You know you are living in an Orwellian nightmare when governments install surveillance software in schools to monitor children for extremism. Having said that, it is pretty easy to see why schools would seem like a great place for governments to indoctrinate the next generation into a life of unquestioned surveillance. Unfortunately, the fact that the government has installed this software in schools and is using an ‘anti-radicalization module’ to monitor your children in the UK and US is the least of your worries.
While teachers look for keywords as evidence that a child may have become a Jihadist organization sympathizer or a ‘jihobbyist’, the very software that is meant to help the government stop terrorism is so easy to hack that it is now known that any school could be penetrated by anyone, from anywhere in the world, giving the hacker full access to all of the school’s and your children’s information.
This surveillance tool goes hand in hand with the UK’s newly revived ‘snoopers charter’, which can be used to target individuals or organizations that try to radicalize young British people. It is the latest privacy-eroding surveillance program deemed necessary in the name of security.
So, how do we know that the software is so insecure? In January, white hat hacker Zammis Clark became interested in the software, by UK firm Impero, at the BETT education tech conference in London. After requesting information about its security, which Impero failed to respond to, he decided to test the software himself.
He discovered that, due to a complete lack of secure authentication, it was incredibly easy for anyone to gain access to Impero’s server, where all connected machines are ‘completely open to compromise’. Interviewed about the hack, Mr. Clark said,
‘Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability.’
After Clark made his findings public in June, Impero issued a fix. Clark, however, penetrated the software again and published the updated exploit to the internet, also emailing the company to warn them of the issue. Not happy with having their software’s vulnerabilities publicized, Impero have filed a lawsuit against Clark. It claims that Clark broke its terms and conditions of service by tampering with its product. Nikki Annison, director of marketing at Impero, said,
‘While we actively encourage helpful feedback that contributes to the development of the product, through regular focus groups and security workshops, the methods used to identify and communicate this particular issue were not legal and we shall be taking a firm stance.’
Most companies pay to have white hat hackers discover weaknesses in their systems, but confusingly Impero would rather not know, and seems annoyed at having to deal with the problems that Clark found. Impero, it would appear, is more worried about selling its flagship product, Impero Education Pro, than about actually making sure it is up to the stringent needs of modern digital security.
For now, the disagreement between the two parties continues. Why Impero can’t come to some sort of agreement with Clark to improve the software is incomprehensible. Annison claims that after the hack,
‘We immediately released a hot fix, as a short term measure to address the issue and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution. All schools will have the new version, including the long-term fix, installed in time for the new school term.’
Despite the bravado, however, no evidence has surfaced that Impero have made any progress whatsoever at fixing the exploit that Clark published. For now, then, a school surveillance system designed to make databases on children by using ‘keyword detection libraries based on bullying, homophobia, grooming and sexting, suicide, eating disorders and self-harm, violence and weapons and radicalization’ can still be penetrated by any hacker, anywhere.