Proctorio's Anti-Cheating Software Exposes Students To Hackers Say Dutch Education Officials
from the well-duh-[but-in-Dutch] dept
Spyware is spyware. It doesn’t matter who’s deploying it. Proctorio — the snitchware maker that helps schools keep tabs on distance learners — has made headlines here for abusing the DMCA to silence security researchers who found flaws in the remote surveillance software. Bogus claims were filed and Proctorio is currently being sued by the EFF and one target of its censorial bullshit.
It was only a matter of time before someone took advantage of the omnipresent anti-cheat spyware, which takes control of students’ cameras and microphones to keep an eye on them as well as track their internet activity to ensure they aren’t searching the internet to find answers to tests. That’s a lot of centralized power enabled by expansive, mandatory permissions. It was bound to be exploited sooner or later. And sooner was the most likely outcome, considering Proctorio sometimes seems more interested in silencing critics than addressing the harms its software poses.
RTL News reports that students in the Netherlands may have been working with compromised computers for months, thanks to exploitation of Proctorio’s anti-cheat software.
Many tens of thousands of Dutch students have been easily hacked for months because their education forced them to install insecure anti-cheat software. Malicious persons could therefore gain access to their online accounts and peek in with their webcam.
This might jeopardize Proctorio’s contract with schools in the country which, all things considered, will harm no one but Proctorio. Pretty tough to find any tears to shed for a company that greets reports of security flaws with DMCA notices and legal threats. But students in the Netherlands aren’t happy with the tradeoff educators are making to reduce cheating.
“It is shocking that we were so easily hacked by Proctorio,” said Manish Jhinkoe-Rai, president of the student council of the University of Amsterdam (UvA). The National Student Union (LSVb) wants the online privacy and security of students to be better protected: “And that we are no longer forced to use this kind of unsafe software”, says LSVb chairperson Ama Boahene.
Well, it’s not all that shocking. This was an inevitability. A large user base, software with extensive permissions, students prevented from taking steps to secure their devices due to the demands of school and anti-cheat software, a company that retaliates against security researchers… it’s all a malicious hacker’s dream come true.
What’s not clear from this report is how many students were hacked or what damage hackers may have caused beyond surreptitiously surveilling students and their online activities. But there’s a lot that’s tempting to hackers. Here’s how the setup works when students are taking exams, according to a Netherlands-based computer science Ph.D candidate.
Before you are allowed into the exam, Proctorio will have you enable your webcam and microphone. It closes all open tabs in the browser. It also uses the screen-sharing functionality in Chromium, originally built for video calls, to record your screen. You will have to show a photo ID to the webcam to identify yourself. Following this, you will be asked to take your webcam and film your entire room to prove you are alone, that your desk is clean and that you haven’t stuck sticky notes out of view of the webcam. After this, you can take the exam, during which the microphone and webcam will continue to record you.
Even when Proctorio is not in active use, it still provides an attack vector for malicious hackers.
[The Proctorio hack] is a so-called universal cross-site scripting attack (UXSS). In such an attack, a criminal can execute code on every website you visit and, for example, intercept passwords or modify the recipient of a money transfer. The leak is usually in the browser or a browser plugin you are using.
Experts suggest students uninstall the Proctorio extension when not needed and reinstall prior to tests. But students using school-supplied devices may not have that option, which means the attack vector is always present, even if it isn’t currently active.
To its credit, Proctorio has made some efforts to patch reported flaws. But it continues to demand an insane amount of access to students’ computers. And for what ends? To ensure a few people won’t cheat on tests? The tradeoff in security seems completely out of whack. Hackers could leverage Proctorio to snoop on students’ online activities, harvest passwords from accounts, grab photos of their IDs, and engage in surreptitious recordings.
Students in the Netherlands are demanding a return to open book tests using physical books. Due to COVID-related complications, in-person testing is limited. But allowing students to work with offline testing materials would shut down this attack vector. If the end result is a few cheaters getting away with cheating, that would make COVID-affected schooling no different than the schooling that preceded it.
Even if more students would cheat on tests given the opportunity presented by distance learning, what’s the loss to society? If the information is important enough students will have trouble proceeding in life after a couple of years of testing. The only losers are the students who failed to learn. If they move through life without difficulty even without mastering this information, it only raises questions about the value of this information, rather than the students’ unwillingness to sacrifice time and energy studying information with extremely limited value.
Proctorio is perhaps no more intrusive than it has to be to achieve its stated aims. But that’s not a vindication of its demands from users and their devices. It’s an indictment. If students can be trusted with distance learning but not distance testing, the educational system needs to do more than allow a third-party to create enticing, hackable holes for malicious people to exploit.