The Stryde Hax blog has an excellent breakdown of the technology that the Lower Merion School District in Pennsylvania used to remotely control Webcams in 2,300 laptops it issued to students. (Short recap: In a recent class-action lawsuit — Robbins v. Lower Merion School District (pdf) — in Pennsylvania, the Robbins family alleged that the Lower Merion School District misused Webcam-enabled laptops it issued to students in order to remotely peep into the students’ homes, take photographs and violate their privacy. The school district has denied violating anyone’s privacy, claiming the Webcams were only turned on in case of lost or stolen computers. The FBI and local officials are investigating.)
Stryde takes a close look at Michael Perbix, a network technician for the school district, and his support of remote-activation technology:
Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. […]
The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable “curtain mode”, a special remote administration mode that makes remote control of a laptop invisible to the victim.
Usually on Webcams, when the device is turned on, then a light is also turned on to show the camera is activated. People would be able to know when they’re being watched through the Webcams. Stryde notes:
In this post, Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just “a glitch.” […]
In other posts, Perbix details a script that allows for the computer’s camera to appear off or broken to users (can’t use video conferencing or video chat), but allows the camera to still work for remote-activation purposes. Stryde explains why this is troubling: “What’s the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case?”
The full post has many more details.