On paper, Roy Sun seemed an exemplary student. During his senior year at Purdue University, he made As in every class, despite rarely attending any of them.
But in reality, he was failing. Instead of studying, he spent his time stealing professors’ passwords so he could hack into the computer system and change his grades from Fs to As.
“It became so much easier to change my grades than going to class and working real hard,” Sun said in an Indiana courtroom last week, when he was sentenced to three months in jail.
Sun joins a growing list of college students who have chosen hacking over studying to boost grades. The students have exposed lax computer security on campuses increasingly under attack from outside hackers trying to steal intellectual property developed by professors.
In December, two students and a graduate of Florida International University were allegedly caught hacking into a professor’s computer, obtaining upcoming tests, and selling the answers for $150.
Last March, two Miami University students allegedly hacked into their professors’ computers and changed grades for themselves and 50 other students.
In almost every case, the students stole professors' passwords using a keystroke logger. The device, widely available online and installed inside keyboards, allowed them to capture login information as it was typed.
Keystroke loggers are popular among hackers because they are “notoriously hard to detect unless physically spotted,” according to a blog post by John Hawes, a technical consultant at the computer security publication Virus Bulletin.
Sun and his accused accomplice, fellow Purdue student Mitsutoshi Shirasaki, gained access to professors’ computers by picking locks on their office doors, then installing keystroke loggers on their keyboards, prosecutors said. Hoping to avoid detection, they waited to hack into the university computer system until 10 minutes before professors' deadline to submit their grades for the semester, according to the Lafayette Journal and Courier.
But they aroused suspicion by changing professors’ passwords. Shirasaki failed to mask his computer's IP address, allowing authorities to link the hacking to his apartment, where they found a keystroke logger and a lock-picking set, according to court documents.
The hackers made “substantial changes” to their grades, changing Fs to As -- a jump that “would be noticed,” said Tally, the university spokesman.
“They were not subtle about it,” Tally said.
Students have been trying to hack their way to better grades for years. Back in 2008, Duong Thanh, a computer science student at University of Texas at Dallas, published research on how to hack into Blackboard, the popular course management software. Since then, Thanh said he has received "hundreds of emails" from students asking for help hacking into their teacher’s accounts to change their grades or view upcoming quizzes.
“The number of requests sent to my mail box increases dramatically during every final exam period,” Thanh wrote in a 2010 blog post.
Colleges and universities make easy hacking targets. Many don’t have money for sophisticated IT experts or the latest cybersecurity software, according to Hawes. They also have a history of being “open and trusting communities,” a philosophy that runs counter to strong cybersecurity, according to Rodney Petersen, former head of the cybersecurity program at Educause, a nonprofit alliance of schools and technology companies.
“It wouldn’t be uncommon to walk into an academic setting at a university and see a professor’s door wide open while he went to get some coffee,” Petersen said.
For university IT departments, such incidents are a minor concern compared with Chinese hackers who are attempting millions of cyberattacks against their networks every week.
Still, student hackers have pushed some schools to improve security. After Sun’s arrest, Purdue University replaced keyboards in open areas with thin, Apple-made keyboards, making it more difficult to install keystroke loggers, Tally said.
Many colleges and universities should do more, including requiring staff to log in at computers that are off-limits to students, and requiring professors to use two-step authentication -- entering a random password sent to their phones -- before logging in to a system with grades and tests, experts said.
They also should educate students about the penalties for hacking, Petersen said.
“Some students might see this as minor issue, but it is a crime,” Petersen said. “We need to bring more attention to the fact there are serious consequences associated with this.”
In most cases, hackers have been expelled. Some have been charged with misdemeanors. In addition to a 90-day jail sentence, Sun was reportedly kicked out of a graduate program at Boston University and will be forced to return his diploma from Purdue.
Shirasaki has been charged with several felonies, including conspiracy to commit computer tampering. He's wanted on an arrest warrant.
Sun, who had a $70,000-a-year job as an engineer his first year out of college, reportedly now works as a part-time busboy, and earned only $1,500 last year.
During his sentencing last week, Sun, now 25, said he was blinded by ego, telling the judge that he “felt really arrogant” while hacking into professors’ computers.
“I thought I was untouchable,” he said.