Security Review: Wireless Classroom Question / Answer Systems

By diademed at 11:48 pm on February 10, 2008 | 2 Comments

Summary
In many of today’s college classrooms, especially introductory science classes, the large number of students often makes it difficult to gauge classroom participation. A solution used in many of the introductory lab science sequences at the University of Washington has been to require each student to purchase a ‘clicker’, a wireless transmitter using either RF or IR technology. Students use it to select multiple choice answers from a set shown on a large screen at the front of the class, and the answers are received and tabulated in real time by a receiver somewhere in the room.

Each device transmits a code to the receiver that identifies the specific unit responsible for the transmission, and each student registers his or her ‘clicker’ to their ID.

Assets:

  • Physical Equipment (Receivers and Transmitters)
  • Confidentiality of student’s answers
  • Secrecy of the questions before they are presented
  • Secrecy of the correct answers
  • Accuracy of the received answers
  • Integrity of the transmitted responses
  • ‘Locked in’ nature of the responses


Potential Adversaries/Threats:

  • Students who wish to gain knowledge of the questions / answers
  • Students who wish to alter the answers of their peers
  • Individuals who wish to steal the physical equipment
  • Students who wish to alter their answers after their responses have been accepted
  • Students (or other individuals) who wish to know the answers of their peers


Weaknesses:

  • Since each device is a simple transmitter, it may be possible to rekey a device (with the help of a computer) so that it transmits the codes of multiple students, potentially changing their answers and breaking the integrity of the transmitted responses.
  • The receivers are kept in the room permanently, in some location, and may be vulnerable to physical theft / alteration.
  • A copy of the receiver may be able to record the answers given, as well as the codes of the devices making the transmission. This could break the secrecy of the transmitted responses.
  • Typically, the questions (and sometimes answers) are stored in the professor’s slide deck. If a copy of the slide deck is available in advance of the lecture, students could learn the questions and answers before the lecture actually happens.
  • The answers of each student must be stored in some sort of database until they are actually turned into grades. If the database is compromised, the locked in answers could be altered.

Potential Defenses:

  • Encrypted transmissions could make breaking the transmission / receiving scheme less than trivial. If a suitable (or at least sufficiently strong) type of encryption is used, it would take a very long time to decrypt the sent / received data into any interpretable form. The encryption could then be changed each quarter, since new students typically purchase new devices anyway.
  • The physical device could be locked down in some inaccessible position, or fitted with a device that would render it inoperable when not in use, which could then be removed at the end of each day. This would make the theft / alteration of the receiver less likely.
  • There are many ways to secure databases, and the discussion of these is out of the scope of this review. Suffice it to say that the database should not be in any plaintext format, and should not be accessible to students, or anyone else who doesn’t strictly need access to the data.
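
As an added illustration (not part of the original review, and not any vendor's protocol), the sketch below shows how a receiver could reject spoofed device codes, replayed transmissions and post-hoc answer changes. It uses a per-device HMAC key derived from a per-quarter secret rather than encryption, so it covers integrity and the ‘locked in’ property only; the answer byte is still sent in the clear. The frame layout, key and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (not any vendor's format):
# device id (4 bytes) | question (2) | counter (4) | answer (1) | MAC tag (8)
BODY = struct.Struct(">IHIc")
TAG_LEN = 8
QUARTER_KEY = b"constructed-demo-key-winter-2008"  # constructed sample secret


def device_key(quarter_key: bytes, device_id: int) -> bytes:
    """Per-device key, so opening one clicker does not expose its neighbours."""
    return hmac.new(quarter_key, struct.pack(">I", device_id), hashlib.sha256).digest()


def make_frame(key: bytes, device_id: int, question: int, counter: int, answer: str) -> bytes:
    """What a clicker would transmit: the body plus a truncated HMAC tag."""
    body = BODY.pack(device_id, question, counter, answer.encode("ascii"))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    def __init__(self, quarter_key: bytes, registered_ids):
        self.keys = {d: device_key(quarter_key, d) for d in registered_ids}
        self.last_counter = {}  # device id -> highest counter seen
        self.answers = {}       # (device id, question) -> locked-in answer

    def accept(self, frame: bytes) -> str:
        if len(frame) != BODY.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        device_id, question, counter, answer = BODY.unpack(body)
        key = self.keys.get(device_id)
        if key is None:
            return "unregistered"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"   # forged id or altered answer
        if counter <= self.last_counter.get(device_id, -1):
            return "replay"    # recorded frame sent again
        self.last_counter[device_id] = counter
        if (device_id, question) in self.answers:
            return "locked"    # first accepted answer stands
        self.answers[(device_id, question)] = answer.decode("ascii")
        return "accepted"
```

Changing `QUARTER_KEY` each quarter invalidates every previously derived device key, which matches the per-quarter rotation suggested above.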


Conclusion:

These devices are commonly used, and although at first they seem very vulnerable to attack by a sufficiently intelligent and motivated individual, safeguards that the manufacturer could put in place with a rather trivial amount of effort would lead to a prohibitive amount of work for a single student to be able to (or wish to) crack them for use in a single quarter, or a series of three quarters. This makes the devices potentially secure, should the safeguards be implemented.

Filed under: Security Reviews

2 Comments

  • 1

    Comment by Nick Erkert

    February 11, 2008 @ 6:36 am

    Another possible weakness could be the basic DoS attack which is devastatingly effective on most IR receivers. An attacker sends out a steady stream of junk on the carrier frequency which prevents the receivers from being able to validate any input (typically a CRC or something similar is transmitted with the data) since there would be a large amount of bit flipping. The circuits for doing this are easily built for less than the cost of an H-ITT clicker (which may motivate a student trying to save money).

  • 2

    Comment by diademed

    February 11, 2008 @ 10:08 am

    An excellent point. Although a similar device could be built for the omni-directional RF systems, the IR systems tend to be directional, and have several receivers mounted around the room to make it more convenient for students to point their clickers ‘just right’, so a successful DoS might take a more concerted effort of a few students to block every clicker. Of course, it should be possible to modify the spec of the device you linked for a more omni-directional output as well.
