Proctorio's Anti-Cheating Software Exposes Students To Hackers Say Dutch Education Officials
from the well-duh-[but-in-Dutch] dept
Spyware is spyware. It doesn't matter who's deploying it. Proctorio -- the snitchware maker that helps schools keep tabs on distance learners -- has made headlines here for abusing the DMCA to silence security researchers who found flaws in the remote surveillance software. Bogus claims were filed and Proctorio is currently being sued by the EFF and one target of its censorial bullshit.
It was only a matter of time before someone took advantage of the omnipresent anti-cheat spyware, which takes control of students' cameras and microphones to keep an eye on them as well as track their internet activity to ensure they aren't searching the internet to find answers to tests. That's a lot of centralized power enabled by expansive, mandatory permissions. It was bound to be exploited sooner or later. And sooner was the most likely outcome, considering Proctorio sometimes seems more interested in silencing critics than addressing the harms its software poses.
RTL News reports that students in the Netherlands may have been working with compromised computers for months, thanks to exploitation of Proctorio's anti-cheat software.
Many tens of thousands of Dutch students have been easily hacked for months because their education forced them to install insecure anti-cheat software. Malicious persons could therefore gain access to their online accounts and peek in with their webcam.
This might jeopardize Proctorio's contract with schools in the country which, all things considered, will harm no one but Proctorio. Pretty tough to find any tears to shed for a company that greets reports of security flaws with DMCA notices and legal threats. But students in the Netherlands aren't happy with the tradeoff educators are making to reduce cheating.
"It is shocking that we were so easily hacked by Proctorio," said Manish Jhinkoe-Rai, president of the student council of the University of Amsterdam (UvA). The National Student Union (LSVb) wants the online privacy and security of students to be better protected: "And that we are no longer forced to use this kind of unsafe software", says LSVb chairperson Ama Boahene.
Well, it's not all that shocking. This was an inevitability. A large user base, software with extensive permissions, students prevented from taking steps to secure their devices due to the demands of school and anti-cheat software, a company that retaliates against security researchers… it's all a malicious hacker's dream come true.
What's not clear from this report is how many students were hacked or what damage hackers may have caused beyond surreptitiously surveilling students and their online activities. But there's a lot that's tempting to hackers. Here's how the setup works when students are taking exams, according to a Netherlands-based computer science Ph.D. candidate.
Before you are allowed into the exam, Proctorio will have you enable your webcam and microphone. It closes all open tabs in the browser. It also uses the screen-sharing functionality in Chromium, originally built for video calls, to record your screen. You will have to show a photo ID to the webcam to identify yourself. Following this, you will be asked to take your webcam and film your entire room to prove you are alone, that your desk is clean and that you haven’t stuck sticky notes out of view of the webcam. After this, you can take the exam, during which the microphone and webcam will continue to record you.
Even when Proctorio is not in active use, it still provides an attack vector for malicious hackers: a browser extension that is allowed to run on every site the student visits is also reachable from every site the student visits, whether or not an exam is in progress.
[The Proctorio hack] is a so-called universal cross-site scripting attack (UXSS). In such an attack, a criminal can execute code on every website you visit and, for example, intercept passwords or modify the recipient of a money transfer. The leak is usually in the browser or a browser plugin you are using.
Experts suggest students uninstall the Proctorio extension when not needed and reinstall prior to tests. But students using school-supplied devices may not have that option, which means the attack vector is always present, even if it isn't currently active.
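What "an insane amount of access" looks like in an extension can be checked from the manifest alone. The following is an added example written for this page, not code from the article, from Proctorio or from any real extension: it audits a browser-extension manifest for the properties that give a single bug in the extension UXSS-like reach (host access to every origin, a content script injected into every page, a wildcard `externally_connectable` entry, and a relaxed extension CSP). Both manifests in the block are constructed for illustration; the product name, file names and domain are hypothetical, and the "scoped" manifest shows what the same extension would look like if it only requested access to the exam site.

```javascript
// Added example (not from the article, Proctorio, or any real extension).
// Audits a WebExtension manifest for the broad access that turns one bug in the
// extension into "code on every website you visit". Both manifests are constructed.

const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_PERMS = new Set([
  'tabs', 'webRequest', 'webRequestBlocking', 'cookies', 'history', 'debugger',
  'nativeMessaging', 'desktopCapture', 'tabCapture', 'scripting', 'clipboardRead',
]);

// A match pattern is "broad" when it covers every origin.
function isBroad(pattern) {
  return BROAD_HOSTS.has(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
  const hosts = manifest.manifest_version >= 3
    ? (manifest.host_permissions || [])
    : perms.filter((p) => p === '<all_urls>' || p.includes('://'));

  for (const h of hosts) if (isBroad(h)) findings.push(`host access to every site: ${h}`);
  for (const p of perms) if (SENSITIVE_PERMS.has(p)) findings.push(`sensitive API: ${p}`);

  // A content script matched against every URL runs inside every page the user
  // opens, so a flaw in it has the same reach as a browser UXSS bug.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroad(m)) findings.push(`content script runs on every site: ${(cs.js || []).join(',')} @ ${m}`);
    }
  }

  // A wildcard externally_connectable entry lets any web page message the
  // extension's privileged background context.
  const ec = manifest.externally_connectable;
  if (ec && (ec.matches || []).some(isBroad)) {
    findings.push('any website may message the extension (externally_connectable)');
  }

  // MV2 extensions may relax their own CSP; 'unsafe-eval' in a privileged
  // context makes injected strings executable.
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string' && csp.includes("'unsafe-eval'")) {
    findings.push("CSP allows 'unsafe-eval' in extension pages");
  }
  return findings;
}

// Constructed, hypothetical MV2 manifest with the broad access discussed above.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: 'exam-proctor-demo',
  permissions: ['<all_urls>', 'tabs', 'webRequest', 'webRequestBlocking', 'storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_start' }],
  externally_connectable: { matches: ['https://*/*'] },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

// The same extension restricted to the (hypothetical) exam origin only.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: 'exam-proctor-demo',
  permissions: ['storage'],
  host_permissions: ['https://exam.example/*'],
  content_scripts: [{ matches: ['https://exam.example/*'], js: ['inject.js'] }],
  externally_connectable: { matches: ['https://exam.example/*'] },
};

function auditBroadSample() { return auditManifest(BROAD_MANIFEST); }
function auditScopedSample() { return auditManifest(SCOPED_MANIFEST); }

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditBroadSample()) console.log('[!] broad:', f);
  console.log('scoped findings:', auditScopedSample().length);
}
```

The audit is deliberately coarse: it says nothing about whether the extension has a bug, only how far a bug could reach. That reach is the point of the "uninstall it between exams" advice, and the scoped manifest shows that the same proctoring features do not require it.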
To its credit, Proctorio has made some efforts to patch reported flaws. But it continues to demand an insane amount of access to students' computers. And for what ends? To ensure a few people won't cheat on tests? The tradeoff in security seems completely out of whack. Hackers could leverage Proctorio to snoop on students' online activities, harvest passwords from accounts, grab photos of their IDs, and engage in surreptitious recordings.
Students in the Netherlands are demanding a return to open book tests using physical books. Due to COVID-related complications, in-person testing is limited. But allowing students to work with offline testing materials would shut down this attack vector. If the end result is a few cheaters getting away with cheating, that would make COVID-affected schooling no different than the schooling that preceded it.
Even if more students would cheat on tests given the opportunity presented by distance learning, what's the loss to society? If the information is important enough students will have trouble proceeding in life after a couple of years of testing. The only losers are the students who failed to learn. If they move through life without difficulty even without mastering this information, it only raises questions about the value of this information, rather than the students' unwillingness to sacrifice time and energy studying information with extremely limited value.
Proctorio is perhaps no more intrusive than it has to be to achieve its stated aims. But that's not a vindication of its demands from users and their devices. It's an indictment. If students can be trusted with distance learning but not distance testing, the educational system needs to do more than allow a third-party to create enticing, hackable holes for malicious people to exploit.
Filed Under: cheating, hacking, spyware, students, surveillance
Companies: proctorio
Reader Comments
But WHY...?
Re: But WHY...?
Because what's the point of a computerized learning platform if you have to grade shit? Testing for understanding in how to apply stem concepts is hard, and grading is harder. Using multiple choice or short answer questions to test memorization is easy to test and grade. But the book undermines that form of testing to actually measure results.
Combined with issues of standardized testing, low pay for teachers, grading being done outside official school hours, Professional inertia, and other national and state requirements to provide simple measurable results that favor frequent testing, and no-book tests are overwhelmingly favored.
Exercise your brain muscles, you slugs!
There is a point to stuffing information into your head. If you have nothing in your head but pointers to online resources, it is much more difficult for you to identify things which are wrong. ... or if you prefer, counter to what you have learned.
Practically speaking, going to original sources is going to be greatly the exception rather than the rule. So sure, nothing "prevents" you from using arbitrary references to solve a problem, but the entry condition is "knowing that there is a problem".
Just as a trivial example... The cashier rings up a bill for $16.36. I hand them a Twenty, two ones, a dime, and a penny. It is amazing how many cashiers will hand me back the ones, and often the coins, rather than return me the Fiver and three quarters.
Re: Exercise your brain muscles, you slugs!
I'm currently employed as an accountant. I won local quick computation contest. If you give me 22.11 for a 16.36 bill I'm not giving you a 5 and 3 quarters. You'll get a five, two quarters, a dime, 4 pennies and your dime and penny back. I've been doing this for 7 hours, I'm not getting yelled at by Anonymous Karen for fucking up mental math.
That said, you've given an odd example. The widespread use of calculators is accepted in every workplace. Perhaps you are going for sarcasm, but if so Poe's law has struck here.
As an accountant, my working memory of GAAP rules is limited to those topics I handle regularly. If I only see it once a year, I won't remember it. We have recipe cards for a reason. I used to program C++ and Objective C regularly and had a working knowledge of some functions, but I almost exclusively was looking up other libraries, syntax of various functions, or good ways to handle problems. Doctors don't rely on memory, they rely on reference material. Lawyers don't rely on memory, they rely on reference material outside the court and take what they need into court with them.
Reliance on years old memorization is not a viable way to remember everything, and studies suggest most students forget material simply learned by rote memorization, no matter how well you had it down the day of the test.
Re: Re: Exercise your brain muscles, you slugs!
"Doctors don't rely on memory, they rely on reference material"
There's a very good argument that those are the last people who should do so since medicine moves fairly fast. You probably don't want to be diagnosed by a GP who only relies on what they learned 40 years ago.
Whereas, I can say that in my job in tech, there's probably only 10-20% of what I learned at university that's even relevant today. Some fundamentals don't change, but a large proportion of my day to day didn't exist back then. I'd hate to be seen by a doctor who was in a position where he didn't keep up.
Re: Re: Exercise your brain muscles, you slugs!
In both cases, they also rely on each other. It's a bad doctor or lawyer who tries to be a hero and solve everything on their own. Of course, you mentioned difficulty of grading in another comment, and it's hard to produce individual grades when the class are working together.
Re: But WHY...?
There is certainly some value in working out whether a person understands basic concepts, especially in an online world that allows people to access knowledge without understanding what they're repeating. In my profession, you quickly learn who knows something, and who copies and pastes from StackOverflow without knowing what it means. A qualification from someone who's allowed to do the latter devalues the entire thing.
How you test this is another question, but it's certainly not reliable to get people to rote memorise things and expect them never to look at a reference source.
Re: But WHY...?
When I was at university, maths/statistics exams (among a few others) were open-book. you could bring anything into the exam that:
They recognised that being able to look up an equation didn't do much to help you solve that equation if you didn't know how it worked (and the mathematical processes for solving it). And there are so many equations available, that it's impossible for everyone to remember the full, exact, equations for everything in their heads.
From memory, chemistry practical (i.e. lab work) exams were also open book. If you don't know how to do a titration, wasting time reading up how to do it isn't going to help you get that done before the cutoff time.
It’s a rootkit, anti-cheat edition.
Now we have to worry about anti-cheat used in video games that have access to the kernel level.
Re: Agreed. Proctorio, take notes from Sony BMG.
If promoting your moral objectives is more important than stopping hackers and maintaining the security of the computers of your users, you're doing it wrong!
I want to point out: if you have a 3rd party owned device, in no way is it safe OR sane to be logging in to unrelated services, or doing financial transactions on it.
Re:
Easier said than done. Students are not known for having vast financial resources to purchase additional devices; in the USA and Canada, at least, many of them have negative money. So, the basic human right of privacy is one additional privilege students from rich families have over the poor.
Ah, Proctologo, back in the news again for their unneeded, unwanted, and unqualified invasive services, now with their quackery shown to open backdoors for further harmful invasiveness. Good work.
Isn't this the same company that was monitoring bar exams that were leaving future lawyers hacked?
Re:
Back when I did the bar exam, it was a different arrangement. Everyone showed up in a huge convention room, and if you used a computer the anti-cheat software offered a crude editor that took over your computer. The one big room meant that there was no need for cameras and that sort of stuff on the computer.
Best practices were to use a separate laptop for that exam. I still have the one I used, in a back room somewhere. It has not been powered on for many years, probably about so many as it has been since I did the bar exam.
GDPR?
If mere cookies can cause enough GDPR issues in the EU to be an existential threat to entire companies, HOW can what amounts to a mandatory data breach just be business as usual?