Student hacker shows holes in K-12 cybersecurity

Jennifer Chambers
The Detroit News

Rochester Hills — It started with a yellow sticky note stuck to a student computer. It ended with a hacked IT system at a Michigan school district and the expulsion of two students.

Jeremy Currier, with his parents Ted and Janet Currier, at their home where he participates in the Oxford virtual academy online high school on a computer that he built in Rochester Hills.

The case of one of those students, Jeremy Currier, a tech-savvy Rochester Hills teen, and the Rochester Community School District highlights the vulnerability many school systems face and the risks some students take despite potentially dire consequences.

Jeremy's troubles began in May when the ninth-grader and another student got caught, suspended and expelled for gaining improper administrative access to the district's IT system.

Jeremy, now 15, admitted on May 8 to two assistant principals that two years ago, while he was a middle school student, he and the other student installed software on the district's computer system that permitted them to access district cameras as well as student and teacher files, according to a letter from the district to Currier's parents. 

"Jeremy also admitted the other student had used district resources to 'mine' for crypto-currency, in an effort to make a profit," Elizabeth David, the district's chief human resources officer, wrote in a letter obtained by The Detroit News. "Jeremy further admitted he had used a student log-in to gain access to the open internet at school and had given the same password to other students."

This week, the district posted a statement on its school website addressing the incident for the first time, recommending — not requiring — that students change their passwords.

"We are living in unprecedented times, and school districts also remain a target for hacking," Superintendent Robert Shaner said in a statement on the district's homepage. "Computer and technology use is a privilege in our schools, and all students are expected to behave responsibly."

He confirmed that "a small number of students abused that privilege," and that school disciplinary sanctions were imposed as police investigate.

Shaner said the district is now "taking the necessary steps to confirm that none of our digital information has been altered, destroyed or transferred."

"At this time, we are confident that our network and data are secure," he said. "However, we strongly encourage students to change their passwords on a regular basis and keep them safe. Staff members are required to change their passwords every 90 days and ensure their security."

The district declined to answer questions on how much profit, if any, the student made using its IT system to mine for cryptocurrency. Cryptocurrency mining, in which people use computing power to verify transactions, can be lucrative, computer experts say. There has been a wave of crypto-mining at colleges across the United States.

The Curriers gave their permission to be identified in this story. The other student involved in the case did not want to be interviewed or identified.

Janet Currier, Jeremy's mother, says it all started when her son found a yellow Post-It note stuck to a student computer in his school's media center. It contained a username and password. He was 12, she said.

Both Jeremy and the other student maintained their access to the district network for three years and did not change grades or disclose personal information, she said. She also says her son did not install software on the district's computer system.

"Without that yellow note, he would never have been able to poke around at the district at all. That was his entry point. They poked around, they looked, they didn’t change grades. They explored," she said.

The teens were able to bypass filters by using the username and password of a former teacher whose account remained open in the district network, Janet and Jeremy say.

The district held disciplinary hearings for both students and expelled them in June. According to a letter to Currier's parents, the district determined that Jeremy violated the district's student code of conduct in electronic tampering.

The Curriers hired an attorney to represent their son at the hearings and appealed the district's disciplinary decision, which was denied. 

In a June 25 letter to Currier's parents, the district said Jeremy's offense was "premeditated, deliberate and on-going" and that he accessed records protected by federal and state law and subjected himself and the district to liability.

"Furthermore, the district incurred significant expense to remedy Jeremy's violation, including: re-assigning a district employee to investigate the depth of Jeremy's penetration into the district's computer systems, purchasing additional software to correct Jeremy's penetration and the time it took all district personnel and students to re-boot their computers after the new software was installed," the letter said.

On May 17, before their son was expelled, a detective with the Oakland County Sheriff's Department appeared at their doorstep with a search warrant for their home. Police seized three hard drives from the house.

An official at the Oakland County Sheriff's Department said the case remains under investigation.

Jeremy, who is now taking high school classes online and is employed as a computer technician at several tech companies, said once he was in the district's system, he felt he could not reverse course.

"You can't go back. You can't say, 'Oh, I will turn myself in now.' I felt trapped," he said.

Jeremy said many students in the school were using the same access to bypass school filters on their own.

"At the beginning, I told them what was wrong with their security measures," Jeremy said of school officials. "I did try to help and say I am willing to do what you want. At the beginning, they took notes on what I was saying."

Both his mother, Janet, and Jeremy said the district should have forced students to change their passwords back in May instead of waiting until October to recommend a change.

Jeremy said he thinks the district knew for a while about the breach but needed to find out who was behind the hack to understand how it happened.

"I wouldn’t do it again. If I did find something that like an open door to passwords, I would tell someone just at the start," he said. "As soon as you try to do something, you are screwed."

Janet Currier says the district bears responsibility for its careless password management practices, and she is upset the district waited so long to inform the school community of the breach and has not required password changes for students.

"When I send my son to school, I want him to be safe (online) in all regards. I don’t think he was safe if he can get in this much trouble this quickly with just a few clicks of a button. The little effort he makes to get into huge trouble means the district isn’t watching out for the safety of our kids," Janet said.

District officials said in the letter that expulsion for Jeremy was the best way to discourage other students from engaging in similar conduct.

"The hearing officer and the panel did not believe a lesser punishment would be sufficient to deter Jeremy and other student from engaging in similar misconduct in the future. Many students enjoy the 'bragging rights' that attach to hacking into an institution's computers," the district stated in the letter.

Jeremy's case isn't isolated. In May, students in Bloomfield Hills schools hacked into the district’s computer system and changed grades, attendance information and balances on lunch accounts.

District officials said that, due to privacy issues, the district cannot disclose student disciplinary actions.

"Also, for legal reasons, we cannot disclose any investigation findings," district spokeswoman Shira Good said.

Police in Bloomfield Township confirmed this week they were investigating the matter and were waiting for more materials from the district. 

Student hacking incidents like the one in Rochester Hills highlight weak K-12 cybersecurity systems, according to Doug Levin, founder of the K-12 Cybersecurity Resource Center.

With the access the Rochester students had, Levin said the teens could have caused irreparable damage to the district's systems.

"He and his friend could have deleted all the data on the school servers, infected it with malware. Taken data out and dumped it. They could have taken data and sold it. Changed their grades. Sent spoof emails from superintendent and staff," Levin said. "In many respects, these kids were quite restrained in what they did, given the access the district left open."

Levin has documented seven incidents in Michigan, including the breaches in Rochester Hills and Bloomfield Hills.

"These incidents are fairly common," Levin said. "They do represent a threat to the private information of students, teachers and staff who've had ID stolen. Districts have been defrauded. Schools have taken over ransomware and had to pay ransom."

According to the search warrant in Jeremy's case, authorities were seeking evidence of the crime of prohibited access to a computer network.

The law in Michigan is broad, covering unauthorized access to a computer program, a computer, computer system or computer network, says Sgt. Jerry DeRosia of the Oakland County Sheriff's Computer Crimes Unit. 

"Even if your neighbor's wireless is open and unprotected and you use it, the law says you can't use someone else's network without their permission," DeRosia said.

The crime of prohibited access to a computer can be charged as a 90-day misdemeanor or a five-year felony, according to state law. Use of a computer program, computer, computer system or computer network to commit a crime is a 20-year felony.

Kevin Hayes, chief information security officer at Merit, an Ann Arbor-based nonprofit that provides network and security services to K-12 districts, colleges and other nonprofits, said school districts simply do not have the financial resources to monitor hacks from students, especially if no data or grade changing is occurring.

"Cybersecurity has lagged behind, and students can figure things out quicker than school officials can," Hayes said.

But Hayes said the expulsion of a K-12 student for such a hacking incident as Jeremy's is a severe response. 

"Districts need to take a measured and knowledgeable approach," Hayes said. "Some (incidents) may be extremely malicious in nature ... or that curious kid double clicked on something that can ultimately hurt them for the rest of their lives."

Jeremy says he would like to go back to the district to play in the high school marching band again. He plays tenor sax. 

His mother says she just wanted the matter to become public.

"I don’t want this to happen to another kid, and it will, if they don’t tighten up their system," she said.