Public pen test of classroom scanners in Lipsius
On Monday 28 March a ‘pen test’ will be carried out to check the security of the classroom scanners. These people counters in University buildings were temporarily switched off in December after growing disquiet about the privacy aspects of the devices. The pen test will be carried out in the Faculty of Humanities Lipsius building. Read below what this means for you.
What is a pen test?
A pen test is a penetration test in which ethical hackers assess systems and networks for vulnerabilities. On behalf of a client (in this case the University), these hackers try to gain unauthorised access to information and/or systems. Any vulnerabilities this reveals are shared with the client in a report, which also offers advice on how to mitigate them.
When will the pen test take place?
The pen test will take place on Monday 28 March from 09:00-17:00.
Where will the pen test be carried out?
The pen test will be carried out in a room on the ground floor of the Faculty of Humanities Lipsius building at Cleveringaplaats 1. There will also be an information desk in the main hall on the ground floor where you can ask any questions.
Who will carry out the pen test?
The pen test will be carried out by an ethical hacker from an external consultancy (LBVD) and two ethical hackers who are still students.
What will the pen test involve?
During the pen test, the ethical hackers will investigate whether a recent firmware update from the manufacturer (firmware is the built-in software a device needs in order to operate, which users cannot modify themselves) and the changes made to the network have resolved the previously identified vulnerabilities. This will be tested with a limited number of scanners that will be temporarily switched on that day. The test will be carried out from the perspective of an attacker who wants to abuse the system by gaining access to the information and systems, both via the internet and via the internal network. The ethical hackers will also analyse whether there are any vulnerabilities if an attacker has direct (physical) access to the sensors themselves.
Which scanners will be switched on and what does this mean for passers-by?
The following scanners at Lipsius will be switched on temporarily in order to carry out the pen test: at the main entrance, at the south entrance, and in rooms 0.01, 0.02, 0.03, 0.05 and 0.28. The scanners will be set to the highest privacy level, which ensures that no individual people are visible, and the information will not be stored. The scanners that are activated will only count the people present or passing by for the purposes of the pen test, so no individuals can be identified.
Why will the pen test be public?
The purpose of an open demonstration of the ethical hackers’ work is to provide openness and transparency about the follow-up steps with the scanners, of which this pen test is one. We want to show our community ‘live’ what we are doing with the sensors – this test, for example – and why we are doing it. In the coming period, we want to involve students and staff in the way we deal with the security and privacy aspects of such systems. Experts will therefore be present to answer questions.
Will students/staff be able to look around/ask questions?
On 28 March an information desk at the reception in the Lipsius will be open all day for any questions.
What will be done with the results of the pen test?
The results of the pen test will be shared with Leiden University in a report that also contains advice on how to mitigate any vulnerabilities found. If the results are positive, this does not mean that the sensors will be switched back on immediately. This pen test is only meant to check the security and, where possible, make further improvements; other aspects will not be taken into account. The University will not make a decision until the report on the privacy aspects has been completed, and will also take into account the insights gained during the ‘Technology and Trust’ symposium on 2 February.