Classroom scanners in the Lipsius building tested by ethical hackers
To check whether the classroom scanners are secure, a ‘pen test’ was performed in the Lipsius building on Monday 28 March. This involved switching on the person counters for a day so that ethical hackers could try to gain access to the system.
To ensure openness and transparency, the test was public. An information desk was open all day for any questions, but by 14.00 there hadn’t been much interest yet. ‘Besides an editor from Mare, just a few people have shown some interest,’ said Cyber Security trainee Timon Osinga. ‘There’s a fair amount of traffic here, especially during lunch, but hardly anyone has asked any questions.’
‘The aim of the pen test is to test the updated firmware and the change to the network settings,’ says Osinga. ‘We’re looking at whether the previous vulnerabilities have been eliminated and whether we can discover any new vulnerabilities. We want to check that the system is secure.’
The pen test is being carried out by an ethical hacker from an external consultancy (LBVD) and two ethical hackers who are still studying. ‘We’re testing the security from an attacker’s perspective,’ the ethical hacker from LBVD explained. ‘As soon as we find anything, we’ll report it and will also give recommendations on how best to fix it. This gives a realistic picture of how secure the system is.’
The results of the pen test will first be shared with the University in a report. Osinga: ‘Based on the report, we’ll be able to take any extra measures and contact the supplier. We want to resolve any vulnerabilities before we communicate. Once everything’s been fixed, we’ll share the findings with the students and staff.’
The people counters in University buildings were temporarily switched off in December after concerns arose about privacy and security aspects of the devices. A report on the privacy aspects will also be prepared before a decision is made on whether the classroom scanners will be used in the future. The results of the technology and privacy symposium will also inform the decision.