New Research: Cheating On Exams With Smartwatches

A Belgian university recently banned all watches from exams due to the possibility of smartwatches being used to cheat. Similarly, some standardized tests in the U.S. like the GRE have banned all digital watches. These policies seems prudent, since today’s smartwatches could be used to smuggle in notes or even access websites during the test. However, their potential use for cheating goes much farther than that. As part of my undergrad research at the University of Michigan, I’ve recently been focusing on the security and privacy implications of wearable devices, including how smartwatches might be used for cheating in an exam. Surprisingly, while there’s been interest in the security implications of wearable devices, the focus within the research community has been on how these devices might be attacked rather than on how these devices challenge existing social assumptions.

ConTest: A Smartwatch App for Collaborative Cheating

As a proof of concept, I developed ConTest, an application for the Pebble smartwatch that shows how students could inconspicuously collaborate on multiple-choice exams in real time. ConTest allows students to select a question, vote on answers, and view the most popular solution based on all of the responses from other students taking the exam. Prior to an exam, students pair their watches with their smartphones and choose the exam that they are taking. During the exam, the smartphone—hidden in the student’s pocket or backpack—facilitates communication between the smartwatch and a cloud-based aggregation service. All user interaction during the exam takes place on the smartwatch itself with simple, inconspicuous button presses.

Disrupting Security Assumptions 

The obvious solution for preventing students from cheating using smartwatches is to ban watches from exams, just as Artevelde College in Belgium recently did. But the devices will continue to evolve, both decreasing in size and detectability, and increasing in capability and ubiquity.  Future form factors are likely to be even less conspicuous and enable more unique attacks—think smart contact lenses or implantable smartphones. Outright bans may not be desirable or even feasible. In the long run, we will need to adapt in more drastic ways, perhaps by abandoning traditional exams as a form of student assessment.

While wearable devices offer an exciting platform for new types of applications, they also upend implicit security assumptions that are built into many everyday social contexts. Testing centers assume that watches don’t talk to the Internet; casinos assume that eyeglasses aren’t heads-up displays. ConTest demonstrates that even today’s technology challenges present threat models. The time has come for the research community to start considering the attack vectors introduced by this new class of technology, and for all of us to start adapting our assumptions and threat models based on an awareness of such devices.
If you’re interested in a more detailed discussion about ConTest and the security implications of smartwatches, see this technical paper I coauthored with Zakir Durumeric, Jeff Ringenberg, and J. Alex Halderman.