The Internet of Things (IoTs) devices have managed to transport educational classrooms into the 21st century with tools like interactive smart boards, tablets, and, yes, all those Chromebooks. However, this revolution has come at a cost. The start of 2023 saw a 41% rise in the average number of weekly cyberattacks targeting IoT devices compared to 2022. And 2024 is already proving to be rough for schools. At least four districts have reported data breaches already this year, while others are still recovering from attacks over the holidays.
The education and research sector, in particular, is facing an unprecedented surge in attacks targeting IoT devices, with 131 weekly attacks per organization - more than twice the global average and a staggering 34% increase from the previous year.
One of the big drivers in this jump is the rise in remote learning, which naturally necessitates more IoT devices, making schools prime targets. With many schools constrained by restricted budgets and tight labor markets, cybersecurity is unlikely to be a priority in many districts.
The surge of IoT devices in modern classrooms
No longer confined to dusty textbooks and static blackboards, education is experiencing a revolutionary metamorphosis. Gartner predicts that the number of IoT devices in educational settings will reach 2.5 billion by 2025.
Typical IoT devices found in schools include laptops, tablets, lighting, heating, ventilation and air condition (HVAC) systems, security cameras and locks, printers and copiers, smart boards, and interactive displays. It's easy to understand the widespread adoption of IoT devices in schools due to the benefits they create for enhanced learning experiences. For example:
- Smart building systems such as automated lighting and HVAC systems optimize energy usage, reducing costs and creating a comfortable learning environment.
- Smart boards and tablets enable interactive activities, tailored learning paths, and real-time feedback, keeping students engaged and motivated.
- IoT-powered security systems, like cameras, deter crime, monitor suspicious activity, and ensure authorized access to school premises.
- Emergency response systems, such as connected sensors and alarms, can quickly alert authorities and initiate emergency protocols in case of fires, injuries, or other incidents.
However, this widespread adoption and a lack of strong IoT cybersecurity measures have led to schools becoming key targets for hackers.
The dangers of unsecured IoTs in schools
For many hackers, attacking schools is seen as a low-risk, high-reward proposition. This is especially true since most schools spend less than 8% of their IT budget on cybersecurity, with one in five schools spending less than 1%. The potential gains from obtaining sensitive data or causing disruption can be significant, while the chances of getting caught are often relatively low.
Schools hold a wealth of valuable personal information about students, staff, and parents, including names, addresses, social security numbers, financial aid information, and medical records. This data is exactly what criminals are looking for and can be used for identity theft, financial fraud, blackmail, or even sold on the dark web.
But how do hackers get access to the school's IoT devices? Unfortunately, it's easier than you think. Even in 2024, one of the main ways hackers gain access is through weak passwords and default credentials. Users often still stick to factory-set passwords or predictable combinations, offering hackers an easy entry point. Failure to change default credentials exposes devices to automated brute-force and dictionary attacks that systematically guess passwords.
Next up is unsecured network connections. Did you know that using outdated Wi-Fi protocols like Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) with weak encryption is like leaving your door unlocked? Hackers can easily intercept data transmitted over such networks, including login credentials and sensitive information.
Phishing attacks are also a common way to hack into IoT devices, which include deceptive emails and messages that lure users into clicking links or downloading infected files. Once installed, such malware can take control of the device and grant hackers access to the network or other connected devices. And finally, Distributed Denial-of-Service (DDoS) Attacks allow hackers to infect numerous vulnerable devices with malware through botnets. This enables them to launch orchestrated DDoS attacks that flood the device or network with overwhelming traffic, rendering it inaccessible or unusable.
In 2017, an unnamed US university experienced a DDoS attack on its IoT devices, 5,000 campus vending machines and lights, to be exact, were infected with a botnet that was spreading from device to device using brute force attacks. The attack was eventually flushed out by university developers who wrote a new script allowing them to remove the infection.
With increased connectivity comes a new vulnerability: the potential for hackers to manipulate IoT devices and disrupt school operations. Take climate control, for instance, by hacking into a school's HVAC system, a hacker could gain control of the school's smart thermostat system, changing the temperature and making it impossible for students and staff to concentrate or even stay in the building. This could lead to school closures, canceled classes, and even health risks for vulnerable individuals. Moreover, some classroom devices, such as security cameras or microphones in smart speakers, could be hacked to eavesdrop on conversations or record video footage—causing a severe privacy violation.
Safeguarding schools with IoT device security best practices
IoT cyberattacks may be on the rise, but that doesn't mean schools cannot adopt successful strategies to counteract these attacks.
Although some schools may be unable to increase their cybersecurity spending due to budget constraints, they can still strengthen their defenses by securing devices and networks. IoT devices also need regular software updates, allowing for prompt patching of vulnerabilities. It’s also very important to segment school networks to isolate critical systems from vulnerable devices. Should an attack take place, the most critical and sensitive data could be further protected.
Additionally, cybersecurity awareness and training should become a topic taught to students, staff, and administrators. Some specific issues to be covered in training programs could include identifying phishing attempts and password best practices. Teachers and students should be taught the importance of using strong passwords for all IoT devices. Schools could even set periodic dates to change passwords, for example, every semester. These training programs could be completed by internal staff members with the most experience, or if budgets allow, professionals could be brought in to provide a more comprehensive cybersecurity program.
If schools can afford to increase their cybersecurity budget, then investing in an automated data security and student safety monitoring platform is an extra layer of protection. These platforms can scan online workspaces and applications to constantly monitor for malware, phishing schemes, compromised accounts, and abnormal behavior to help prevent attacks on school IT systems, and thus IoT devices.
Wrapping up
The escalating cybersecurity risks associated with IoTs demand vigilant measures to safeguard sensitive data and ensure uninterrupted school operations. By embracing a proactive and comprehensive approach to IoT security, schools can harness the transformative power of these technologies while fortifying their digital infrastructure against potential threats. Balancing innovation with security is not just a necessity. It's a commitment to creating a safe and resilient educational ecosystem for future generations.
