For months now, ITS has been exploring the positive contributions AI can make in the assessment industry. But we’re also looking at the negative—namely, how examinees might use AI to cheat during a test. Unfortunately, this threat is a real issue, and the technology keeps getting better. Your secure browser is supposed to block cheating, but there are many smart hackers out there, and many popular secure browsers are being hacked. We’ve already seen several apps for sale targeting specific testing programs.
We consider this a potential game changer for cheating. Unlike approaches where an examinee has to allow an unknown person full access to their machine, these solutions provide the option of paying someone for a software application that can be easily installed and used to cheat on tests. It’s also more difficult to detect just by watching the examinee: a single hotkey and a question is answered.
What Is AI Capable Of?
Example 1
Here’s an example of AI cheating that we’ve been playing with. We started with a screenshot of the item.

Earlier versions of ChatGPT and other AI engines were unable to parse the text from an image, and they struggled with tables. That problem is solved. In the latest version of ChatGPT4, we passed ChatGPT the image above and provided a prompt.
Prompt to ChatGPT4: Answer the question in the picture.
ChatGPT4’s response: Based on the table, it would probably take the shortest amount of time to climb to the top of Mount Pelée, which is listed as having a height of 4,800 feet, the lowest elevation among the options provided. Therefore, the answer is E) Mount Pelée.
Example 2
Here’s another example. The examinee is asked to write a short description of a picture.

Prompt to ChatGPT4: Describe what is in this picture.
ChatGPT4’s response: The image shows a serene natural landscape featuring a long wooden boardwalk extending through a lush green meadow. The grass is tall and vibrant, suggesting it’s either late spring or summer. A variety of green shrubs and small trees are visible on the right, while the meadow spreads out to the left. The sky above is a clear blue with scattered white clouds, indicating good weather conditions. The sunlight appears to be casting a warm glow on the scene, highlighting the greenery and creating a peaceful atmosphere. There doesn’t seem to be anyone on the boardwalk, which invites viewers to imagine walking through this tranquil environment.
How Does an AI Attack Happen?
ITS has created a test “hacker” application that we use to practice concepts. Even though the ITS Secure Browser will block the attacks, we can use the application on third-party secure browsers, and of course, when the test is running outside of a secure browser.
AI attacks have three key parts:
- Get the content. There are several ways this can be done, such as (but not limited to) screenshots, man-in-the-middle content capturing, clipboard buffers, and accessibility interfaces. You should expect your secure browser to block all of these.
- Retrieve the answer. The test content must be sent to an AI Large Language Model (LLM) such as ChatGPT, and the generated answer must be returned. Currently, it is expensive and requires a technical skill set to establish a local LLM capable of answering complex questions, though that will change in the future. In the meantime, blocking web traffic to AI engines is a good way to block AI attacks. Unfortunately, very few secure browsers will do this.
- Communicate the answer to the examinee. Many approaches can be used and the approach may differ based on the item type. For essays and short answers, the software might paste the response directly into the answer block. Multiple choice and other item types might be displayed in a window that is invisible to screen recorders, or the computer might read the answer out loud. The most advanced software will use accessibility interfaces to answer the question for the examinee, without even moving the mouse.
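One way to check the "block web traffic to AI engines" mitigation from the second step above, shown as an added example that is not ITS code: a hostname matcher that works on label boundaries, run over proxy log lines for an exam window. The domain list, the log format, and the function names are assumptions made for illustration.

```python
from datetime import datetime

# Assumed, illustrative list of LLM service domains; a real deployment
# would maintain and update its own list.
AI_DOMAINS = {"openai.com", "chatgpt.com", "anthropic.com", "gemini.google.com"}

def is_ai_host(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    h = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    labels = h.split(".")
    # Compare every suffix on a label boundary, so "api.openai.com" matches
    # but "notopenai.com" does not.
    return any(".".join(labels[i:]) in AI_DOMAINS for i in range(len(labels)))

def flag_session(log_lines, start, end):
    """Return (timestamp, host) for AI-bound requests inside the exam window."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        ts_raw, _client, host = parts[:3]
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if start <= ts <= end and is_ai_host(host):
            hits.append((ts_raw, host))
    return hits

# Constructed sample log: "<ISO timestamp> <client> <requested host>"
SAMPLE_LOG = [
    "2024-03-01T09:58:00 10.0.0.7 api.openai.com",   # before the exam window
    "2024-03-01T10:05:12 10.0.0.7 exam.example.org",
    "2024-03-01T10:07:41 10.0.0.7 API.OpenAI.com.",  # mixed case, trailing dot
    "2024-03-01T10:09:03 10.0.0.7 notopenai.com",    # look-alike, not a subdomain
    "2024-03-01T10:12:30 10.0.0.7 chatgpt.com",
    "garbage",
]

if __name__ == "__main__":
    window = (datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 11, 0))
    for ts, host in flag_session(SAMPLE_LOG, *window):
        print(ts, host)
```

A check like this only covers hosted AI engines reached by name; it does not see a local LLM, which the step above notes will become more practical over time.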
Is Your Program Vulnerable?
You might be wondering how you can make sure your testing program isn’t vulnerable when you aren’t delivering using the ITS Secure Browser. Many vendors think they’re secure when they aren’t. These hackers are often the same people who hack video games, and they are not only smart, but they are constantly evolving and sharing new attack vectors.
- If you’re delivering outside of a secure browser, anyone can easily cheat. Secure browsers must be downloaded and running on the local machine. Beware of programs using a simple browser plug-in to block cheating. You can also search the internet to see if anyone is advertising cheating for your program. Use Google and Reddit to search for “cheat [your-program]” and see what’s returned.
- Consider your compatibility with JAWS, NVDA, and other assistive technologies. If the functionality is always enabled for all examinees, you’re vulnerable to screen hacking. A better approach is to enable the technologies only when the examinee is approved.
- Ask your provider about how protected you are. Do they use a third party to evaluate their security? That’s essential, and ITS will provide a private validation service if desired.

There’s a bit of truth to the fact that no matter what you do, it’s possible to cheat on a remote test. After all, cameras could be hidden in the room. But our feeling has always been that it’s our job to make it as difficult as possible to cheat, and that starts with a strong secure browser.
Interested in licensing the ITS Secure Browser? We license to any test provider, including direct competitors. Any licensing and analysis we do is completely confidential. We believe that security breaches are bad for all of us, and the ability to block a breach should not be the point of competition for delivery services. If you’re interested in using ITS security services, please contact our Sales team at info@testsys.com.
About the Authors

Pat Ward, President and CEO of ITS, has 30+ years of experience in the assessment industry. Pat’s entrepreneurial instincts led him to apply his knowledge and understanding of testing and technology to create ITS. Pat’s expertise is in merging technology architecture and trends with traditional and new assessment concepts. He specializes in the technical challenges relating to high-volume testing with local and wireless networks, emerging markets, live in the application assessment, security, large-scale data management and reporting, and the usability of item banking systems. In 2018, Pat was honored with the Association of Test Publishers (ATP) Career Achievement Award, a prestigious award highlighting significant contributions to the field of testing and assessment. Pat has a bachelor’s degree in computer science from Loyola University, and in his free time, you may find him nestled away at his WV cabin or cheering at a local Orioles baseball game.

Chris Glacken is the Director of Innovative Technologies at ITS. Chris has nine years of experience in assessment with over a decade of experience in business and technical system requirements. He’s responsible for the ITS Secure Browsers and developed an in-house ‘white hat’ tool to identify Secure Browser vulnerabilities. He’s also the mastermind behind the ITS remote proctoring technology, ProctorNow™. He earned his bachelor’s degree in information science/studies at Salisbury University, Perdue School of Business. When he’s not pioneering innovative ideas for testing software, you might find him playing Hot Wheels with his two sons or strumming the mandolin.