Webcams Spying: It's More than Software
The Webcam spy case in the Lower Merion School District near Philadelphia has raised concern as to whether others with Webcams are vulnerable to remote spying. The school district
to activating the Webcams 42 times during a 14-month period, claiming that it did so only to track lost or stolen laptops.
But for anyone with a Webcam (and Webcams are now built in to many laptops and desktops), the question is whether you are vulnerable to having your Webcam remotely turned on. The answer is yes, though the newest version of the software used by the district to monitor its computers can no longer be used to activate Webcams or even track stolen computers.
According to Harriton High School student Phil Hayes, officials at the Lower Merion School District used a program called LANRev to manage and track the Macintosh laptops issued to students. The product was published by Pole Position Software, which was acquired last year by Vancouver, B.C.-based Absolute Software. An Absolute Software spokesman verified that it is also his understanding that the school used LANRev software.
The Philadelphia Inquirer reported that Mike Perbix, a network technician from the district, had recorded a Webcast where he talked about his use of LANRev. In a YouTube video attributed to Perbix, he says, "I've actually had some laptops we thought were stolen which actually were still in a classroom because they were misplaced, and by the time we found out that they were back I had to turn the tracking off and I had a good 20 snapshots of the teacher and the students using the machines in the classroom."
In one portion of the Webcast (not in the YouTube video), Perbix says, "You can go into curtain mode, so if you're controlling someone's machine and you don't want them to see what you're doing you just click on the curtain mode icon...you can take a snapshot of the screen by clicking on the little camera icon." Scroll down to the end of this post to listen to a 28-second audio excerpt from the Webcast, in which Perbix talks about "curtain mode."
The blog Stryde Hax has more detail about Perbix's reported activities.
End users can no longer track machines
Absolute has changed the name of the program to Absolute Manager and will be marketing it for remote management of PCs, Macs, and iPhones, but the product will no longer be used for theft or loss recovery. For those functions, Absolute offers Computrace for enterprise customers (including schools) and LoJack for Laptops for consumers.
Unlike LANRev, Absolute's current theft recovery products can't be activated by end users, according to Vice President for Global Marketing Stephen Midgley. I interviewed Midgley by phone from his office in Vancouver.
Both the Computrace and LoJack products can be used to turn on a Webcam and photograph the user in the event of a theft investigation. But unlike the old LANRev, only Absolute engineers can track devices and activate recovery features. Company policy, according to Midgley, prohibits them for doing that until a police report is filed. "For us to begin a theft recovery process, we need a case file from the police," he said.
Two of the recovery methods are GPS and Internet Protocol location tracking. Absolute tracks the location of devices every 24 hours, but once a device is reported stolen it increases to once every 15 minutes, according to Midgley. "That allows us to pinpoint the location of the device...we then provide the details over to the local law enforcement, who then go in and recover the device." Midgely said the recovery team is made up of former law enforcement officers and that the company has relationships with well more than 1,000 law enforcement agencies across North America.
Midgley said the company doesn't typically use Webcam photography, even if it's available. "The photography doesn't always take a picture of the criminal, and it's not always permissible in a court of law," he said. Often, the person who is photographed using the laptop is not the person who stole it. By the time it's been reported, the laptop has been sold, and the person using it isn't the same person who stole it, "so taking a photograph of them really proves no value. In that case, it's not a photograph of the criminal. It doesn't really help find out the location of the device," he said.
Other ways to control Webcams
There are, however, other ways to remotely turn on a laptop's Webcam. For one thing, there are many legitimate programs on the market that are used to control "nanny cams," or Webcams used at vacation homes and other remote locations. If someone has physical access to a computer, it would be possible to install this software and turn it on remotely.
There are also programs such as GoToMyPC that are designed specifically to allow users to remotely control a machine via the Internet. Once connected, the person has complete remote control over the host computer, including the Webcam, microphone, and other features.
To be certain that GoToMyPC can be used for this purpose, I downloaded a copy to a laptop and accessed it from my desktop PC via the Internet and then used my desktop PC to activate the camera on the laptop. To be fair, GoToMyPC puts up a notice on the remotely controlled machine indicating that there is a session in progress, but that notice can be immediately taken down from the remote computer.
You need physical access to a computer to install GoToMyPC, but it's not uncommon for stalking victims to sometimes be in the same location as the stalker.
Malware can turn on Webcam
There are also Trojan horses and other malware programs that can be used to take remote control of a computer. According to Mike Geide, senior security researcher at cloud security company Zscaler, "there are several exploit kits out there that include rootkit functionality that allow (people) to interact with the operating system however they want, and that includes turning on specific services or running applications in the background that would include applications to report Webcams, record audio, or turn on a built-in internal microphone."
Geide recently blogged about a Chinese government Web site that had been hacked to post malware to utilize an Internet Explorer 6 vulnerability to plant Backdoor:W32/Hupigon which, according to F-Secure, is "a remote-administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network," and "allows for recording with the user's Webcam."
TrendMicro education director David Perry stressed the importance of being aware of vulnerabilities. "It would do a public service, if we could make the public more aware that when you hook something like a Webcam up to your system that making it secure is your responsibility," Perry said. "By default, it's insecure."
In October 2008, TGDaily reported on a "game" that could "mislead people into clicking on a link that can then remotely control the user's Webcam and microphone." This YouTube video shows a proof of concept of a simple game that could cause a user to turn on the remote camera for an attacker.
While security software can protect you against much of the malware, it can't necessarily protect you against the misuse of legitimate programs designed to remotely enable a Webcam or remotely operate a PC. For that, the user has to be aware of what is running on the machine. While a sophisticated PC or Mac user may be savvy enough to determine if there are remote-control programs running on their systems, there are plenty of people who wouldn't have a clue.
I spoke with a student at Harriton who said some students are employing a very low-tech solution to block their Webcams: they're pasting black tape over the lens. Now all they need to do is figure out how to disable the microphone.
Click below to listen to a 28-second portion of Mike Perbix's Webcast, where he talks about "curtain mode." Audio taken from a longer Webcast downloaded from MacEnterprise.org.
By Larry Magid
Copyright 2010 CBS. All rights reserved. School district: Spy Webcams activated 42 times
The Lower Merion School District, accused of spying on students at home via laptop Webcams, admits that it activated them 42 times in a 14-month period.
But for anyone with a Webcam (and Webcams are now built in to many laptops and desktops), the question is whether you are vulnerable to having your Webcam remotely turned on. The answer is yes, though the newest version of the software used by the district to monitor its computers can no longer be used to activate Webcams or even track stolen computers.
According to Harriton High School student Phil Hayes, officials at the Lower Merion School District used a program called LANRev to manage and track the Macintosh laptops issued to students. The product was published by Pole Position Software, which was acquired last year by Vancouver, B.C.-based Absolute Software. An Absolute Software spokesman verified that it is also his understanding that the school used LANRev software.
The Philadelphia Inquirer reported that Mike Perbix, a network technician from the district, had recorded a Webcast where he talked about his use of LANRev. In a YouTube video attributed to Perbix, he says, "I've actually had some laptops we thought were stolen which actually were still in a classroom because they were misplaced, and by the time we found out that they were back I had to turn the tracking off and I had a good 20 snapshots of the teacher and the students using the machines in the classroom."
In one portion of the Webcast (not in the YouTube video), Perbix says, "You can go into curtain mode, so if you're controlling someone's machine and you don't want them to see what you're doing you just click on the curtain mode icon...you can take a snapshot of the screen by clicking on the little camera icon." Scroll down to the end of this post to listen to a 28-second audio excerpt from the Webcast, in which Perbix talks about "curtain mode."
The blog Stryde Hax has more detail about Perbix's reported activities.
End users can no longer track machines
Absolute has changed the name of the program to Absolute Manager and will be marketing it for remote management of PCs, Macs, and iPhones, but the product will no longer be used for theft or loss recovery. For those functions, Absolute offers Computrace for enterprise customers (including schools) and LoJack for Laptops for consumers.
Unlike LANRev, Absolute's current theft recovery products can't be activated by end users, according to Vice President for Global Marketing Stephen Midgley. I interviewed Midgley by phone from his office in Vancouver.
Both the Computrace and LoJack products can be used to turn on a Webcam and photograph the user in the event of a theft investigation. But unlike the old LANRev, only Absolute engineers can track devices and activate recovery features. Company policy, according to Midgley, prohibits them for doing that until a police report is filed. "For us to begin a theft recovery process, we need a case file from the police," he said.
Two of the recovery methods are GPS and Internet Protocol location tracking. Absolute tracks the location of devices every 24 hours, but once a device is reported stolen it increases to once every 15 minutes, according to Midgley. "That allows us to pinpoint the location of the device...we then provide the details over to the local law enforcement, who then go in and recover the device." Midgely said the recovery team is made up of former law enforcement officers and that the company has relationships with well more than 1,000 law enforcement agencies across North America.
Midgley said the company doesn't typically use Webcam photography, even if it's available. "The photography doesn't always take a picture of the criminal, and it's not always permissible in a court of law," he said. Often, the person who is photographed using the laptop is not the person who stole it. By the time it's been reported, the laptop has been sold, and the person using it isn't the same person who stole it, "so taking a photograph of them really proves no value. In that case, it's not a photograph of the criminal. It doesn't really help find out the location of the device," he said.
Other ways to control Webcams
There are, however, other ways to remotely turn on a laptop's Webcam. For one thing, there are many legitimate programs on the market that are used to control "nanny cams," or Webcams used at vacation homes and other remote locations. If someone has physical access to a computer, it would be possible to install this software and turn it on remotely.
There are also programs such as GoToMyPC that are designed specifically to allow users to remotely control a machine via the Internet. Once connected, the person has complete remote control over the host computer, including the Webcam, microphone, and other features.
To be certain that GoToMyPC can be used for this purpose, I downloaded a copy to a laptop and accessed it from my desktop PC via the Internet and then used my desktop PC to activate the camera on the laptop. To be fair, GoToMyPC puts up a notice on the remotely controlled machine indicating that there is a session in progress, but that notice can be immediately taken down from the remote computer.
You need physical access to a computer to install GoToMyPC, but it's not uncommon for stalking victims to sometimes be in the same location as the stalker.
Malware can turn on Webcam
There are also Trojan horses and other malware programs that can be used to take remote control of a computer. According to Mike Geide, senior security researcher at cloud security company Zscaler, "there are several exploit kits out there that include rootkit functionality that allow (people) to interact with the operating system however they want, and that includes turning on specific services or running applications in the background that would include applications to report Webcams, record audio, or turn on a built-in internal microphone."
Geide recently blogged about a Chinese government Web site that had been hacked to post malware to utilize an Internet Explorer 6 vulnerability to plant Backdoor:W32/Hupigon which, according to F-Secure, is "a remote-administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network," and "allows for recording with the user's Webcam."
TrendMicro education director David Perry stressed the importance of being aware of vulnerabilities. "It would do a public service, if we could make the public more aware that when you hook something like a Webcam up to your system that making it secure is your responsibility," Perry said. "By default, it's insecure."
In October 2008, TGDaily reported on a "game" that could "mislead people into clicking on a link that can then remotely control the user's Webcam and microphone." This YouTube video shows a proof of concept of a simple game that could cause a user to turn on the remote camera for an attacker.
While security software can protect you against much of the malware, it can't necessarily protect you against the misuse of legitimate programs designed to remotely enable a Webcam or remotely operate a PC. For that, the user has to be aware of what is running on the machine. While a sophisticated PC or Mac user may be savvy enough to determine if there are remote-control programs running on their systems, there are plenty of people who wouldn't have a clue.
I spoke with a student at Harriton who said some students are employing a very low-tech solution to block their Webcams: they're pasting black tape over the lens. Now all they need to do is figure out how to disable the microphone.
Click below to listen to a 28-second portion of Mike Perbix's Webcast, where he talks about "curtain mode." Audio taken from a longer Webcast downloaded from MacEnterprise.org.
By Larry Magid
Popular in SciTech
- Calif. teen wins Intel Science Research competition Play Video
- One woman's journey to save the white lions
- New Flickr comes with 1 terabyte free storage
- Computer visionary says he knows who invented Bitcoin
- Apple's next iPhone may be coming in June
- Canada trying to lure Silicon Valley tech workers
- Four things you need to know about tornado season
- Thousands online proclaim: Jahar Tsarnaev is innocent
First, they roll their own customer under the bus for following their recommendations. LANRev specifically touted the ability of the tracking feature to be used by end users to determine the identify of "inside" thefts themselves. Then they turn around and say LMSD shouldn't have done that?
Second, they react to this problem in the complete opposite way to the way that makes sense. If anything, the lesson in this is that transparency and openness is needed in computer security. Instead, they take control of the theft tracking feature out of the hands of their own customers. If I'm going to install software on my computer, you better believe that it's not going to be Absolute Software that gets to choose when its webcam goes on no matter what their policy is because if there's any lesson in this mess, it's that policy is not enough to protect you -- you need enforced protection that you control.
If I had a computer with the camera installed in it - it would be deactivated until I wanted to use it.
Is that too simplistic?
I also keep my computer turned off (shut down and disconnected when the day is done.
I guess personal security is still not well understood!
You are only at risk if you allow yourself to be open to malware and viruses or if you don't make sure you KNOW exactly what you are installing on your machine in terms of software.
The original story of this baffled me, because I just don't understand how, among thousands of students, not one of them was a computer geek that figured out the privacy risk of what was installed on their computers....
Probably because they were Macs...and those just aren't all that attractive to us geek types, in general. So much for the whole "Apples are safer for their users" line that they like to try to sell you. I don't know about anyone else, but having my computer taking pictures of me without my permission is one of the worst security issues I could imagine.