The Lockdown Browser is not very good at locking down

Posted byGabriel Sieben 1 Comment on The Lockdown Browser is not very good at locking down

I’m taking my second semester of classes at Inver Hills, and in my Chemistry class, we have this awful piece of software called the “Respondus Lockdown Browser.” It’s job is to lockdown the computer so you can’t use other programs, prevents copy-paste, and in theory prevents cheating.

I understand the motivation. Cheating is a scourge upon faculty and faithful students. But the methods Respondus uses (specifically the Monitor add-on) were, in my view, unacceptably invasive. Scan my Student ID or Driver’s License even though a similar company had 440,000 students hacked? Freak at me if I dare to stretch or move my head or bury my face in my palms? The ways browsers like this are unfair, discriminatory, and invasive have been well-documented in The New York Times, The Verge, and in a particularly scathing article from the MIT Technology Review.

Software that monitors students during tests perpetuates inequality and violates their privacy.

– MIT Technology Review.

Even though I took the first exam with Respondus, I got more and more angry about it. In a particular moment of frustration upon realizing Chem Exam II would use the same browser, I wrote a fairly angry email to my professor. Even though my professor had earlier admitted the browser was “draconian,” it was to prevent cheating. In my view, I did not pay $1000+ for this class to potentially have my Student ID stolen, my face recordings potentially kept for up to 5 years and resold to third-parties for AI training, or to support privacy-invasive technology. In my mind, I cheered for the 1200 students of the University of Massachusetts who successfully protested to have Lockdown Browser banned.

My professor didn’t receive my email well, but I managed to get a deal through where he would monitor me over Zoom with some other students. I have yet to take that exam, but that’s much better than the risks this software has and my ethical qualms about using it.

Now, with a safe academically-honest way to take the test, I wondered how secure Lockdown Browser actually is. I’m a Computer Programmer by trade (90th percentile on AngelList!), but the Respondus TOS states that I’m not allowed to reverse-engineer, disassemble, modify, blah blah blah boilerplate EULA. So, without using any computer programming skill, I wondered how Lockdown Browser might be defeated.

The answer: In short, it’s bad. In less than 5 minutes, without using Google, I thought of a potential solution and in 5 minutes more got it working. I can’t say they didn’t try, but if a 19-year-old can think of a solution to beat your software in 5 minutes without using Google, that’s really really bad.

That’s Google Chrome and Microsoft Word, open in a fully locked-down browser mode (just without a test loaded, but all of the system lockdown functionality is in effect.) I’m not going to explain at all how I did it (also because people have been sued for finding bugs in similar programs and reporting about them), but for the computer programmers out there, this image gives a big hint as to what the flaw is. I’m also not going to explain how I took a screenshot when Respondus blocks screenshots. Also, Respondus doesn’t do screen recording, so this hack is completely undetectable except for the student’s facial expressions, glare on glasses, or sound of typing.

So, to anyone on my campus (or in the broader world) who thinks that Respondus is virtually cheat-proof on a system level but has problems with student privacy, that’s not the case. The software can absolutely be defeated, even without programming skill. What’s frustrating too is that, when I looked at my experience shown above, I could think of multiple different methods the programmers could have used to block what I just did. They just didn’t put together what I did as being possible.

So… if a 19-year-old manages to defeat a major corporation’s anti-cheat software in 10 minutes with a unique flaw, why are we giving them student IDs again?

I think this is enough to prove my point. For anyone out there who thinks that I cheated or am posting this in bad faith, I can only say that I took the exam completely honestly – and that I am posting this publicly because it removes the temptation to keep the problem secretly to myself, and thereafter use it for all of my Chemistry exams as awesome as my grades would be. 😉

Update: I passed that test just fine with my instructor watching over Zoom call. I also held a meeting with my college about the security problems, which they acknowledged, but claimed that because it was a state-wide contract, they couldn’t stop using Respondus, and it would probably be “secure enough” for most students. I can’t help but wonder, though, how many wealthier student’s parents would be interested in purchasing my methods… am I really the only one who has figured out bypasses…

Published by Gabriel Sieben

Gabriel Sieben is a 21-year-old software developer from St. Paul, MN, who enjoys experimenting with computers and loves to share his various technology-related projects. He owns and runs this blog, and is a traditional Catholic. In his free time (when not messing with computers), he enjoys hiking, fishing, and board games.

Join the Conversation

1 Comment

  1. Reply

Leave a comment

Your email address will not be published. Required fields are marked *