They Hacked Their School District When They Were 12. The Adults Are Still Trying to Catch Up.

—Rachel Woolf for Education Week

Jeremy Currier and Seth Stephens should be the cybersecurity workers of tomorrow. Instead, they're at the center of a possible criminal investigation

Rochester Hills, Mich.

The hack started small, in 7th grade, when they bypassed their middle school’s internet filters to watch YouTube during lunch.

But by the time Jeremy Currier and Seth Stephens were caught, more than two years later, their exploits had given them extraordinary reign over the computer network of the Rochester Community Schools, a well-to-do suburban district about 45 minutes outside Detroit.

The teens had access to the logins, passwords, phone numbers, locker combinations, lunch balances, and grades of all 15,000 of their classmates.

They could view teachers’ tests, answer keys, and email messages.

They could control the district’s security cameras and remotely operate its desktop computers via their phones.

The boys were even using district servers to mine for cryptocurrency.

“It wasn’t anything malicious,” said Jeremy, now 15. “I mostly just wanted to figure out what else I could do.”

That’s not how Rochester school officials saw it. Though there’s no evidence to date that Jeremy and Seth directly threatened anyone, the district expelled both boys, then referred them to the county sheriff’s office.

Now, the case is raising a number of big questions. Chief among them: How can schools better develop the potential of children with advanced computing skills and a penchant for probing boundaries—before things go bad?

With the nation facing mounting cyber threats and a severe shortage of qualified cybersecurity workers, the K-12 sector is under considerable pressure to make that a priority. But the reality is that many school districts are still struggling to protect their own networks, let alone prepare the high-tech workforce of tomorrow.

That’s why Jeremy and Seth are the latest students to be featured for Education Week’s Faces of the Future series.

Instead of finding themselves on track for advanced degrees and lucrative careers, the boys are at the center of a possible criminal investigation.

“I can’t begin to fathom what they did or didn’t know,” said Michele Stephens, Seth’s mom. “They were far more knowledgeable than we could ever keep up with.”

‘I Just Love Figuring Out Problems’

Having a young computer whiz in the family can be a mixed blessing.

Just ask Jeremy’s grandmother.

On a gray October afternoon, Jeremy perched on the edge of her sofa, hands wrapped around his knees in a vain attempt to keep from fidgeting. He sped through the process of helping the 82-year-old set up a new iPad, tossing out mile-a-minute explanations of how to set account preferences and send text messages via Siri.

“Do they have a language on here called ‘Jeremy Speak?’” his grandmother asked.

—Rachel Woolf for Education Week

Now a lanky teen with a wispy mustache, Jeremy started taking computers apart when he was 9. He built his first machine from scratch when he was 11. Before long, he was trying to build computing rigs with enough processing power to “mine” encrypted digital currencies. After seeing what Jeremy had learned on his own via Reddit, an IT contractor offered him a job on the spot.

“I just love figuring out problems,” Jeremy said. “People turn on their computer and think it’s magic. But there’s actually way more to it than that.”

Unfortunately, said Jeremy’s mother, Janet Currier, the local public schools didn’t really tap into that passion for hands-on problem-solving. Teachers and counselors didn’t seem to know what to do with him. The STEM classes offered in middle school felt far beneath Jeremy’s abilities. Potentially exciting computer science classes weren’t available until junior or senior year. Jeremy, focused intently on what he could accomplish right now, started bristling at the Rochester district’s heavy emphasis on college prep.

—Rachel Woolf for Education Week

“I never wanted to go to school in the morning,” he said. “Building stuff at home was my only interest.”

Making things more complicated, Jeremy had few friends.

One of the few peers who shared his passions was Seth, a quiet boy who lived about 10 minutes away.

Their families welcomed the connection.

By 7th grade, the two were having regular sleepovers, staying up all night to play “Counter Strike” and mess around on their computers.

‘Complete and Utter Access’

Seventh grade was also the year the boys noticed a sticky note attached to one of the public computers in the middle school library. It had a username and password on it, they said, in case students or staff wanted to look up books but had forgotten their own credentials.

Jeremy and Seth discovered that by logging in with the information on the note, then closing out of the library software, they could access files that had been shared with the library’s adult staff.

How Can Schools Support Cybersecurity Education? States, the federal government, and private businesses are all pushing the K-12 sector to start now with teaching students the foundational skills they’ll need to protect the nation’s future information-technology infrastructure. It’s a big lift for many districts, which often lack the money, curriculum, teachers, time, and expertise to introduce such a big topic into an already-crowded school day. But there are other ways to make sure students don’t languish or fall through the cracks, said Davina Pruitt-Mentle, the lead for academic engagement for the National Institute for Cybersecurity Education, which is housed in the federal Department of Commerce. Among the resources available: independent cyberdefense competitions, statewide cyber ranges, and programs like CyberPatriots and Hacker High School. “You have to figure out the aptitude of these students and grab them quickly so they can be put on the right track,” Pruitt-Mentle said. Read more about the state of K-12 cybersecurity education.

One of the files, they said, was a Microsoft Excel spreadsheet with a filename that included the school year and the word “students.” The file was unprotected. They opened it up.

It contained the passwords for every student in the Rochester district.

“I was 12. I didn’t want to go up to a teacher and say, ‘Hey, I just found an entire list of student passwords,’” Jeremy said. “We wanted to do a little more exploring.”

According to the boys, their next step was to access the network from home, via the district’s online portal.

Over the next two years, they also found a district program that allowed them to change passwords for everyone in the system. They browsed through selected teacher files containing lesson plans, emails, tests, and answer keys.

They installed a software program called “TeamViewer” on a machine in the back of a science classroom, turning it into a “slave computer” that afforded them remote access to any PC in the district.

After the district installed new internet-enabled security cameras, the boys found another sticky note with a username and password, left on the laptop of a school security guard. They used that information to access the camera system, figuring out how to pan, zoom, and watch old footage.

The boys also installed crypto-mining software on the district’s servers. It remains unclear whose idea it was, whether any money was generated, and who had access to any proceeds.

It’s also not clear if that’s the full extent of the boys’ exploits. Citing the possible criminal investigation, both families declined to answer questions about the possibility of violations not referenced in the disciplinary documents they received from the Rochester Community Schools, copies of which they provided to Education Week.

Regardless, Rochester technology officials bear considerable blame for what happened, said Douglas A. Levin, a K-12 cybersecurity expert who first published an account of the hack on his blog in September.

By leaving its network essentially unprotected, Levin said, the district made it easy for Jeremy and Seth to execute a mind-boggling security breach.

“The notion that two 12-year olds were able to do this is honestly just extraordinary,” he said.“They had complete and utter access.”

‘It Was Very Much a Freakout’

But just as noteworthy, Levin argued, is what the boys didn’t do.

There’s no evidence they cheated or changed grades, disrupted classes or sold answers to tests, zeroed out lunch balances or broke into anyone’s locker, installed malware or deleted files, harassed people online or stole anyone’s identity.

—Rachel Woolf for Education Week

Through a bewildering ordeal, that reality has given Seth’s parents some solace.

“There are things in our everyday lives that we can all do, that we have access to do, but you just don’t, because you know that’s crossing the line,” his father said. “I think that’s where Seth was.”

Scott and Michele Stephens met 17 years ago, while bowling. Not long after they were married, they moved to Rochester Hills, a suburban community subdivided into neighborhoods with names like Meadowbrook Valley and Heritage Oaks. The schools were a big reason why.

Seth’s elementary years went smoothly enough. He did well in his classes and took care of his dog and developed a quirky fascination with the Weather Channel. He also showed an aptitude for coding, which eventually led to him using YouTube tutorials to teach himself programming languages like Javascript and Visual Basic.

The Troubling State of K-12 Cybersecurity A spate of recent hackings and cyberattacks directed at K-12 schools—many by students—has shone a harsh light on the weak cybersecurity practices in many districts. Even more worrisome: Surveys suggest district technology officials don’t appreciate the magnitude of the threat and often aren’t taking even basic steps to protect their networks. “From a larger perspective, one has to wonder why it’s been so easy for students to hack their schools,” said Douglas A. Levin, who runs the K-12 Cybersecurity Resource Center. “In this particular incident, [Rochester Community Schools] left their systems essentially wide open.” Read more about schools' struggles to fend of cyberattacks.

By 6th grade, though, serious issues had surfaced. Seth was diagnosed with attention-deficit hyperactivity disorder. He had trouble falling asleep. He would close himself up in his room, get lost in his computer, and refuse to go to bed. Explosive fights would ensue. Michele and Scott removed the door to his bedroom.

Towards the end of 9th grade, they found out Seth was failing three of his classes.

Scott and Michele felt their son’s needs were going unmet. Worse, his computer talents seemed to be going unrecognized. They started seriously considering other options for the rest of high school.

Still, the call from his principal, saying their son was in trouble, came as a shock.

“It was very much a freak-out,” Michele said.

Staring Into Uncertain Futures

Officials from Rochester Community Schools declined to comment on the case or be interviewed about the district’s cybersecurity practices, citing privacy concerns and the possible criminal investigation.

But letters sent to the Stephens and Currier families as part of the disciplinary proceedings against their sons spell out the district’s perspective.

While the boys “did not directly threaten the safety of staff or students,” Rochester officials wrote, their breach of the district’s network was “pre-mediated [sic], deliberate, and ongoing.”

Giving Jeremy and Seth the chance to make amends—perhaps by helping the district better understand its cyber vulnerabilities—would not undo the privacy violations suffered by staff or students, Rochester officials maintained. Nor would it compensate the district for time lost investigating the hack and rebooting its systems.

Ultimately, the district said, expulsion was necessary to deter other students from similar misbehavior.

That decision has left Jeremy and Seth staring into uncertain futures.

How Should Student Hackers Be Disciplined? There’s no clear consensus in the field about how to discipline students who hack into their district computer systems, and educators across the country have handled incidents in very different ways. Research suggests that harsh punishments such as expulsion don’t have the intended effect, Harper said, either on those who committed the offense or on the broader student body. “The message you end up sending is that if students commit an offense, they should do everything in their power not to get caught, because there’s no way to repair what they broke,” she said. Read more about student hacking incidents.

Their long-term employment prospects should have been bright. In the coming decade, for example, the federal government will be looking for thousands of skilled cybersecurity workers. The growing demand has only been underscored by a steady drumbeat of news stories about hacks, cyberattacks, and digital espionage.

But the boys are unlikely to be eligible for many of those public-sector positions, said Davina Pruitt-Mentle, who helps head cybersecurity-education efforts at the U.S. Department of Commerce in Washington.

“Will they be able to pass a background check and get a security clearance?” she said, noting that the process includes a review of candidates’ moral character, not just criminal background. “I’m not a lawyer, but my money would probably be on ‘No.’”

Depending on how the possible criminal investigation unfolds, private-sector employers may be more accommodating.

But even in the best-case scenario, the teens face a rocky road to the postsecondary degrees and credentials that will unlock more than entry-level IT jobs.

Since getting kicked out of Rochester Community Schools, Jeremy has enrolled at Oxford Virtual Academy, a full-time online school run by the Oxford, Mich., school district. He started the year on a kind of probation; because of the nature of his expulsion, the school wouldn’t give him a laptop to use at home. So twice a week, he heads to a storefront in a strip mall to work at one of Oxford Virtual’s drop-in centers.

Even before his expulsion, Janet Currier said, she felt on an island, trying to encourage her son’s interests and talents, even though they’d long since exceeded her capacity.

Now, she alternates between fury and exasperation at what she views as the Rochester district’s scapegoating of Jeremy, as well as the criticism she’s received on Facebook for not punishing him more harshly.

“What am I supposed to do? Lock him in his room? Set him on fire? Discourage him from his chosen career path?” she asked.

—Rachel Woolf for Education Week

Seth’s education, meanwhile, now consists mostly of online Khan Academy courses.

No longer allowed to have a computer in his bedroom, he works mostly downstairs, at a desk cluttered with game controllers and Tootsie rolls, in the room where his dad stores dozens of bowling balls.

After working nightshifts as an electrician at the local Ford plant, Scott spends his days home-schooling Seth, trying to reach his son in a way that a 2017 National Blue Ribbon-winning school district apparently could not.

With little idea how to proceed, Scott has leaned on what he knows. The main project he’s assigned Seth this semester is to build a website and app that will allow bowlers to track their bowling equipment.

Seth says he still hopes to go to college, to study computer science.

His parents hope that opportunity hasn’t been lost.

“It’s like there’s this big mature person inside of this little body,” Michele said as her son hung his head quietly beside her.

“He showed very bad judgment. But they’re treating him like a criminal.”

Vol. 38, Issue 13, Pages 1, 10-11

Published in Print: November 13, 2018, as Student Hackers Are Facing an Uncertain Future

Please enable JavaScript to view the comments powered by Disqus.

Back to Top