordination Center, which made the disclosure process a bit easier getting things fixed, though he still faced some hurdles.
During his presentation, he noted that he had contacted Blackboard before giving his DEF CON presentation and was advised to share a statement in the presentation, which he did.
"Blackboard is always working hard to improve both the security of our products, as well as the processes and procedures we leverage in support of security," the company stated.
Wrapping up, Demirkapi said that it's important for schools to take data security seriously and hold software vendors accountable. "Don't fall for marketing," he said. "Just because they say they take care of data doesn't mean they do."
Demirkapi added that in his view there needs to be more regulations to keep children's data safe, since they can't defend their own data. "If a 16 year old can find a breach affecting millions of students and teachers, what would a nation–state find?" he asked.