The cybersecurity firm McAfee announced Monday that its researchers recently found four “critical” vulnerabilities in Netop Vision Pro, a popular brand of classroom management software used to manage online classes in K-12 schools, that if left unpatched, could allow hackers to steal user credentials, install ransomware on school IT and even take control of students’ and teachers’ webcams.
Vision Pro is used by teachers to share the contents of their screens to remote students, as well as to view students’ screens and push URLs and other content to students. The program is used by about 3 million teachers and students globally, spread across more than 9,000 school systems. But the vulnerabilities McAfee found could allow malicious actors to use those capabilities to plant malware or spy on users.
Members of McAfee’s Advanced Threat Research Group tested the Netop program by creating a simulated virtual classroom, with one computer acting as the teacher’s station and three student devices. One of the first things the researchers noticed was that teacher and student user profiles carried different permission levels. They also quickly spotted that all network traffic between the teacher and students was being sent in unencrypted packets — including screenshots of students’ screens being sent to the teacher — with no option to turn on encryption.
“With this information, the team was able to disguise themselves as a teacher by modifying their code,” the McAfee researchers wrote.
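The weakness described above is that the network traffic carried nothing a student client could use to check who actually sent a message, so a self-declared "teacher" role was taken at face value. The following is an added illustration written for this article, not McAfee's test code and not Netop's protocol: it uses a constructed, hypothetical JSON message format and compares a client that trusts a plaintext role field with one that verifies an HMAC tag keyed with a secret shared only between the teacher's station and that student (assumed to be provisioned out of band at enrolment).

```python
import hashlib
import hmac
import json
import secrets

# Constructed, hypothetical message format used only for illustration; it is
# not Netop's real protocol and nothing here is taken from the product.


def make_unauthenticated_message(role: str, action: str, payload: str) -> bytes:
    """A plaintext message with a self-declared role, like the unencrypted,
    unauthenticated traffic the report describes. Nothing ties 'role' to
    the host that actually sent the packet."""
    return json.dumps({"role": role, "action": action, "payload": payload}).encode()


def accept_unauthenticated(raw: bytes) -> bool:
    """A student client that trusts the role field exactly as sent."""
    return json.loads(raw)["role"] == "teacher"


def make_authenticated_message(key: bytes, role: str, action: str, payload: str) -> bytes:
    """Hardened variant: a MAC over the whole message, keyed with a secret that
    only the teacher's station and this particular student share (assumed to be
    provisioned at enrolment, out of band). Without the key a sender cannot
    produce a valid tag, and any change to the body in transit breaks it."""
    body = json.dumps({"role": role, "action": action, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def accept_authenticated(key: bytes, raw: bytes) -> bool:
    """Verify the tag before acting on anything inside the body."""
    outer = json.loads(raw)
    expected = hmac.new(key, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        return False  # unknown sender or tampered message
    return json.loads(outer["body"])["role"] == "teacher"


def demo() -> dict:
    """Compare how the two student clients treat three constructed messages."""
    teacher_key = secrets.token_bytes(32)   # shared by the teacher station and this student
    stranger_key = secrets.token_bytes(32)  # some other host on the same network, never enrolled

    genuine = make_authenticated_message(
        teacher_key, "teacher", "open_url", "https://school.example/lesson")
    stranger = make_authenticated_message(
        stranger_key, "teacher", "open_url", "https://bad.example")
    # Same tag as the genuine message, but the payload was edited after the tag was computed.
    tampered = json.loads(genuine)
    tampered["body"] = tampered["body"].replace("school.example/lesson", "bad.example")
    tampered = json.dumps(tampered).encode()

    return {
        # The unauthenticated client obeys anything that claims to be the teacher.
        "plaintext_obeys_any_role_claim": accept_unauthenticated(
            make_unauthenticated_message("teacher", "open_url", "https://bad.example")),
        "mac_accepts_genuine": accept_authenticated(teacher_key, genuine),
        "mac_rejects_stranger": accept_authenticated(teacher_key, stranger),
        "mac_rejects_tampered": accept_authenticated(teacher_key, tampered),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

A MAC only answers "did the teacher's station send this, unmodified?"; it does not hide the contents, so the screenshots the report mentions would still be readable on the wire. Confidentiality needs encryption as well, which is why the fix Netop is reported to be working on covers all traffic rather than just credentials.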
The McAfee research also revealed that Vision Pro’s chat function could be manipulated to deploy malware. The chat function allows teachers to send messages or files to students’ computers, which are stored in what the program calls a “work directory.” That authority, combined with unauthorized users masking themselves as teachers, leaves students highly vulnerable to falling for malicious files, the research reads.
“Based on the team’s discovery that a hacker could disguise themselves as a teacher, it became clear that hackers could also use this functionality to overwrite existing files or entice an unsuspecting student to click on a malicious file,” it states.
That type of attack, the McAfee report warns, could be used to steal information from an individual student or install malware that spreads to an entire school network. Similarly, it could give hackers the ability to switch on webcams and microphones, “allowing them to physically observe your child and their surrounding environment,” it reads.
McAfee says it notified Netop of these vulnerabilities on Dec. 11, and that the company was quick to respond, releasing an updated version of Vision Pro in February. The new version addresses several of the flaws, including adding encryption to Windows credentials that were formerly plaintext, and removing students’ ability to overwrite system files, reducing the chances that a hacker posing as a teacher could entice a student to open a malicious link.
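The second part of that fix, stopping file deliveries from overwriting anything outside the student's work directory, is a least-privilege rule that any file-drop feature should enforce. The example below is added here for illustration and is not Netop's code; the function name, the error type and the directory layout are assumptions. It confines every delivered file to the work directory, refuses names that contain path separators, and creates the file with `O_EXCL` so an existing file is never replaced, even if one appears between the check and the write.

```python
import os
import tempfile
from pathlib import Path

# Constructed example; deliver_file, FileDropError and the directory layout are
# assumptions for illustration, not Netop's actual implementation.


class FileDropError(Exception):
    """Raised when a delivered file would land outside the work directory
    or would replace a file that already exists."""


def deliver_file(work_dir: Path, name: str, data: bytes) -> Path:
    """Write a file sent by the teacher into the student's work directory and nowhere else.

    - only a bare file name is accepted: no separators, no '.', no '..'
    - the resolved destination must sit directly inside work_dir
    - the file is created with O_CREAT | O_EXCL, so an existing file (or a
      symlink planted at that name) is never overwritten or followed
    """
    work_dir = work_dir.resolve()
    if not name or name in {".", ".."} or "/" in name or "\\" in name or "\0" in name:
        raise FileDropError(f"invalid file name: {name!r}")
    dest = (work_dir / name).resolve()
    if dest.parent != work_dir:
        raise FileDropError(f"destination escapes work directory: {dest}")
    try:
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        raise FileDropError(f"refusing to overwrite existing file: {dest}") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Exercise the rules against a temporary work directory that already holds one file."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"
        work.mkdir()
        (work / "existing.txt").write_bytes(b"keep me")

        results = {}
        results["new_file_ok"] = deliver_file(work, "lesson.pdf", b"%PDF-1.4 ...").name == "lesson.pdf"
        # Constructed names a defender would expect the rule to reject.
        for label, bad_name in [("traversal", "../escape.txt"),
                                ("absolute", "/etc/hosts"),
                                ("overwrite", "existing.txt")]:
            try:
                deliver_file(work, bad_name, b"x")
                results[label] = "written"
            except FileDropError:
                results[label] = "rejected"
        results["existing_intact"] = (work / "existing.txt").read_bytes() == b"keep me"
        results["escaped_file_absent"] = not (Path(tmp) / "escape.txt").exists()
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Rejecting any name with a separator is stricter than stripping the directory part off, and that is deliberate: a silently "cleaned" name hides the fact that a sender tried to write somewhere else, whereas an error can be logged and investigated.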
While the credentials are now encrypted, communications between students and teachers are still exposed, McAfee reported, though Netop told researchers it is working on future updates that will protect all traffic, including students’ screenshots.