Mobile Guardian breach: Protocols in place but more could have been done to investigate processes, say experts

SINGAPORE: Although there are processes in place to screen and test third-party software, government agencies could have investigated Mobile Guardian’s standards more thoroughly, cybersecurity experts said. 
The Ministry of Education had announced earlier this week that Mobile Guardian would be removed from all students’ personal learning devices after a global cybersecurity breach affected about 13,000 secondary school students from 26 secondary schools in Singapore. 
The students had their devices wiped remotely by the perpetrator, and many were worried about losing access to their notes with the exams looming. 
In an earlier incident in April, the personal information of parents and staff from 127 schools was accessed through Mobile Guardian in a data security breach. 
Mobile Guardian is a device management app that enables parents to manage students’ device usage by restricting applications or websites and screen time. 
As a mobile device management solution, its main purpose is to control and manage mobile devices remotely. It assumes “full control” over the devices and there is a high level of trust towards the software and the server that is used to manage the clients, said Mr Kevin Reed, chief information security officer of cybersecurity firm Acronis. 
Since the server is located online, this creates an attack opportunity on devices that are managed through the online service, he added. 
“This is a question of supply chain security and vendor management. Apparently, GovTech or MOE underestimated the risk of the system and did not ensure that the controls that were put in place by Mobile Guardian were appropriate,” said Mr Reed. 
Conducting regular penetration tests and assessing the results, and ensuring that the vendor practises “security by design” and “secure by default” principles can reduce the risks associated with the product, he added.
In an update on Wednesday (Aug 7), Mobile Guardian apologised for the inconvenience caused by the incident. It also clarified that the perpetrator attempted to unenroll both iOS devices and ChromeOS devices, but were successful with only “a limited number” of iOS devices. 
It had said in its initial incident report that both iOS and ChromeOS devices were accessed by the perpetrator. 
Cybersecurity experts CNA spoke to said that the updated statement did not shed much light on the root cause of the issue. 
Based on Mobile Guardian’s explanation, experts said that it was likely that the unauthorised party gained access to its platform, to which the students’ devices are registered, or enrolled. From there, the perpetrator successfully unenrolled some iOS devices and gained control over them, allowing them to remotely wipe the devices. 
The ChromeOS devices were unaffected even though the perpetrator tried to unenroll them from the platform, experts noted. 
“This was probably due to Enterprise ChromeOS devices typically having more stringent and centralised management controls, making unauthorised unenrollment more difficult,” said Mr Reuben Koh, director of security technology and strategy at Akamai Technologies. 
Earlier this week, an individual on Reddit claimed that they had previously informed MOE about Mobile Guardian’s security vulnerabilities, uploading screenshots of email threads starting from May 30. 
The screenshots also show MOE’s Information Technology Division’s replies to the emails. On Jun 6, the ministry said it had taken up the issue with Mobile Guardian and was reassessing its “cybersecurity posture”. 
Weeks later on Jun 25, the ministry said that it had reviewed the individual’s vulnerability report and “confirmed that it is no longer a concern”. 
Assuming that the feedback from users to MOE had been shared with GovTech and the Cybersecurity Agency of Singapore (CSA), the “ideal course of action” would be to conduct a thorough investigation into the vendor’s security standards and processes, said Ms Camellia Chan, CEO of cybersecurity firm Flexxon. 
“Especially since specific concerns about weak access controls had been highlighted, these are issues that can be remedied if the necessary action is taken. At the same time, users could also have been warned to take extra precautions with their accounts,” she added. 
Such attacks can usually be attributed to hackers exploiting software bugs that circumvent protection mechanisms, said adversary intelligence research lead at Group-IB He Feixiang. 
They could also be caused by improper access control configurations that allow unauthorised access to the administration controls, or stolen login credentials that give hackers access to the administrator or end users’ accounts, he added. 
Group-IB, a cybersecurity firm, has identified the sale of more than 300 account credentials related to Mobile Guardian, of which 70 account credentials were put up for sale on the dark web in 2024, said Mr He. 
Experts stressed that government agencies likely did perform the necessary due diligence before deciding to sign a contract with Mobile Guardian. 
Mobile Guardian has ISO27001, which is the cybersecurity “gold standard certification” for organisations, and SOC-2 Type 2, a common certification to validate data security controls for the organisation, highlighted founder of cybersecurity training firm Practical Cyber Ethan Seow. 
These two certifications are commonly used as a benchmark for governments and multi-national corporations to assess the security of a service provider and vendors, he noted. 
Since Mobile Guardian has both of those certifications, it is “clear” that MOE had followed the requirements that are reasonable and expected of such a project, said Mr Seow. 
If GovTech and CSA are involved in different ministries’ and agencies’ tenders, it may take too much resources to maintain an open tender process as they would have to conduct independent tests of every product, which is “nearly impossible”, he added.
Considering that this is not the first time that Mobile Guardian has been breached this year, it is a “worrying sign” for an organisation that has both of those certifications, said Mr Seow. 
Making the final decision to halt all usage of the app is the right move considering what happened, he added. 
When organisations sign contracts with these service providers, they typically have to go through very thorough protocols and analyses of their security functions, said director of Infinity Forensics Ali Fazeli. 
But in many cases, the provider will continue to add features and update the system. If the users are “not that strict” when it comes to implementing these changes and updates, these could give rise to vulnerabilities, he added. 
“They do have very good procedures to check whether everything is secure, however, software is quite complex. Even though you go through the best source code analysis … there is always a part of the system that analysts cannot identify as a threat,” said Mr Fazeli. 
Hackers typically use these “unknown vulnerabilities” to gain access to the system, he added. 
This incident underscored the risks associated with third-party digital solutions being more tightly integrated into critical sectors like education, said Akamai Technologies’ Mr Koh. 
Service providers like Mobile Guardian are increasingly becoming targets for cyber attacks because they serve a large number of clients globally, significantly increasing the volume of victims, he added. 
Experts agreed that online learning is here to stay, and students, teachers and parents should practise digital hygiene to lessen the disruptions caused by similar incidents. 
As schools integrate devices like iPads and tablets, they become more essential for learning, said Mr Koh. 
“Problems arise when these devices are suddenly made unavailable for use and when combined with a lack of adequate backup or recovery systems and contingency plans,” he added. 
“It has the potential to cause widespread disruption like the one we are observing now.” 
Device management platforms like Mobile Guardian can perform powerful functions like remotely wiping devices – when abused, this can be very disruptive to learning, said Mr Koh. 
Schools need robust backup and recovery procedures to quickly restore students’ work and applications, as well as clear and concise response plans to deal with such disruptions, he added. 
This incident has highlighted that establishing a business continuity plan is important, said Mr Terence Siau, general manager of the Centre For Strategic Cyberspace and International Studies in Singapore. 
“Sad to say, we won’t be able to avoid (disruptions and incidents) 100 per cent if we really want to go to a digital world,” he continued, noting that technology will always come with vulnerabilities. 
“We’re definitely dependent on a digital world, so … more planning in terms of business continuity, backing up is important.” 
To minimise disruption if similar incidents occur again, schools can establish more comprehensive contingency plans that include alternative learning methods and platforms, said Flexxon’s Ms Chan. 
They should also implement robust backup systems to ensure data is securely stored and readily accessible even if primary systems are compromised, she added. 
For example, schools can consider saving the materials in multiple locations – in on-site work servers, in the cloud and on hardcopy, she added. 
Students who save their notes and homework on a shared home computer can also consider saving them on an external storage device and a cloud-based system provided by the school. They can also keep a folder of hardcopy notes in case any of these fail. 
Schools can also consider a two-tiered data backup policy, conducting a full back-up every three months or less, and incremental backups – updating your backup every time new changes are made,” Ms Chan said. 
“It is important to note that these are labour-intensive and difficult to enforce at all times. But even so, it helps mitigate a complete loss of records in an incident such as this.”