Man-in-the-Middle Attack Against the MCAT Exam
In Applied Cryptography, I wrote about the “Chess Grandmaster Problem,” a man-in-the-middle attack. Basically, Alice plays chess remotely with two grandmasters. She plays Grandmaster 1 as white and Grandmaster 2 as black. After the standard opening of 1. e4, she just replays the moves from one game to the other, and convinces both of them that she’s a grandmaster in the process.
Detecting these sorts of man-in-the-middle attacks is difficult, and involves things like synchronous clocks, complex cryptographic protocols, or—more practically—proctors. Proctors, of course, can be fooled. Here’s a real-world attempt at this type of attack on the MCAT medical-school admissions test.
Police allege he used a pinhole camera and wireless technology to transmit images of the questions on a computer screen back to his co-conspirator, Ruben, at the University of British Columbia.
Investigators believe Ruben then tricked three other students, who thought they were taking a multiple choice test for a job to be an MCAT tutor, into answering the questions.
The answers were then transmitted back by phone to Rezazadeh-Azar, as he continued on with the test in Victoria, police allege.
And as long as we’re on the topic, we can think about all the ways to hack this system of remote exam proctoring via webcam.
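As an added illustration (not code from the original post), here is a small logical-clock simulation of the grandmaster relay described above, together with the timing check that synchronised clocks would allow. The link latency, agreed thinking time and tolerance figures are assumptions, as are the scripted move sequences.

```python
# Logical-clock simulation of the Chess Grandmaster relay, plus the kind of
# timing check the post mentions ("synchronous clocks"). Added example with
# constructed move scripts and assumed timings; not code from the original post.

LINK_MS = 40        # assumed one-way network latency per link
THINK_MS = 10_000   # assumed agreed maximum thinking time per move
SLACK_MS = 50       # assumed tolerance for clock skew and jitter

# Scripted players: each maps the opponent's last move to its own reply.
# The sequences are constructed for the simulation, not a real game.
WHITE = {None: "e4", "e5": "Nf3", "Nc6": "Bb5", "a6": "Ba4"}
BLACK = {"e4": "e5", "Nf3": "Nc6", "Bb5": "a6", "Ba4": "Nf6"}


def play(relay: bool):
    """Return (transcript, latencies): the moves as white sees them and the
    time (ms) between each of white's moves and black's reply.

    relay=False: the two grandmasters talk directly over one link.
    relay=True: Alice sits between them, so every move crosses two links;
    she replays moves without thinking, so she adds only link latency.
    """
    hops = 2 if relay else 1
    clock, transcript, latencies, last_black = 0, [], [], None
    while last_black in WHITE:
        white_move = WHITE[last_black]
        sent_at = clock
        clock += hops * LINK_MS          # white's move travels to black
        last_black = BLACK[white_move]
        clock += THINK_MS                # black thinks
        clock += hops * LINK_MS          # black's reply travels back
        latencies.append(clock - sent_at)
        transcript += [white_move, last_black]
        clock += THINK_MS                # white thinks about the next move
    return transcript, latencies


def relay_suspected(latencies):
    """Timing check a verifier with a synchronised clock could apply: a direct
    opponent cannot reply later than one network round trip plus the agreed
    thinking time. It only catches the relay when the extra hop (2 * LINK_MS)
    exceeds SLACK_MS; with long think times and jittery links that margin is
    thin, which is one reason the post falls back on proctors."""
    bound = 2 * LINK_MS + THINK_MS + SLACK_MS
    return max(latencies) > bound


if __name__ == "__main__":
    for relay in (False, True):
        moves, lat = play(relay)
        print("relay " if relay else "direct", " ".join(moves), lat[0], relay_suspected(lat))
```

The two transcripts come out identical, which is the point of the attack: nothing in the moves themselves distinguishes Alice from a grandmaster, only the timing does.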
Brian Ballsun-Stanton • June 2, 2011 7:51 AM
The most trivial man-in-the-middle attack I can see here is just using one of the many remote desktop solutions, one that doesn’t appear in the system tray, to have a confederate also taking the exam. With that and extensive use of keyboard hot-keys to fuzz detection, it would be trivial to have the confederate either click the “correct” answers or display them through a backchannel. Additional testing would be necessary to see if a chat program on a second monitor would register.
Another trivial attack would be on the identification. While they certainly “take a photo for the record” it would be interesting to see if they make that audit-trail available to the professor grading the exam.
As a professor, this type of “human proctoring” would be highly suspect. While it’s not too bad monitoring an entire classroom, watching one student take an exam over a webcam would be an excruciatingly boring experience. There’s little chance that the proctor would remain alert over the entire period. (As the other side of that though, the student should never know when the proctor isn’t alert, which the video of the proctor slightly defeats.)