Online testing firm agrees to security audit after inquiry from senator
A company whose software has been widely used to administer law school entrance exams during the coronavirus pandemic has agreed to an independent audit of the software after a U.S. senator raised cybersecurity concerns about the product.
Alabama-based ProctorU’s web-browser extension software has allowed people across the U.S. to take the LSAT exam from home during the pandemic. But Sen. Ron Wyden, D-Ore., worried that that same accessibility, if left unsecured, could give cybercriminals a foothold onto test-takers’ devices.
And so, after inquiries from Wyden, ProctorU has hired outside security experts to review its software and the tool it uses for remote troubleshooting, according to the Law School Admissions Council (LSAC), which administers the LSAT. More than 145,000 LSAT exams were administered online from May 2020 to February 2021, and ProctorU appears to be the main contractor for doing so.
It’s another case of privacy and security risks emerging in technology that is key to adapting to the COVID-19 era, echoing the vulnerabilities that researchers have found in contact-tracing applications.
ProctorU is one of multiple companies that use web cameras, facial recognition and human proctors to monitor test-takers for signs of cheating. Some test-takers have complained that the software tools exhibit racial bias or are insensitive to people with disabilities, charges the companies say they take seriously.
Browser extensions — software that a user can add to browsers like Chrome and Safari to give them custom features — are sometimes vessels for fraud. In a case unrelated to ProctorU, Microsoft found that hackers were hijacking popular browsers to gin up web traffic in a scam that at one point affected 30,000 devices a day.
The LSAC said it has not received any complaints from test-takers that the ProctorU software accessed inappropriate data or exposed their computers to hacking.
Still, ProctorU’s audit will reassure test-takers that the company is taking “the necessary security measures” to protect their data, LSAC general counsel Leanne Shank wrote in a March 30 letter to Wyden’s office. The council will also try to negotiate contracts with vendors that do not absolve the vendor of any cybersecurity risks that come with the software, Shank said.
ProctorU was the victim of a large data breach that came to light last year, when someone on a hacking forum offered to sell some 444,000 records of personally identifiable information stolen from a ProctorU server. ProctorU confirmed the breach and said the data was from prior to 2015. The company also said it instituted heightened security measures after the breach.
Wyden told CyberScoop that the move to online testing made him concerned that students wouldn’t have a choice but to use software that hadn’t been independently vetted.
“While the pandemic has forced much of our education system online, that’s no excuse to sacrifice students’ right to privacy and security,” Wyden said. “I hope to see other testing groups following LSAC’s example.”
It is unclear which firm ProctorU hired to do the audit. ProctorU did not respond to requests for comment.
Test-taking is not the only facet of education whose exposure to cyberthreats has grown during the pandemic. Ransomware attacks on colleges doubled from 2019 to 2020 as institutions shifted to remote learning, according to a study from security firm BlueVoyant.
You can read the full letter from the LSAC to Wyden’s office online.