Wired has a story about security and the Webcam laptop surveillance technology that was used in the Lower Merion School District in Pennsylvania to remotely peep into the students’ homes and take photographs. A federal judge recently issued an order that “permanently banned the Lower Merion School District from using webcams or other intrusive technology to secretly monitor students through their school-issued laptops.” (Here’s the latest update on the Robbinses’ case, which has garnered widespread media attention and a federal investigation.)
Lower Merion used LANrev Theft Track, a remote-surveillance technology, to activate the Webcams in the laptops it issued to its students (2,300 computers were given to students), so that the Webcams broadcast images of wherever the laptops were located, including students’ bedrooms. Wired reports that Leviathan Security Group, a security firm that examined LANrev Theft Track, found that the program “contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures.”
The vulnerability in the LANrev system lies in the symmetric-key encryption it uses for authentication between the client and the server, and isn’t related to the optional Theft Track feature. Therefore, even computers that are not using the theft feature are potentially vulnerable.
The authentication key is stored in the client-side and server software and is fairly easy to decipher, says Frank Heidt, president and CEO of Leviathan. It took Leviathan just a few hours to determine that it’s a stanza from a German poem. The key is the same for every computer using LANrev.
The LANrev client software on a computer is configured to contact a server every minute or so to check in and see if the server has any commands for it. Knowing what the key is would let an attacker who has installed a sniffer on the network intercept that ping and masquerade as the server in communication back to the laptop. It requires the attacker to be on the same network as the target machine — for example, on a wireless network at the school or anywhere else that offers free Wi-Fi the student might use. […]
Absolute Software, which acquired LANrev last December, said it identified the vulnerability at the time it was purchasing the software and is fixing it in a more robust version to be released in July, which will use OpenSSL for encryption.
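The design weakness described in the Wired excerpt, one authentication key shared by every client, shown as an added example that is not LANrev's code or protocol. The message format, key values, device names and the per-device key derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed values; not LANrev's key, message format or protocol.
FLEET_KEY = b"constructed-fleet-wide-key"     # identical bytes in every client
MASTER_SECRET = b"constructed-server-secret"  # stays on the server


def tag(key: bytes, device_id: str, nonce: bytes, command: bytes) -> bytes:
    """MAC over length-prefixed device id, client nonce and command."""
    parts = (device_id.encode(), nonce, command)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def device_key(device_id: str) -> bytes:
    """Per-device key, derived server-side and provisioned at enrollment."""
    return hmac.new(MASTER_SECRET, device_id.encode(), hashlib.sha256).digest()


def client_accepts(key, device_id, nonce, command, mac) -> bool:
    """Check a laptop runs on each check-in reply before acting on it."""
    return hmac.compare_digest(tag(key, device_id, nonce, command), mac)


def forged_reply_accepted(per_device: bool) -> bool:
    """Holder of laptop-A's key answers laptop-B's check-in as the server."""
    nonce, command = os.urandom(16), b"constructed-command"
    if per_device:
        held, expected = device_key("laptop-A"), device_key("laptop-B")
    else:
        held = expected = FLEET_KEY  # every client trusts the same key
    forged = tag(held, "laptop-B", nonce, command)
    return client_accepts(expected, "laptop-B", nonce, command, forged)


def replayed_reply_accepted() -> bool:
    """A genuine reply captured earlier is replayed against a fresh nonce."""
    key, command = device_key("laptop-B"), b"constructed-command"
    old_mac = tag(key, "laptop-B", os.urandom(16), command)
    return client_accepts(key, "laptop-B", os.urandom(16), command, old_mac)


if __name__ == "__main__":
    print("fleet-wide key, forged reply accepted:", forged_reply_accepted(False))
    print("per-device key, forged reply accepted:", forged_reply_accepted(True))
    print("per-device key, replayed reply accepted:", replayed_reply_accepted())
```

Per-device symmetric keys only contain the damage to the one device whose key was extracted; they are a different mitigation from the OpenSSL-based fix the excerpt mentions.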