MOE Responds to Reddit Post About Potential Vulnerability in Mobile Guardian Before Hack

This week, students were all talking about only one thing: Mobile Guardian.

No, it’s not a new mobile game.

Since 2022, students in Singapore have been using tablets and laptops, called “Personal Learning Devices” (PLD), to aid in their studies.

There are limitations on what you can do with them.

But how can the school limit your device access? This comes down to Device Management Applications (DMA), and here is where Mobile Guardian comes in.

Mobile Guardian is a company that provides the DMA on these MOE learning devices, specifically for iPads and Chromebooks, allowing both schools and parents to manage device use.

On 4 August 2024, Mobile Guardian was hacked, and in Singapore, 13,000 students in 26 secondary schools had their devices remotely wiped.

On 5 August, MOE announced that the Mobile Guardian DMA would be removed from all iPads and Chromebooks.

MOE is now working to fix all the issues by 16 August.

However, if you’ve been on Reddit, you might have come across a thread in which a user claimed that there had been a potential vulnerability in the app even before the hack took place.

On Singapore’s birthday, MOE responded.

MOE Responds to Reddit Post About Potential Vulnerability in Mobile Guardian Before Hack

On Reddit, a user called Hopeful_Chocolate080 claimed to have alerted MOE about an “impending cyber-security attack” on the Mobile Guardian app.

In the post, the user claimed to have “alerted MOE of an impending cybersecurity attack on Mobile Guardian two months ago”, and went on to describe, in 11 steps, how to gain access to Mobile Guardian’s administration portal.

The user also mentioned sending multiple emails to both MOE and Mobile Guardian regarding the vulnerabilities he had found in the app. He also provided transcripts of his email exchanges with both parties, detailing concerns about “improper access control” that could potentially allow unauthorized access and modification of all data within the Mobile Guardian system.

According to the user, MOE responded six days later, indicating they would “reassess their cyber-security posture,” and 19 days after the initial report, the ministry confirmed that the vulnerability had been addressed and was “no longer a concern.”

MOE confirmed on 9 August that it had investigated a report made by a member of the public regarding a potential vulnerability in the Mobile Guardian application.

The report, submitted on 30 May, was promptly looked into by the ministry.

According to The Straits Times, MOE said that a member of the public had reported a potential vulnerability in the Mobile Guardian application to the Ministry of Education on 30 May. The ministry immediately investigated the report and found that the vulnerability had been picked up as part of an earlier security screening and had already been patched.

MOE gave the assurance that the reported exploit was no longer viable following the patch. An exploit refers to a program or code that takes advantage of a vulnerability in an application or system. Think of the vulnerability as an unlocked back door in a house, and the exploit as the way someone gets in through it.

MOE also stated on 9 August that, following the public report, an independent certified penetration tester conducted an additional assessment in June, which revealed no such vulnerability.

The public is encouraged to report any concerns about IT service weaknesses through GovTech’s Vulnerability Disclosure portal.