New app to replace Mobile Guardian to roll out in Jan

A new application to manage the use of students’ devices is slated to be rolled out by January 2025, after the Ministry of Education (MOE) terminated the existing Mobile Guardian app in all students’ iPads and Chromebooks.

Education Minister Chan Chun Sing told Parliament on Sept 10 that legal action has been taken against relevant contractors involved in Mobile Guardian’s various incidents in 2024.

He said his ministry is studying options for an alternative device management application (DMA), and will work towards rolling it out by the new school year.

Mr Chan said that about one in six of the 13,000 affected devices lost some data as a result of the cybersecurity breach in August, and less than 5 per cent were unable to recover all their data as their devices had not been backed up.

In response to queries, MOE said that Mobile Guardian’s services were ceased from end August 2024. Mobile Guardian is a DMA that helps parents manage their children’s device use, restricting screen time and access to specific websites and apps.

Mr Chan was speaking in Parliament in response to questions posed by MPs about the recent cybersecurity incidents involving Mobile Guardian, how students have been supported, and the ministry’s approach to technology for teaching and learning following these incidents.

Until the replacement application has been rolled out, schools have instituted additional processes to ensure that devices are safely and responsibly used during school hours, said Mr Chan.

This includes activating web filtering on Chromebooks, and instructions shared on Parent Gateway on how to activate Apple’s built-in parental controls on iPads for parents to be able to set boundaries like screentime and restrict access to certain sites.

There were two incidents regarding Mobile Guardian in July and August, with the first taking place as early as July 30. The Straits Times reported that more than 1,000 students from at least five MOE secondary schools were affected by a glitch on the Mobile Guardian app.

This glitch was due to a human error in configuration by Mobile Guardian, said Mr Chan, and is separate from the later Aug 4 incident where a global cyber-security breach affected 13,000 students from 26 secondary schools in Singapore.

The cyberattack remotely wiped out the iPads of 13,000 devices in schools, which amounts to approximately 8 per cent of devices used by secondary schools, said Mr Chan.

To contain the breach, Mobile Guardian immediately shut down their servers and the ministry removed the app from all devices on Aug 5.

Over 300 IT engineers and staff were deployed to affected schools to help students restore their devices, and provided instruction sheets to students who wanted to troubleshoot their own devices, said Mr Chan.

“Our priority was to help affected students, particularly those sitting for national examinations so that learning and revision could continue,” he said, adding that all devices have since been restored for use in August.

During this time, schools had made learning resources hardcopy and supported students that were emotionally affected, said Mr Chan, adding that deadlines for assignments were extended and exams postponed where necessary.

Students could also continue to access learning resources on the Singapore Student Learning Space, which is an online learning portal that provides resources for both students and teachers.

“Through this episode, it was most heartening to see many of students step forward and proactively share their personal notes with classmates, and organise study sessions to do revision for their tests and exams together,” said Mr Chan.

Mr Chan also thanked GovTech, the Cyber Security Agency, the media, and the member of the public who had flagged the potential vulnerability.

On May 30, a member of the public had reported a potential vulnerability in the Mobile Guardian application to MOE, which the ministry’s IT team had immediately investigated the report on May 31.

Mr Chan said that attempts to replicate the vulnerability were not successful due to additional security measures that had already been implemented following the hack in April 2024.

In April 2024, Mobile Guardian’s user management portal at its headquarters in Surrey, Britain, was hacked, due to poor password management practice.

This led to a data leak involving the names and e-mail addresses of parents and teachers of five primary schools and 122 secondary schools in Singapore.

MOE had then asked Mobile Guardian to appoint an independent forensic investigator to evaluate its systems and processes, and findings showed poor password practices, said Mr Chan.

Mobile Guardian responded by implementing additional security measures such as strengthening authentication controls and fixing vulnerabilities that were rolled out on May 31.

An independent penetration test was later engaged in June and confirmed that the vulnerability reported by the member of the public had been closed, but it also uncovered new vulnerabilities in the app.

However, before these vulnerabilities could be fixed, the incidents in July and August occurred, said Mr Chan.

Forensic investigations with GovTech and CSA into the Aug 4 incident found a new vulnerability in Mobile Guardian’s system could allow an individual to carry out the attack, said Mr Chan.

“While no security test can be entirely exhaustive, MOE expects its contractors to regularly assess and strengthen their systems’ security posture,” he said, adding that the ministry requires all IT service providers to keep systems and data safe.