SafeExamBrowser / seb-win-refactoring

Safe Exam Browser for Windows.
https://www.safeexambrowser.org/news_en.html
Mozilla Public License 2.0

Expose the testing station MAC address in JavaScript API for Windows version #724

Open GabrielMihalache opened 10 months ago

GabrielMihalache commented 10 months ago

Hello,

Our testing platform (CASAS eTests) uses the testing station MAC address as one authentication factor so that we know if someone attempts to take our tests outside the school’s proctored environment.

We are exploring the use of SEB and find it to be robust in every way (congratulations for this great work!), except that it is lacking a way for us to grab the station's MAC address.

Could this be added to the JavaScript API? Browsing through the source code, we found out that SEB internally collects the MAC address in the "SystemInfo.cs" file; it is just not exposing the collected information.

Thank you much!

dbuechel commented 10 months ago

Thanks for your input. That should definitely be possible, I am at the moment just not sure about the (first and foremost) security-related implications of exposing the MAC address(es). Would it also suffice to expose the information in a cryptographically safe way (e.g. as a hash value)? Or with a password, which would be part of the configuration and required to be able to retrieve the actual value:

SafeExamBrowser.system.getMacAddress(password)

@danschlet What do you think about the proposed extension of the JavaScript API?

GabrielMihalache commented 10 months ago

Thank you for your answer. Yes, for us it would be enough to expose the MAC address as a hash value if there are security concerns about providing the plain address.

GabrielMihalache commented 10 months ago

Both approaches (hash value or obtaining the plain MAC address based on a configuration password) will work for us. I believe the solution with the hash value may be easier to implement. But there is a catch: many PCs today have multiple network interfaces, and therefore multiple MAC addresses. If SEB consistently retrieves the same MAC address, one value would be enough; otherwise a list with all the addresses might be necessary.
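
An added example, not part of the thread and not SEB code, of the hash-value option discussed above, using a keyed hash (HMAC-SHA256) and one token per network interface so that a station with several interfaces still matches. It assumes the tokens are computed inside the exam client with a key taken from the exam configuration; every function name, the key and the MAC addresses are constructed for illustration.

```javascript
// Added example (not SEB code): keyed tokens for station MAC addresses.
const crypto = require("crypto");

// Canonical form: 12 lowercase hex digits, so "00-1A-..." and "00:1a:..." match.
function normalizeMac(mac) {
  const hex = String(mac).replace(/[^0-9a-fA-F]/g, "").toLowerCase();
  if (hex.length !== 12) throw new Error(`not a 48-bit MAC address: ${mac}`);
  return hex;
}

// HMAC rather than a bare hash: the MAC space is only 48 bits, so an unkeyed
// digest can be mapped back to the address by enumeration.
function macToken(mac, key) {
  return crypto.createHmac("sha256", key).update(normalizeMac(mac)).digest("hex");
}

// Client side (hypothetical): one token per interface, de-duplicated and sorted
// so the result does not depend on interface enumeration order.
function stationTokens(macs, key) {
  return [...new Set(macs.map((m) => macToken(m, key)))].sort();
}

// Server side: the station passes if any reported token is enrolled.
function isEnrolledStation(reportedTokens, enrolledTokens) {
  const enrolled = enrolledTokens.map((t) => Buffer.from(t, "hex"));
  return reportedTokens.some((t) => {
    const candidate = Buffer.from(String(t), "hex");
    return enrolled.some(
      (e) => e.length === candidate.length && crypto.timingSafeEqual(e, candidate)
    );
  });
}

// Constructed sample data: key, enrolled lab station, and two reporting clients.
const KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const enrolled = stationTokens(["00-1A-2B-3C-4D-5E"], KEY);
const labPc = stationTokens(["02:00:00:aa:bb:cc", "00:1a:2b:3c:4d:5e"], KEY);
const homePc = stationTokens(["12:34:56:78:9a:bc"], KEY);
console.log(isEnrolledStation(labPc, enrolled), isEnrolledStation(homePc, enrolled));
```

The keyed token keeps the raw address away from the exam page, but it is only as trustworthy as the MAC address the client reads from the operating system.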

danschlet commented 9 months ago

To expose all MAC addresses of all network interfaces sounds way too complicated and out of the scope of what we can currently implement in SEB clients. Also, as far as I know, at least iOS doesn't expose MAC addresses at all for privacy reasons, and I could imagine that Apple will also restrict this in macOS. In most cases we cannot develop new SEB features if they can't be available on all SEB platforms.

Also I remember that MAC addresses can be faked using at least some (hackable) network interfaces.

I would recommend finding another way to implement your use case. You know that you could store certificates containing private keys in the certificate store of a managed device and then use those to decrypt SEB settings? Maybe that would work. You can also easily check IP addresses of clients in your exam solution.

Also, the one and only solution we offer to monitor exam clients is SEB Server. We are investing most developer resources in that solution, as it is far superior in ensuring client integrity over everything that third-party exam solutions can do with current SEB client versions. I don't think even the SEB JavaScript API could be used to replace what is possible with SEB Server. We will soon support generic LMS/exam solution support in SEB Server, so no full integration will be necessary to use it with other systems than the ones already supported (Moodle, Open edX, OpenOlat, Ans).