Respondus LockDown Browser

Respondus LockDown Browser is a piece of proprietary online testing software developed by Respondus, Inc, and used by departments, including the Department of Engineering Education. Success in running under Wine varies from version to version, and may involve complex installation procedures, and the software actively prevents itself from running in a virtual machine.

Official Description

From the Product page:

LockDown Browser® is a custom browser that locks down the testing environment within Blackboard, ANGEL, Brightspace by D2L, Canvas, Moodle, and Sakai. When students use LockDown Browser they are unable to print, copy, go to another URL, or access other applications. When an assessment is started, students are locked into it until they submit it for grading. Available for Windows, Mac and iOS [sic].

Features Bugs

• Integrates with Blackboard, ANGEL, Brightspace by D2L, Canvas, Moodle, and Sakai
• Assessments are displayed full-screen and cannot be minimized
• Assessments cannot be exited until submitted by users for grading

• Task switching or access to other applications is prevented
• Print, Print Screen and capturing functions are disabled
• Copying and pasting anything to and from an assessment is prohibited
• Screen capture, messaging, screen-sharing, virtual machine, and network monitoring applications are blocked from running
• Right-click menu options and function keys are disabled
• Browser menu and toolbar options are disabled, except for Back, Forward, Refresh and Stop

• Source code for the HTML page cannot be viewed
• The browser automatically starts at the login page for the institution’s learning management system
• URLs cannot be typed by the user
• External links don’t compromise the locked testing environment
• Pages from the assessment are not stored on the computer after exiting

• Assessments that are set up for use with LockDown Browser cannot be accessed with other browsers
• Localized for multiple languages, including English, Spanish, French, German, Italian, and Portuguese
• Available for both Windows and Mac computers, as well as iPad

Malware

LockDown requires administrative privileges to run, and cannot be run as an unprivileged user. Features of the browser could be construed to violate Virginia Tech Acceptable Use Policy by engag[ing] in any activity that might be purposefully harmful to systems or to any information stored thereon..., however its use is not widespread enough for this to gain any note.

There is a further extension to Respondus LockDown, called Respondus Monitor ^[1] that allows the proctor to spy on users through their webcam.

Running the Software

Download

LockDown Browser's download website shows the download option based on your OS. Since it does not support Linux, it does not let you download it. So, to download this shitty browser, you need to change the OS in your User Agent to Windows.

The file name must include the school's 9-digit ID code (for VT: 776344933). This must be immediately preceded by a '-' hyphen. If there are multiple numeric sequences exactly 9-digits long and preceded by a hyphen, the first one is interpreted as the ID code.

The following file names would work:

LockDownBrowser-2-1-3-00-776344933.exe
LockDown-776344933-March-03-2025.exe
LD-03032025-776344933.exe
999999999-776344933-999999999.exe
LDB-0000000000-776344933-999999999.exe
Note: the ID id is always the first 9 digit number with a hyphen in front. The .exe is optional.

Likewise, the following file name would NOT work:

LockDownBrowser776344933.exe This does not have a hyphen before the 9-digit code.
LockDown-030320251-776344933.exeThis has multiple 9-digit sequences, but the ID code is not first.
776344933.exeThe ID code is not preceded by a hyphen
Lockdown.exeThe ID code simply isn't in the file name

To pull down VT's executable with the default name, try curl -LO $(curl -L "https://download.respondus.com/lockdown/$(curl -L "https://download.respondus.com/lockdown/download.php?ID=776344933" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.3" 2>/dev/null | grep -ioE "download[0-9].php\?id=[0-9]*")" 2>/dev/null| grep -ioE "https.*.exe" | uniq)

Wine

There are multiple tutorials available by a quick web search which claim to get this working in Wine, however, to date, no member of VTLUUG has succeeded in doing so and existing information indicates it varies by version of the browser. There is a solution for running LockDown browser with Wine, provided by caleb adapted from this Reddit post.

This solution requires winetricks

IMPORTANT NOTE

While we here at VTLUUG promote the use of free software, many people at the university DO NOT. Follow these steps at your own risk, and ALWAYS, ask your professor before using LockDown Browser in this unsupported configuration on an actual exam. Additionally, abusing flaws in Wine's compatibility in order to cheat or otherwise obtain an unfair advantage on exams is against the honor code. If cheating is your primary goal, there are certainly better ways if you do some research. If one person is caught abusing Wine to cheat on an exam, professors will not allow anyone to use it anymore, requiring everyone to use the non-free Windows operating system. If you are tempted to cheat on an exam, consider reaching out to your professor or TA and setting up office hours to discuss the exam.

Additionally, if this method ever fails to work, ensure you have some kind of backup. Whether that is a Windows live-USB you can boot from on the day of the test, a second partition, or an entirely different device, bring it with you. Many courses provide test exams, which you can use to verify this still works a few hours in advance of the exam. The Chemistry department has a good one, and it is accessible as long as you have taken the course in a previous semester or are currently taking the course.

Step 1: Setup

First, install the following packages from your distributions package manager (names may differ):

wine winetricks gnutls

for Debian, the command is

# apt install wine gnutls-bin winetricks

Note that winetricks is only available in the contrib repository on vanilla Debian. Winetricks can be downloaded from their github as a bash script if enabling the contrib repository is not desired.

Step 2: Winetricks

Using winetricks, we can install all of the (non-free) fonts and msftedit, which is related to rich text edit controls.^[2]

$ winetricks msftedit allfonts

Step 3: Install

Now simply run:

$ wine filename

replacing filename with the exact filename of the executable. If an error about the filename missing the 9-digit ID-code appears, ensure the file is properly named. After the program is installed, a .desktop file should automatically be created. Launching that file will load the LockDown Browser. Many features work on Gnome, such as detecting when switching desktops using a gesture or attempting to switch to another application. Other desktop environments and window managers have not been tested (yet).

Virtual Machine (KVM)

This refuses to run in a Virtual Machine. It may be possible to add the -cpu kvm=off flag to Qemu to prevent it from detecting a virtualized environment, but this has not been tested to date. It may also be necessary to disable Virtio drivers and devices.

Natively (Windows or OS X)

To run on Windows, the software requires administrative privileges. Previous versions were shown to have used Internet Explorer with certain modifications executed on the fly, to add the "Lock Down" features, however it currently appears to be a stand-alone browser with some resemblance to Google's Chrome. On both OS X and Windows, it is based off of the open-source Chromium ^[3], although previous OS X versions are believed to have piggybacked off of Safari features. On Windows, the running user must have administrative privileges to run the student edition, however administrative privileges are not necessary to run the browser on OS X.

A version for iOS (iPad-only) is also available, as well as a version for centrally managed Chromebooks for education (k-12).

Analysis

The initially downloaded .exe is an InstallShield self-extracting installer. The 9-digit ID is not checked by this installer during the extraction process whatsoever -- it is simply copied from the filename into a temporary file in the extraction working directory (on Wine, c/users/hokietux/AppData/Local/Temp/ldz<some string>/id.txt, though this is dynamically generated using winapi's GetTempPathA then GetTempFileNameA).

Only cursory analysis has been done thus far, as the author of this article doesn't have a native windows box to run Respondus on. It appears that on launch, it first connects to an unencrypted http server running in AWS, presumably to check if the version is current, then it checks if it is in a virtualized environment.

Other Notes

Actual Bugs

• No support for U2F -- requires second (expensive) device for other 2 Factor Authentication methods
• Easily circumvented
  • Most students have second computer (i.e. Smartphone), which can be used for cheating (i.e. Google searching)
  • Circumvention methods disadvantage students of lower income, who do not have second device.
• No Linux version, disadvantaging students promoting the use of free software
• Does not prevent collaboration in out-of-class testing
• Superfluous for in-class testing, where students are visually monitored anyway
  • At most just promotes lazy proctoring of exams
• Cannot take multiple tests within a single session
• Requires administrative privileges which may not be available on multi-user machines
• Hostile to users of password managers

Open questions on debugging

• Is a TLS cert chain bundled, or can it be MITMed?
• What kind of protocol does it use to authenticate that it is respondus
  • A Kerberos-like protocol would be optimal, but I'd be surprised if they did it
• Does the binary do any integrity checks?
• Does qemu-only emulated devices adequately obfuscate that it runs in a VM? Doesn't seem to

References