The hardware bugs known as Spectre and Meltdown, which were identified by researchers as affecting Intel chips that are used in a variety of vendors’ processes and operating systems, allow hackers to obtain sensitive information from devices used in schools and homes, according to experts.
Miguel Guhlin, director of professional development for the Texas Computer Education Association, said that the two vulnerabilities “can open the door to hackers who can get apps or software onto your device of choice,” and the resulting malware “can skim private or confidential data from your device, including encryption keys your device uses.”
“Virtually every modern computer is affected by these vulnerabilities, including those deployed in the classroom and in school server rooms and in tablets/phones,” noted Doug Levin, founder and president of EdTech Strategies LLC.
He said in an email that the threat is significant. Some experts also believe that no security controls that are currently in place will be useful against the two vulnerabilities.
Though there have been no known reports of data breaches among schools specifically linked to these newly announced security risks, not all software and systems have yet received updates to mitigate the new risks — so school systems should beware, according to those following the matter.
Intel announced that they are releasing updates that include patches for all devices made in the last five years, which should mitigate any risks posed by Spectre and Meltdown.
“It is vitally important that these new updates be applied as soon as possible to avoid the exfiltration of sensitive data,” Levin said.
‘Information security posture’
The recent spate of hacking incidents and threats underscores the risks posed by using educational technology.
Levin said security researchers are devoting more of their attention to issues of hardware security given the increased reliance on IT systems “to manage increasing amounts of sensitive data, [but] it doesn’t matter how secure an operating-system, or its software is, if the underlying hardware is vulnerable.”
According to his research on state education agencys’ website security and privacy practices, Levin found that many school districts remain under-prepared for a cybersecurity incident, despite the rise in serious events.
“I am not aware of evidence that suggests that school leaders are better positioned to respond to these threats and a recent survey conducted by CoSN suggests that the cybersecurity practices of school district IT staff are lax,” he added. “While there are common sense steps that districts can take to reduce their risk of an attack, I fear that it will take new regulations before the information security posture of most schools is improved to where it needs to be.”
Mitigating risk now
Google said in a statement that the issue has been mitigated in many Google products or was never an issue to begin with. They said the following are not affected by the vulnerabilities: Google Suites/GoogleApps, Google Home/Chromecast, and Google Hub/WiFi.
Guhlin said that this is a “hardware design problem rather than a software problem,” and as such, districts may need to consider replacing devices that have the faulty Intel chip.
In the meantime, TCEA offered the following measures that schools can take to mitigate any immediate vulnerabilities:
- In the Chrome browser, enable an optional feature known as “Site Isolation.” Once enabled, the feature isolates websites into separate address spaces and prevents an attacking website that was visited from obtaining login and password credentials, Guhlin said.
- Microsoft recommended that Windows 10 updates be completed prior to adding firmware updates.
- To protect an iOS or Macbook, install all updates as soon as they become available and only install new apps from the approved Apple store, he added.
Emily Ann Brown covers education technology and STEM education issues for LRP Publications.
Copyright 2018© LRP Publications, Education Daily®