After describing how they set up iPads to do secure student testing, Fraser Speirs considers the attack tree – various ways a student might circumvent all of the security measures.
Having done all this, I decided to develop an attack tree for cheating while doing exams on an iPad. The tree is below, but here's the minimum you would need to do:
- Set up some kind of hotspot that Kismet can't detect in range of the exam hall
- Connect to it during the exam
- Sign in to iMessage
- Relay each question to a knowledgeable conspirator outside the exam hall
- Receive each answer and paste it into the exam paper
…all without being detected by the invigilator. That's a pretty sophisticated, well-resourced and coordinated attack for a school pupil but I'm not deluding myself that such an attack is impossible. It's not. With proper invigilation it shouldn't be a problem but I would feel happier if iMessage could be disabled or if I could lock the device onto one network only. I may be over-thinking it a bit.
The purpose of exam invigilation is not to absolutely prevent any cheating. It's to prevent any undetected cheating. The decision to make an attempt lies with the individual candidate and they should be detected and suffer the consequences.
At the same time, I'm defending this system against 15-18 year old kids from Greenock, not GCHQ and the NSA. It's important not to go overboard with the paranoia.
That's how we're doing Digital Question Papers on iPad.
Photo from Fraser Speirs
Story via Bruce Schneier