4 security risks of proctoring software & how they’re eased

Does the software really need temporary access to the user’s webcam, microphone, and computer files? Should it be given permission to open and close network ports at will?

If your company is considering remote proctoring software, your concerns are reasonable. The permissions given to the app are risky, but also accompanied by rigorous checks and balances – including some of your own.

In this article, we discuss the biggest security risks of remote proctoring software, so that you can better understand the primary threats, as well as the safeguards that help mitigate them.

Collection of sensitive data

Remote proctoring software acts as a digital invigilator, and so requires “access” to the same things a human would. This includes:

• The student’s face, including how it compares to their ID.
• The student’s personal information like their name and email address.
• The student’s behaviour during their test.

This highly sensitive data is collected through an online form, as well as the student’s webcam and microphone in the form of video footage. The information is stored in the system so that invigilators can review student’s data if required – particularly any timestamped test violations that have been flagged by the system, which the invigilator must validate.

If an attacker broke into the system, they could access students’ data, including biometric identifiers, personally identifiable information (PII), and behavioural analytics from test sessions. However, robust online proctoring solutions mitigate this risk by implementing strong encryption protocols. High-quality systems employ RSA (2048-bit or higher) or elliptic-curve cryptography (ECC) for secure key exchange, alongside AES-256 encryption for data at rest and in transit. This ensures that even if someone intercepts the data, it remains indecipherable without the necessary cryptographic keys, which are securely managed using industry-standard key management practices.

In addition to strong encryption, the remote proctoring solution should include an in-depth data lifecycle policy that includes classification, lifecycle stages, access and security controls, adherence to compliance, incident management, secure disposal, and more. And of course, data shouldn’t be kept any longer than it needs to be.

Authentication

Remote online proctoring software stores personal data for students as well as valuable company assessment data, so requires strong user authentication policies for students, proctors, and administrators of the system.

This includes:

• Robust password standards for all users, with the typical lengths and character combinations, plus expiry policies to keep passwords fresh.
• Strong cryptographic protocols (like TLS 1.3 or higher) for encrypting authentication data in transit.
• Secure storage of passwords using strong hashing algorithms like bcrypt or Argon2, to prevent rainbow table attacks.
• The use of rate-limiting, CAPTCHA, or similar defenses against common attacks like brute-force and credential stuffing.

Firewall exceptions

To handle real-time video streaming, remote system monitoring and biometric data transmission, remote proctoring software often requires specific outbound network configurations, including firewall exceptions.

If your company has restrictions for accessing the internet, you may need exceptions for the following:

• UDP, RTMP, or HLS ports might be blocked, which prevents video and audio streaming. This might also be affected by restrictive NAT policies.
• RESTful APIs might block unknown domains or IPs, preventing biometric data, keystroke analysis, and other important tracking information from being sent to the servers.
• WebSockets could be throttled, prevent real-time communication between proctoring software and servers.
• Restrictions to outbound telemetry that the remote proctoring software uses to block restricted apps, like virtual machines.
• Captive portal authentication, which may block Wi-FI connections to the proctoring software.

While the software should only ask for the access it requires, you can implement risk-mitigation measures like domain-specific allowlisting, enforcing strict outbound rules, applying identity-aware policies, and performing DPI and threat analysis.

Admin-level access

The extensive permissions required by remote online proctoring software means that it may request admin-level access to the system, though this changes from software to software.

Students don’t have the skills to apply their own risk-mitigation measures for admin access (like sandbox environments, applying tamper protection, and others), so there’s only one thing to do here: ensure the software is trustworthy.

You can do this with the following and more:

• Research the company’s reputation, including forums and reviews.
• Review the company’s security certifications, compliance, and policies.
• Verify their incident response and disaster recovery plans.
• Meet with someone from the company and learn more about what the software needs access to, and why.

Those are the main security risks of remote proctoring software, and how they can be mitigated. While the software creates hazards that might ring alarm bells for security professionals, quality modern applications have safeguards that limit the risk. When combined with your own security measures, you’ll find that this form of testing is safe and secure.