Reddit post claims MOE warned of Mobile Guardian vulnerability 2 months before hack

SINGAPORE: Following a recent hack of the Ministry of Education (MOE)’s Mobile Guardian app, which affected 13,000 students, a Redditor revealed on social media that he had emailed MOE about potential security vulnerabilities as early as two months ago.

In a Reddit post dated August 5, the user shared the content of the email, noting his long-standing awareness of the app’s security issues and the potential consequences.

“So many emails to Mobile Guardian and MOE later, it is disappointing for me to find out that everything I did was for nothing. It still took MOE an actual cybersecurity breach to learn their lesson,” the user wrote.

The user expressed a desire to raise awareness about the issue by sharing his correspondence with MOE.

“Hopefully, this will allow us to take similar incidents more seriously in future.”

Gutzy has reached out to MOE and Mr Chan Chun Sing, Minister of Education for their response regarding this claim and will include their response if received.

Redditor alerts critical vulnerability in the Mobile Guardian App

In the email shared by Reddit user “Hopeful_Chocolate080,” the Redditor described a critical vulnerability in the Mobile Guardian app, which was sent to MOE in late May.

The email highlighted that the vulnerability involved improper access control, allowing unauthorized read and modification of all data within the Mobile Guardian system. The Redditor noted that this flaw could be exploited in under three minutes.

The Redditor suspected that this portal was Mobile Guardian’s internal management system, which, contrary to the information published by MOE, provided full read-and-write access to all schools and users.

This included the ability to impersonate users, meaning an attacker could perform any action that school admins could, such as resetting personal learning devices.

The Redditor emphasized that this was a trivial vulnerability, likely indicative of other similar issues.

The email urged MOE to reconsider Mobile Guardian as a vendor for DMA services, questioning the security and management of sensitive data by foreign companies under contractual obligations.

In an email dated 6 June, the Redditor received a brief reply from MOE, stating that they had raised the issue with Mobile Guardian and were reassessing their cybersecurity posture.

About three weeks later, the Redditor had to write to MOE again to request an update. In their response, MOE stated that they had reviewed the vulnerability report and “confirmed that it is no longer a concern.”

“However, we take data protection seriously and appreciate all vulnerability disclosures. ”

“Due to commercial sensitivity, we are unable to share information about our future engagements with Mobile Guardian. We appreciate your understanding. ”

Recently, following the loss of internet access issue involving the Mobile Guardian app, the Redditor sent another email to the MOE Minister.

The Redditor reiterated his belief that Mobile Guardian should be removed immediately to prevent further damage, even if no replacement is available at present.

The Redditor expressed pessimism about the situation, noting that he had not yet received a reply from MOE and doubted his efforts contributed to the app’s removal.

He also voiced disappointment over the cybersecurity breach on 4 August, criticizing it as a demonstration of Singapore’s digital defence failure.

“It is ridiculous how so many students on the ground knew about the vulnerability and tried to alert the authorities, but nobody took it seriously.”

“I cannot help but to be reminded of the attempted assassination of Donald Trump — there is just so much similarity between the two incidents. We have got to do much better than this, Singapore.”

I alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago
byu/Hopeful_Chocolate080 inSGExams

MOE awarded tender to Mobile Guardian in 2020

Developed by a South African firm, Mobile Guardian, a device management app (DMA), restricts users’ access to apps and websites on smartphones, tablets, and laptops.

In 2020, MOE awarded a tender to Mobile Guardian, which holds the ISO27001 certification, an international standard for information security management systems.

In April, a data leak exposed the names and email addresses of parents and teachers from several Singaporean schools.

Following the breach, MOE pledged to collaborate with cybersecurity experts to prevent future incidents.

However, the recent breach has sparked concerns about the effectiveness of these measures and the continued vulnerability of students’ personal learning devices.

Minister for Education Chan Chun Sing addressed Parliament, stating, “Mobile Guardian assessed that the compromised support account was primarily due to poor password management practices, not the result of an unauthorized individual exploiting vulnerabilities in their systems.”

Mr Chan emphasized MOE’s serious view of the incident, noting that IT service providers are contractually obligated to protect personal data.

“MOE has registered our deep dissatisfaction with Mobile Guardian over this incident. ”

“We have asked them to appoint a forensic investigator to evaluate their systems and processes and provide recommendations to prevent recurrence. Investigations are ongoing, and appropriate actions will be taken should there be breaches of contractual obligations,” he stated in May.

Despite Mr Chan’s assurances, the recent hack of Mobile Guardian raises questions about the pledges made by him and the ministry.

This is particularly concerning in light of claims made by the Reddit user, who alleged that MOE was warned about vulnerabilities in the app months before the current hack.