Schneier on Security
A blog covering security and security technology.
February 10, 2012
Securing iPads for Exams
Interesting blog post about locking down an iPad so students can take exams on them.
Posted on February 10, 2012 at 6:21 AM
• 31 Comments
He has forgotten *one* thing. Some Androids can act as USB hosts, and AFAIK you can jailbreak most iDevices over USB. Don't know how fast you can do that.
What nonsense. So much effort and so much expense (an iPad for every pupil attending) and in the end they print the completed papers for markup! And in some cases (graphs, equations) pupils have to use paper sheets anyway.
So why not use paper in the first place?
Peter A., the article states right up front that these are students with additional needs, not "every student attending." Computer mediation for students with motor difficulties or vision problems is a wonderful thing. I can attest to that, since I've been working with deaf students for 34 years and many of them have Usher's Syndrome (briefly, retinitis pigmentosa, onset in their early 20s, leaving many with very little useful vision). Computers have made a great deal of difference in their educational lives.
If they are going to go to the trouble of giving tests on iPads, why not just make it "open book" and rework the exam questions accordingly? Why are we fighting the technology instead of teaching how to use it more effectively?
@Vicki R "...students with additional needs"
I have apparently missed that. Sorry.
He didn't forget the USB attacks. That's why the proctors are there. You have to, you know, physically do that without your phone (which you are required to leave outside) and USB cable getting detected.
All in all, I'd say he does a pretty good job with this. For a guy who is not an infosec pro, he handles it with a pretty good infosec methodology. And I love how he understands his risk and accepts it -- something a lot of infosec people and managers I know of could do better with.
Of course, it's harder to write exams that test true understanding rather than checking whether students are able to memorize itemized facts. But once you go that extra mile, most cheating issues suddenly simply vaporize.
I sat in exams where we could bring any book (no Internet back then) we wanted, or any kind of self-made or professional cheat sheets — and you could still fail if you hadn't properly understood the subject tested for.
When I taught programming, I tried very hard to make my exams so that it wouldn't really matter if someone cheated.
I don't get this. The blog says they print the completed papers for marking. So why not hand out papers for the students to fill in? What's the point of incurring all that expense and inconvenience (securing & charging them) for something that ends up on paper anyway?
Instead of locking down the network, I was thinking more about associating a cost with leaving and re-entering the test app.
It appears that in this case, they're using an off-the-shelf PDF reader... but let's say they're using a custom app instead.
The test app could show a splash/countdown screen for 2 minutes every time the app regains focus. Want to look something up on Wikipedia? No problem, but it'll cost you 2 more minutes while you switch back to the test app.
From my understanding of the opening paragraphs this is a test from the state and grading is done offsite (hence the printing at the end). They also don't have the option to rewrite the test for open book.
They handle tethering by looking for wireless networks to show up and require phones to be in another room.
@sbi - interesting. The major vector I was worried about (for pre-calculus through calculus courses) was copying a neighbor's work.
I tried to make certain that most neighbors had different problems that looked the same at a glance.
It shocked me what percentage of students would have the correct answer for the wrong problem on their first quiz. In one case, I got nearly 40%.
@Scott: Not too long ago PS3s could be jailbroken with *calculators* (TI-83).
So yes, I think he is likely to have missed something. Also, custom jailbreak devices can be made TINY.
@AC - With a non-locked down iPad, you could also collaborate with classmates, or indeed anyone in the world, on the answers to the test.
Personally, I don't think tests (closed or open) even remotely accurately evaluate skill or ability in a given field, and I say this as someone who breezed through them in school. However, as long as we are using them to evaluate individuals, you'd have to lock down the testing workstation.
If I was at that school, I'd never use my iPad for that test. Come on.. a complete factory reset as an exam prerequisite? On a heavily used iPad the restore alone can take an hour or two - not to mention that a restore from iTunes backup does not always back up everything (e.g. losing scores in games, photos, client certificates etc...), or the fact that one iDevice can only be registered for sync with a limited number of computers (5 I think)..
Any school age kid who manages to work his/her way around this set up and successfully cheats probably deserves to pass anyway...
First, the #2 pencil on an optically scanned form is going away due to obsolete technology.
Next, an exam given on an iPad not used for other purposes in a proctored test room leaves little room for jailbreaking, especially if there is no open wireless access in that room. Alternatively, it might be possible to write a lockdown tool that prohibits access to any other site if the test is online.
Finally, a solution that significantly reduces the possibility of cheating (by students, teachers, or school administrators) is a big step forward. It isn't necessary for the idea to be perfect in order for it to still be a good choice. We all know that it is impossible to reduce risk to zero in any non-trivial, reasonable cost system.
I took an Econ course once (when laptops-on-campus were the happening new thing, and PDAs were for businessmen).
The prof said we could bring any electronic device or computer we wanted into the test. But he reserved the right to clear all memory from the machine at any moment during the test. His words were roughly, "if you don't mind me leaning over your shoulder and formatting your HDD, you can bring your laptop in."
Don't know how he would apply that to a tablet, though...
Readdle PDF Expert claims the following features:
Sync any folder on Dropbox, iDisk, Readdle Storage or WebDAV storage with a local folder on the iPad.
If the student can somehow connect to an access point (the Kismet is a good control, though hopefully both 2.4GHz and 5GHz are being watched), the next step would be to connect to Dropbox and upload the test. A collaborator elsewhere, with a computer connected to Dropbox, is notified of the new document, completes the test, or portions thereof, and saves the document. The student then re-opens the now complete document, deletes the Dropbox account and presents it as his or her own.
Note: I have not tried this particular PDF software, so there may be some reason this scenario won't work.
I've had no end of trouble finding a PDF annotation app that doesn't connect to every web-based storage service on the planet.
@woo the iPads are provided by the school just for the test. If you read more of the blog you'll see that Fraser was the first to take a school to 1 iPad per student. The exam iPads are not the normal iPads assigned to the student, they were from his spares used to swap out broken ones during repairs.
Assuming the jailbreaks work with all the options he turned off (pretty much everything is shut down but wireless and iMessages) they would still need a way to either create a wireless that doesn't show up on their scanner or tether to a phone, which can be done with a small device how? Especially on an iPad with no straight USB, just a dock connector. Dock to USB dongles aren't exactly small.
Yeah, I agree with @leo, if someone manages to jailbreak and cheat without getting caught in this setup - they deserve to pass anyway.
Wow. You are mostly stating why this is a bad idea, instead of reading the entire article, and figuring out why this is a good idea. Open your mind and think outside the box. Maybe an iPad is overkill, maybe not. Maybe this is just a first step in an evolutionary process. I hope they are successful. As with any new use for technology, we'll find ways to get around security, and those holes will be plugged. What if IBM had said, "Nope, computers are a bad idea."
Physically disabling the iPad's Home and power buttons would make it 100% safe, unless you find a way to crash the test app. I see a market for special tamper proof iPad cases that have those buttons covered.
I heartily agree with Scott -- the author of this paper:
• frankly admits his limited knowledge
• accepts that the protocol manages risk, but does not eliminate it
• presents a very nice analysis of the problem and the chosen solution
I wonder how many well-paid "security professionals" would have fallen short.
They should use Androids instead of iPads, then simply put on a special secure ROM since it's so easy to root them. ;)
I wonder why someone hasn't produced a minimal computer (monitor, ports for a keyboard and mouse and speakers, enough processor to run a specialized OS with a word processor, calculator, and exam displaying program; no modem, wireless card, or ethernet card and no other software) and sold them for exam writing. If the machine physically can't connect to the internet, and doesn't run a mass market OS and word processor, the security issues should be much simpler, and such a machine should only cost a few hundred dollars and last five years or so.
@mare : such cases exist; at least one airline has deployed them for in flight entertainment
Now, I'm no network engineer, but wouldn't it be possible (for example, with a custom built/modified android app) to make a wifi network that operates on such a low power that the "Kismet" thing doesn't detect it simply because you'd be far enough away?
I get that this is for students with "special needs" -- I teach a lot of these students in similar situations. But since he's locked out all the features of the iPad that make it different from a piece of paper, I'm having trouble figuring out what special needs could be accommodated with an iPad that can't be done with paper. There are a few, but they're so rare that the sensible thing to do is to administer the exam separately for those students with a special proctor and not worry about network security.
It's very common for students with fine motor problems to be granted the right to type or dictate their exams, at least at the university where I did my undergraduate degree. Lots of people can't write clearly fast enough, but can think, type, or dictate. But an iPad is such an awful environment to write on, unless you attach a keyboard, that I'm not sure if this is the case.
@Fred P: "I tried to make certain that most neighbors had different problems that looked the same at a glance."
Been there, done that, but with 4 or 5 different subjects, and with prior warning.
The agrégation of mathematics in France has a 4-hour exam. Your subject is randomly chosen between a public list of 100 subjects. You may bring any book with ISBN, but one.
After the 4 hours, you have 30 minutes to present your solution on black board.
Same thing for certain tenure exams (e.g., agriculture high school), but: preparation lasts 24 hours, you can go in any place you want during the preparation.
What happens when an iPad crashes and loses a student's work?
An obvious and easy to achieve measure to circumvent Kismet would be using a Bluetooth connection for tethering. The required mobile phone can be placed nearby beforehand. This is not a sophisticated attack, many iPad users know how to establish such a connection. Afterwards Dropbox can be used to collaborate from PDF Expert.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.