Categories
Security

When The Laptop Watches You

Virtually everyone in the United States has now heard of the case in Lower Merion School District where administrators allegedly took thousands of pictures of students at home. They did this by using a school issued laptop that was equipped with a camera and software that could remotely access them. Kids often leave them in their bedrooms, and the rest is pretty self-explanatory.

The software LANrev (now renamed Absolute® Manage) intends for the feature to be used by administrators for the purposes of theft recovery. That obviously leaves an avenue for abuse.

If you or someone you know has a laptop with a camera that is managed by a third party, always assume they could have control of that device. A simple piece of opaque tape (I’d suggest electrical tape) over the camera will prevent any abuse of the camera. You can put a small piece of paper between the camera glass and tape to help avoid damage and clean it when you remove the tape before returning it. Harmless fix. Someone could in theory still listen using the microphone and view what’s on the screen at any given moment, but that’s a much smaller invasion of privacy than someone watching you get undressed in your own home. Use the computer only for school work if possible, and the rest isn’t much of an issue.

Someone did some digging into the software and it’s implementation at this particular school district, and quite frankly it’s a bit disturbing.

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

“what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking”

This type of stuff should have set off some alarms. Good security doesn’t rely on obscurity or deceit.

The laptops have a light next to the camera that illuminates when the camera is activated, however the IT folks are alleged to have claimed the light appearing was a glitch according to the above link.

That said, school districts shouldn’t use laptops with cameras and microphones. Manufacturers should give those bulk purchasers the ability to have no camera installed. Alternatively they should be physically removed from the chassis by IT staff before being distributed to students. Disabling via software or policy isn’t going to stop this problem as long as the same people who control the laptops are the ones most likely to abuse it.

This is an interesting mix of hardware, software and policy security implications. The hardware worked correctly (it warned the user) but shouldn’t have existed. The software was abused and the policy was flawed. Lots of things can be learned here.