Incident: Security Settings Bypassed: iPads Used for Games in LA Schools

Published Date: 2013-10-05

Postmortem Analysis
Timeline:
1. The software failure incident where students decoded security settings and used iPads to play games happened in August 2013 [22640].
System:
1. Security settings of the school-supplied iPads [22640]
Responsible Organization:
1. Students who decoded the security settings and bypassed the devices' security measures [22640]
Impacted Organization:
1. Students in the Los Angeles Unified School District were impacted by the software failure incident as they were able to decode the security settings on the iPads provided by the school system, allowing them to access unauthorized websites and apps [22640].
Software Causes:
1. Weak security settings on the school-supplied iPads allowed students to easily bypass them and access unauthorized websites and apps like Facebook, YouTube, and games [22640].
2. Lack of planning and preparation in terms of implementing a robust security strategy and educating students on responsible iPad usage before distributing the devices [22640].
3. Inadequate software support for English-as-a-second-language students, highlighting a deficiency in the educational software provided on the iPads [22640].
Non-software Causes:
1. Lack of proper planning and preparation before distributing the iPads to students, including inadequate security measures and insufficient training on responsible use of the devices [22640].
Impacts:
1. Students were able to alter the security settings on the school-supplied iPads to access unauthorized websites and apps, such as Facebook, YouTube, and Pandora, leading to distractions and misuse of the devices [22640].
2. The incident raised concerns among critics and supporters about the lack of planning and preparation in the distribution of iPads to students, questioning the effectiveness of the program [22640].
3. The security breach resulted in the confiscation of tampered iPads and a freeze on using them off-campus until security settings were improved, causing disruptions in the implementation of the program [22640].
4. There was confusion and debate over who would be responsible for the cost of broken, lost, or stolen iPads, creating uncertainty and potential financial burdens for families and schools [22640].
5. The incident highlighted the lack of adequate educational software to support English-as-a-second-language students, raising concerns about the effectiveness of the educational programs on the iPads for diverse student populations [22640].
Preventions:
1. Proper planning and preparation before the rollout of the iPad distribution program could have prevented the software failure incident. This includes thorough testing of security settings and potential vulnerabilities [22640].
2. Extensive training and education for students on the responsible use of iPads and the importance of adhering to security measures could have helped prevent the incident [22640].
3. Implementing a more robust firewall system that is not easily breached could have enhanced the security of the iPads and prevented unauthorized access to websites and apps [22640].
Fixes:
1. Implement a more robust security system on the iPads to prevent students from easily bypassing security settings and accessing unauthorized websites and apps [22640].
2. Conduct thorough planning and preparation before distributing the iPads to students, including educating students on responsible iPad usage and ensuring the installation of a firewall that is not easily breached [22640].
3. Address concerns about the educational software on the iPads, particularly ensuring adequate support for English-as-a-second-language students to enhance the educational value of the devices [22640].
4. Clarify and establish clear policies regarding the responsibility for damaged, lost, or stolen iPads to avoid confusion among families and ensure accountability for the devices [22640].
References:
1. Students at Roosevelt High School [22640]
2. Renee Hobbs, director of the Harrington School of Communication and Media at the University of Rhode Island [22640]
3. Carlos Espinoza and Maria Aguilera, students at Roosevelt High School [22640]
4. Scott Folsom, a parent representative to the district's bond oversight committee [22640]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | unknown | Article [22640] does not provide information about the software failure incident happening again at the same organization or at multiple organizations. Therefore, the answer to this question is 'unknown'.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the LA school system distributing free iPads to students can be attributed to design factors introduced during the system development phase. The incident occurred because the security settings on the iPads were not robust enough to prevent students from easily bypassing them to access unauthorized websites and apps like Facebook, YouTube, and games [22640]. (b) Additionally, the software failure incident can also be linked to operation factors introduced by the misuse of the system. Students were able to manipulate the iPads by deleting the established profiles and setting up their own Internet connections to access social media and games, highlighting operational weaknesses in how the devices were being used [22640].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in the LA school system involving the free iPads for students was primarily due to contributing factors that originated from within the system. The incident occurred because nearly 300 students were able to alter the school-supplied iPads' security settings to access unauthorized websites and apps like Facebook, YouTube, and games [22640]. The weak security setup implemented by the school district allowed students to easily bypass the security measures by deleting the established profile and setting up an Internet connection on the iPads [22640]. This internal vulnerability within the system led to the failure of the intended educational use of the iPads and raised concerns about the lack of planning and security measures in place [22640].
Nature (Human/Non-human) | human_actions | (a) The software failure incident in this case was primarily due to human actions. Students were able to decode the security settings of the iPads provided by the school district, allowing them to access unauthorized websites and apps, such as Facebook, YouTube, and games like Temple Run and Subway Surfing [22640]. The incident highlighted the lack of proper planning and security measures in the distribution of iPads to students, leading to the breach of security settings without any direct non-human actions contributing to the failure.
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident related to hardware can be seen in the article where it mentions that students were able to alter the school-supplied iPad's security settings to access unauthorized websites and apps like Facebook, YouTube, and Pandora. This indicates a failure in the hardware's security measures [22640]. (b) The software failure incident related to software can be observed in the same article where it describes how students were able to bypass the security settings by accessing the tablet's settings, deleting the profile established by the school district, and setting up an Internet connection. This indicates a failure in the software's security implementation [22640].
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident in the LA school system involving the free iPads for students was non-malicious. The incident occurred when nearly 300 students were able to alter the school-supplied iPad's security settings to access unauthorized websites and apps, such as Facebook, YouTube, and games like Temple Run and Subway Surfing [22640]. The students found it easy to bypass the security measures by deleting the profile established by the school district and setting up an Internet connection, indicating a lack of robust security measures rather than a malicious intent to harm the system.
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident related to the distribution of iPads to students in the Los Angeles Unified School District can be attributed to poor decisions made by education officials. The incident occurred when more than 300 students were able to alter the security settings on the school-supplied iPads to access unauthorized websites and apps, such as Facebook, YouTube, and games [22640]. This failure highlights the lack of proper planning and oversight in implementing the program, as students were able to easily bypass the security measures put in place by the district. Additionally, concerns were raised about the lack of adequate software to support English-as-a-second-language students, indicating a lack of thorough consideration in the planning process [22640].
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident in the LA school system with the free iPads for students can be attributed to development incompetence. The incident occurred because nearly 300 students were able to alter the school-supplied iPads' security settings to access unauthorized websites and apps like Facebook, YouTube, and games [22640]. This indicates a lack of professional competence in setting up robust security measures on the devices, allowing students to easily bypass them. (b) Additionally, the incident also involved accidental factors, as students were able to exploit the weak security setup accidentally. One student mentioned that accessing the tablet's settings, deleting the profile established by the school district, and setting up an Internet connection was so easy that even the most tech-challenged parent could have done it. This accidental exploitation of the security flaws highlights a combination of development incompetence and accidental factors contributing to the software failure incident [22640].
Duration | temporary | (a) The software failure incident in this case appears to be temporary. The incident involved students altering the security settings of the school-supplied iPads to access unauthorized websites and apps, such as Facebook, YouTube, and games like Temple Run and Subway Surfing [22640]. The district officials quickly confiscated the devices, put a freeze on using them off-campus, and promised to improve the security settings to prevent such unauthorized access in the future. This indicates that the failure was temporary and could be addressed through improved security measures.
Behaviour | crash, omission, value, other | (a) crash: The software failure incident in the LA school system involved a crash where the iPads lost their intended functionality due to students altering the security settings to access unauthorized websites and apps, such as Facebook, YouTube, and games like Temple Run and Subway Surfing. This led to the system not performing its intended functions as expected [22640]. (b) omission: The incident also involved an omission failure where the iPads omitted to perform their intended educational functions, such as solving math problems or doing English homework, as administrators had envisioned. Instead, students used the iPads for unauthorized activities like social media and gaming [22640]. (c) timing: There is no specific mention of a timing-related failure in the articles. (d) value: The software failure incident also included a value failure where the iPads were used incorrectly for non-educational purposes, such as accessing social media and playing games, rather than for their intended educational value [22640]. (e) byzantine: The articles do not mention a byzantine behavior in the software failure incident. (f) other: The software failure incident also involved a security vulnerability where students were able to easily bypass the security settings of the iPads by deleting the established profiles and setting up their own Internet connections. This behavior was not anticipated by the school district and led to unauthorized access and usage of the devices [22640].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving the distribution of iPads to students in the Los Angeles Unified School District resulted in the loss of at least 71 iPads, valued at over $48,000. These iPads went missing as part of a trial run of a $1 billion program aimed at improving education [22640]. Additionally, there were concerns raised about who would bear the cost if a student damaged or lost an iPad, with confusion initially surrounding whether families or schools would be responsible for covering such costs [22640].
Domain | knowledge | The software failure incident reported in the articles is related to the education industry. The Los Angeles Unified School District (LAUSD) had a $1 billion plan to provide iPads to each of their 650,000 students, aiming to improve education by giving equal access to cutting-edge educational software programs [22640]. However, the incident occurred when students were able to bypass the security settings on the iPads provided by the school district. This allowed them to access unauthorized websites and apps, such as social media sites and games, instead of using the devices for educational purposes as intended [22640]. The failure in the security measures and the subsequent misuse of the iPads by students led to concerns about the planning and implementation of the program. It raised questions about the effectiveness of the educational software, the responsibility for damaged or lost iPads, and the lack of adequate support for English-as-a-second-language students [22640]. In summary, the software failure incident in this case directly impacted the education industry, specifically the efforts to enhance educational opportunities for students through the use of technology.
