iPad Security: Students At LA Highschool Easily Hack School-Issued iPads.

The Los Angeles Unified School District (LAUSD) has decided to temporarily pause the handing out of school-issued iPads to students, one week after the program started.  The cause of the interruption: 300 or so students who managed to bypass the iPad security measures  implemented on the devices.

While one TV network is painting this as an instance of “kids know more about computers than adults,” to these eyes and ears it appears as an instance of “LAUSD didn’t spend as much money on security as they did on the iPads”.

Delete the Personal Profile Information and You’re Golden

The issuance of iPads to all students in LAUSD was, and still is, controversial.  However, the one that must have hit home to educators is the criticism that students would use the devices for non-school, non-educational activities.

Thankfully, software for controlling such things exists for the iPad.  However, not all device management and security software are created the same.  Based on what’s been covered, it sounds like LAUSD decided to use one that wasn’t carefully thought out (my emphasis):

Students began to tinker with the security lock on the tablets because “they took them home and they can’t do anything with them,” said Roosevelt senior Alfredo Garcia.

Roosevelt students matter-of-factly explained their technique Tuesday outside school. The trick, they said, was to delete their personal profile information. With the profile deleted, a student was free to surf. [latimes.com]

Security software that can’t protect itself?  It’s a nice twist on quis cutodiet ipsos custodes.

Such security software is less than useless.  At its most fundamental roots, not only does the security require people behaving themselves – which, if true, means that you might as well not have the security software to begin with – it comes with a price tag, for a double-whammy.

LAUSD should have opted for software that incorporates a method where the security software cannot be uninstalled or modified by the enduser, such as AlertBoot MDM.

Big, Prevalent Problem

In LAUSD’s defense, the problem of security software that can be overridden by the enduser is something of a pervasive problem.  When clients contact us about full disk encryption or MDM for smartphones and tablets, one of the most frequently asked questions is whether the enduser can uninstall AlertBoot.

The answer is “no.”  A more nuanced answer is, “only if the enduser figures out the administrator’s login credentials.”

Considering that we’re talking about a school environment, however, and that the endusers happen to be students, the nuanced answer really shouldn’t come to fruition.

Related Articles and Sites:


Comments (0)

Let us know what you think