Computer scientists reveal security issues in proctoring software
Cheating during an online exam? Scientists from the Cyber Security department have proved it is possible, even if anti-fraud software is being used. They found security issues in what is known as proctoring software, which Radboud University is considering using for the final exams of this academic year.
What can you do if students have to take an exam from home, but the answers can be easily googled? Teachers can use proctoring software to prevent digital cheating. The software monitors students during the exam through their webcams and microphones. At the same time, other processes running on the computer are also monitored.
During the meeting with the participational bodies last week, the Executive Board called this solution a last resort . But by using the software, students could possibly take their exams in the last exam week of this academic year. A pilot is currently running which should make clear whether proctoring is feasible and whether students’ privacy would be sufficiently safeguarded. The Executive Board is considering Proctorio as a potential supplier of the software.
Security
Members of the participational bodies are sceptical. Doctoral candidate and computer scientist Anna Guinet is not convinced that Proctorio safeguards students’ privacy sufficiently, for example.
And that is not her only concern. To lend weight to her argument, Guinet got in touch with colleagues Veelasha Moonsamy and Peter Schwabe of the Digital Security Group. They demonstrate that proctoring raises concerns not only about privacy, but also about security. After all, what is the use of anti-fraud software if students can still look up the answers on Wikipedia during their exam, by way of a simple trick?
‘If it is this easy to hack the system, that threatens the validity of the exams’
If the proctoring software is working as it should, the invigilators of Proctorio should be able to see if students open a PDF file with the solutions while they are answering the questions. Or if they navigate to Wikipedia.
Simple trick
However, Moonsamy and Schwabe recorded a video in which they demonstrate that this surveillance can be easily bypassed with a relatively simple trick. They take the exam in something called a virtual machine, a computer program which imitates another computer. Using such a virtual machine it’s possible, for example, to run Windows on a MacBook or use Apple software on a Microsoft computer. In a second video, we see that Proctorio does not notice that the computer scientists are using the virtual machine, so they could surf the Internet unnoticed and could easily have opened a saved PDF file.
According to Anna Guinet, this is a trick which many students can apply. Computer Science student Frank Gerlings, who previously took an exam with the help of Proctorio software, confirms this. ‘It’s really easy to do.’
Add to this the fact that privacy is not safeguarded, and Guinet feels that the university should decide against using the surveillance software. ‘If it is this easy to hack the system, that threatens the validity of exams and degrees at this university.’
Letter
The University Student Council (USR) has also advised the Executive Board not to use proctoring and would rather have students being assessed on the basis of essays, oral exams or other forms of testing. In a letter to the Board this week, the Student Council wrote ‘Proctoring can only be considered in the most exceptional situation in which alternative forms of testing are found to be unsuitable.’
In the same letter, the Council formulates nine preconditions which should be met in such a situation. For example, teaching staff should justify why an alternative form of testing, such as an oral exam, is not an option and that justification should be checked by an independent commission. In addition, the students feel that the processing and storage of personal data should be in compliance with the GDPR.
‘By using proctoring, you penetrate deep into students’ privacy’
USR Chair, Hans Kunstman, feels that the Board must carefully weigh combating the risk of cheating against the invasion of students’ privacy. ‘Naturally, we are also aware of the importance of avoiding study delays. But by using proctoring, you penetrate deep into students’ privacy. And there’s no guarantee that this invasion of students’ privacy is justified if proctoring is not in fact as fraudproof as it claims to be.’
Cooperation
University spokesperson, Martijn Gerritsen, tells us that susceptibility to fraud is one of the aspects being looked at in the proctoring pilot. ‘The university was pleased with the initiative by Cyber Security teaching staff to research the system and gave them access to it.’ According to Gerritsen, Moonsamy and Schwabe had the cooperation of the Board for the hack.
He went on to explain that it’s not necessarily a problem that students taking an exam can look up answers by way of a virtual machine. ‘Proctorio registers any absence from the exam environment. You might compare it to a student leaving the exam hall without any explanation during an exam on campus. If we see that happening, we can ensure that there are consequences, such as declaring the exam invalid.’
At the same time, Moonsamy and Schwabe warn their faculty board in an email that the hack they carried out required only a ‘minimum’ of effort. According to Moonsamy and Schwabe they could have come up with all sorts of hacks which circumvent Proctorio security measures, if they would have spent a couple of hours more.
The pilot with Proctorio runs until 22 May. The Executive Board aims to make a definite decision before the end of May as to whether or not to apply video surveillance during the last exam week of the academic year, in June.
Update 30.04.20 7:30 pm: The videos recorded by Veelasha Moonsamy and Peter Schwabe were taken offline.
Bas Buskens schreef op 14 juni 2020 om 17:23
Totaal gebrek aan reactie van de universiteit op een mogelijk lek met als gevolg de opnames van duizenden studenten op straat. Onbegrijpelijk dat hier zo makkelijk mee omgegaan wordt. Wmbt mag de universiteit wel wat meer openheid en cooperatie tonen dan zich alleen te focussen op het mogelijke omzeilen van de software.