Proctorio's Anti-Cheating Software Exposes Students To Hackers Say Dutch Education Officials

from the well-duh-[but-in-Dutch] dept

Spyware is spyware. It doesn’t matter who’s deploying it. Proctorio — the snitchware maker that helps schools keep tabs on distance learners — has made headlines here for abusing the DMCA to silence security researchers who found flaws in the remote surveillance software. Bogus claims were filed and Proctorio is currently being sued by the EFF and one target of its censorial bullshit.

It was only a matter of time before someone took advantage of the omnipresent anti-cheat spyware, which takes control of students’ cameras and microphones to keep an eye on them as well as track their internet activity to ensure they aren’t searching the internet to find answers to tests. That’s a lot of centralized power enabled by expansive, mandatory permissions. It was bound to be exploited sooner or later. And sooner was the most likely outcome, considering Proctorio sometimes seems more interested in silencing critics than addressing the harms its software poses.

RTL News reports that students in the Netherlands may have been working with compromised computers for months, thanks to exploitation of Proctorio’s anti-cheat software.

Many tens of thousands of Dutch students have been easily hacked for months because their education forced them to install insecure anti-cheat software. Malicious persons could therefore gain access to their online accounts and peek in with their webcam.

This might jeopardize Proctorio’s contract with schools in the country which, all things considered, will harm no one but Proctorio. Pretty tough to find any tears to shed for a company that greets reports of security flaws with DMCA notices and legal threats. But students in the Netherlands aren’t happy with the tradeoff educators are making to reduce cheating.

“It is shocking that we were so easily hacked by Proctorio,” said Manish Jhinkoe-Rai, president of the student council of the University of Amsterdam (UvA). The National Student Union (LSVb) wants the online privacy and security of students to be better protected: “And that we are no longer forced to use this kind of unsafe software”, says LSVb chairperson Ama Boahene.

Well, it’s not all that shocking. This was an inevitability. A large user base, software with extensive permissions, students prevented from taking steps to secure their devices due to the demands of school and anti-cheat software, a company that retaliates against security researchers… it’s all a malicious hacker’s dream come true.

What’s not clear from this report is how many students were hacked or what damage hackers may have caused beyond surreptitiously surveilling students and their online activities. But there’s a lot that’s tempting to hackers. Here’s how the setup works when students are taking exams, according to a Netherlands-based computer science Ph.D candidate.

Before you are allowed into the exam, Proctorio will have you enable your webcam and microphone. It closes all open tabs in the browser. It also uses the screen-sharing functionality in Chromium, originally built for video calls, to record your screen. You will have to show a photo ID to the webcam to identify yourself. Following this, you will be asked to take your webcam and film your entire room to prove you are alone, that your desk is clean and that you haven’t stuck sticky notes out of view of the webcam. After this, you can take the exam, during which the microphone and webcam will continue to record you.

Even when Proctorio is not in active use, it still provides an attack vector for malicious hackers.

[The Proctorio hack] is a so-called universal cross-site scripting attack (UXSS). In such an attack, a criminal can execute code on every website you visit and, for example, intercept passwords or modify the recipient of a money transfer. The leak is usually in the browser or a browser plugin you are using.

Experts suggest students uninstall the Proctorio extension when not needed and reinstall prior to tests. But students using school-supplied devices may not have that option, which means the attack vector is always present, even if it isn’t currently active.

To its credit, Proctorio has made some efforts to patch reported flaws. But it continues to demand an insane amount of access to students’ computers. And for what ends? To ensure a few people won’t cheat on tests? The tradeoff in security seems completely out of whack. Hackers could leverage Proctorio to snoop on students’ online activities, harvest passwords from accounts, grab photos of their IDs, and engage in surreptitious recordings.

Students in the Netherlands are demanding a return to open book tests using physical books. Due to COVID-related complications, in-person testing is limited. But allowing students to work with offline testing materials would shut down this attack vector. If the end result is a few cheaters getting away with cheating, that would make COVID-affected schooling no different than the schooling that preceded it.

Even if more students would cheat on tests given the opportunity presented by distance learning, what’s the loss to society? If the information is important enough students will have trouble proceeding in life after a couple of years of testing. The only losers are the students who failed to learn. If they move through life without difficulty even without mastering this information, it only raises questions about the value of this information, rather than the students’ unwillingness to sacrifice time and energy studying information with extremely limited value.

Proctorio is perhaps no more intrusive than it has to be to achieve its stated aims. But that’s not a vindication of its demands from users and their devices. It’s an indictment. If students can be trusted with distance learning but not distance testing, the educational system needs to do more than allow a third-party to create enticing, hackable holes for malicious people to exploit.

Filed Under: , , , ,
Companies: proctorio

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Proctorio's Anti-Cheating Software Exposes Students To Hackers Say Dutch Education Officials”

Subscribe: RSS Leave a comment
Max says:

But WHY...?

I never understood the staunch determination of most education outfits to insist on people taking exams using nothing but their heads; in 99.99% of real life situations there exists absolutely no condition preventing the use of arbitrary references to solve a problem as long as you do it in a timely manner. Utterly asinine…

James Burkhardt (profile) says:

Re: But WHY...?

Because what’s the point of a computerized learning platform if you have to grade shit? Testing for understanding in how to apply stem concepts is hard, and grading is harder. Using multiple choice or short answer questions to test memorization is easy to test and grade. But the book undermines that form of testing to actually measure results.

Combined with issues of standardized testing, low pay for teachers, grading being done outside official school hours, Professional inertia, and other national and state requirements to provide simple measurable results that favor frequent testing, and no-book tests are overwhelmingly favored.

Anonymous Coward says:

Re: Exercise your brain muscles, you slugs!

There is a point to stuffing information into your head. If you have nothing in your head by pointers to online resources, it is much more difficult for you to identify things which are wrong. … or if you prefer, counter to what you have learned.

Practically speaking, going to original sources is going to be greatly the exception rather than the rule. So sure, nothing "prevents" you from using arbitrary references to solve a problem, but the entry condition is "knowing that there is a problem".

Just as a trivial example… The cashier rings up a bill for $16.36. I hand them a Twenty, two ones, a dime, and a penny. It is amazing how many cashiers will hand me back the ones, and often the coins, rather than return me the Fiver and three quarters.

James Burkhardt (profile) says:

Re: Re: Exercise your brain muscles, you slugs!

I’m currently employed as an accountant. I won local quick computation contest. If you give me 22.11 for a 16.36 bill I’m not giving you a 5 and 3 quarters. You’ll get a five, two quarters, a dime, 4 pennies and your dime and penny back. I’ve been doing this for 7 hours, I’m not getting yelled at by Anonymous Karen for fucking up mental math.

That said, you’ve given an odd example. The widespread use of calculators is accepted in every workplace. Perhaps you are going for sarcasm, but if so Poe’s law has struck here.

As an accountant, my working memory of GAAP rules is limited to those topics I handle regularly. If I only see it once a year, I won’t remember it. We have recipe cards for a reason. I used to program C++ and Objective C regularly and had a working knowledge of some functions, but I almost exclusively was looking up other libraries, syntax of various functions, or good ways to handle problems. Doctors don’t rely on memory, they rely on reference material. Laywers don’t rely on memory, they rely on reference material outside the court and take what they need into court with them.

Reliance on years old memorization is not a viable way to remember everything, and studies suggest most students forget material simply learned by rote memorization, no matter how well you had it down the day of the test.

PaulT (profile) says:

Re: Re: Re: Exercise your brain muscles, you slugs!

"Doctors don’t rely on memory, they rely on reference material"

There’s a very good argument that those are the last people who should do so since medicine moves fairly fast. You probably don’t want to be diagnosed. by a GP who only relies on what they learned 40 years ago.

Whereas, I can say that in my job in tech, there’s probably only 10-20% of what I learned at university that’s even relevant today. Some fundamentals don’t change, but a large proportion of my day to day didn’t exist back then. I’d hate to to be seen by a doctor who was in a position where he didn’t keep up.

Anonymous Coward says:

Re: Re: Re: Exercise your brain muscles, you slugs!

Doctors don’t rely on memory, they rely on reference material. Laywers don’t rely on memory, they rely on reference material

In both cases, they also rely on each other. It’s a bad doctor or lawyer who tries to be a hero and solve everything on their own. Of course, you mentioned difficulty of grading in another comment, and it’s hard to produce individual grades when the class are working together.

PaulT (profile) says:

Re: But WHY...?

There is certainly some value in working out whether a person understand basic concepts, especially in an online world that allows people to access knowledge without understanding what they’re repeating. In my profession, you quickly learn who knows something, and who copies and pastes from StackOverflow without knowing what it means. A qualification from someone who’s allowed to do the latter devalues the entire thing.

How you test this is another question, but it’s certainly not reliable to get people to rote memorise things and expect them never to look at a reference source.

Eldakka (profile) says:

Re: But WHY...?

When I was at university, maths/statistics exams (among a few others) were open-book. you could bring anything into the exam that:

  • didn’t disturb anyone else taking the exam (e.g. playing music);
  • wasn’t a communications device (so you couldn’t call a friend);
  • you could carry by yourself into the room and could fit on/about the desk not intruding on walkways/other peoples work space.

They recognised that being able to look up an equation didn’t do much to help you solve that equation if you didn’t know how it worked (and the mathematic processes for solving it). And there are so many equations available, that it’s impossible for everyone to remember the full, exact, equations for everything in their heads.

From memory, chemistry parctical (i.e. lab work) exams were also open book. If you don’t know how to do a titration, wasting time reading up how to do it isn’t going to help you get that done before the cutoff time.

Anonymous Coward says:

Experts suggest students uninstall the Proctorio extension when not needed and reinstall prior to tests. But students using school-supplied devices may not have that option, which means the attack vector is always present, even if it isn’t currently active.

I want to point out: if you have a 3rd party owned device, in no way is it safe OR sane to be logging in to unrelated services, or doing financial transactions on it.

Anonymous Coward says:

Re: Re:

I want to point out: if you have a 3rd party owned device, in no way is it safe OR sane to be logging in to unrelated services, or doing financial transactions on it.

Easier said than done. Students are not known for having vast financial resources to purchase additional devices; in the USA and Canada, at least, many of them have negative money. So, the basic human right of privacy is one additional privilege students from rich families have over the poor.

Tanner Andrews (profile) says:

Re: Re:

same company that was monitoring bar exams

Back when I did the bar exam, it was a different arrangement. Everyone showed up in a huge convention room, and if you used a computer the anti-cheat software offered a crude editor that took over your computer. The one big room meant that there was no need for cameras and that sort of stuff on the computer.

Best practices were to use a separate lap-top for that exam. I still have the one I used, in a back room somewhere. It has not been powered on for many years, probably about so many as it has been since I did the bar exam.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...