Thein the Lower Merion School District near Philadelphia has raised concern as to whether others with Webcams are vulnerable to remote spying. The school district to activating the Webcams 42 times during a 14-month period, claiming that it did so only to track lost or stolen laptops.
But for anyone with a Webcam (and Webcams are now built in to many laptops and desktops), the question is whether you are vulnerable to having your Webcam remotely turned on. The answer is yes, though the newest version of the software used by the district to monitor its computers can no longer be used to activate Webcams or even track stolen computers.
According to Harriton High School student Phil Hayes, officials at the Lower Merion School District used a program called LANRev to manage and track the Macintosh laptops issued to students. The product was published by Pole Position Software, which was acquired last year by Vancouver, B.C.-based Absolute Software. An Absolute Software spokesman verified that it is also his understanding that the school used LANRev software.
The Philadelphia Inquirer reported that Mike Perbix, a network technician from the district, had recorded a Webcast where he talked about his use of LANRev. In a YouTube video attributed to Perbix, he says, "I've actually had some laptops we thought were stolen which actually were still in a classroom because they were misplaced, and by the time we found out that they were back I had to turn the tracking off and I had a good 20 snapshots of the teacher and the students using the machines in the classroom."
In one portion of the Webcast (not in the YouTube video), Perbix says, "You can go into curtain mode, so if you're controlling someone's machine and you don't want them to see what you're doing you just click on the curtain mode icon...you can take a snapshot of the screen by clicking on the little camera icon." Scroll down to the end of this post to listen to a 28-second audio excerpt from the Webcast, in which Perbix talks about "curtain mode."
The blog Stryde Hax has more detail about Perbix's reported activities.
End users can no longer track machines
Absolute has changed the name of the program to Absolute Manager and will be marketing it for remote management of PCs, Macs, and iPhones, but the product will no longer be used for theft or loss recovery. For those functions, Absolute offers Computrace for enterprise customers (including schools) and LoJack for Laptops for consumers.
Unlike LANRev, Absolute's current theft recovery products can't be activated by end users, according to Vice President for Global Marketing Stephen Midgley. I interviewed Midgley by phone from his office in Vancouver.
Both the Computrace and LoJack products can be used to turn on a Webcam and photograph the user in the event of a theft investigation. But unlike the old LANRev, only Absolute engineers can track devices and activate recovery features. Company policy, according to Midgley, prohibits them for doing that until a police report is filed. "For us to begin a theft recovery process, we need a case file from the police," he said.
Two of the recovery methods are GPS and Internet Protocol location tracking. Absolute tracks the location of devices every 24 hours, but once a device is reported stolen it increases to once every 15 minutes, according to Midgley. "That allows us to pinpoint the location of the device...we then provide the details over to the local law enforcement, who then go in and recover the device." Midgely said the recovery team is made up of former law enforcement officers and that the company has relationships with well more than 1,000 law enforcement agencies across North America.
Midgley said the company doesn't typically use Webcam photography, even if it's available. "The photography doesn't always take a picture of the criminal, and it's not always permissible in a court of law," he said. Often, the person who is photographed using the laptop is not the person who stole it. By the time it's been reported, the laptop has been sold, and the person using it isn't the same person who stole it, "so taking a photograph of them really proves no value. In that case, it's not a photograph of the criminal. It doesn't really help find out the location of the device," he said.
Other ways to control Webcams
There are, however, other ways to remotely turn on a laptop's Webcam. For one thing, there are many legitimate programs on the market that are used to control "nanny cams," or Webcams used at vacation homes and other remote locations. If someone has physical access to a computer, it would be possible to install this software and turn it on remotely.
There are also programs such as GoToMyPC that are designed specifically to allow users to remotely control a machine via the Internet. Once connected, the person has complete remote control over the host computer, including the Webcam, microphone, and other features.
To be certain that GoToMyPC can be used for this purpose, I downloaded a copy to a laptop and accessed it from my desktop PC via the Internet and then used my desktop PC to activate the camera on the laptop. To be fair, GoToMyPC puts up a notice on the remotely controlled machine indicating that there is a session in progress, but that notice can be immediately taken down from the remote computer.
You need physical access to a computer to install GoToMyPC, but it's not uncommon for stalking victims to sometimes be in the same location as the stalker.
Malware can turn on Webcam
There are also Trojan horses and other malware programs that can be used to take remote control of a computer. According to Mike Geide, senior security researcher at cloud security company Zscaler, "there are several exploit kits out there that include rootkit functionality that allow (people) to interact with the operating system however they want, and that includes turning on specific services or running applications in the background that would include applications to report Webcams, record audio, or turn on a built-in internal microphone."
Geide recently blogged about a Chinese government Web site that had been hacked to post malware to utilize an Internet Explorer 6 vulnerability to plant Backdoor:W32/Hupigon which, according to F-Secure, is "a remote-administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network," and "allows for recording with the user's Webcam."
TrendMicro education director David Perry stressed the importance of being aware of vulnerabilities. "It would do a public service, if we could make the public more aware that when you hook something like a Webcam up to your system that making it secure is your responsibility," Perry said. "By default, it's insecure."
In October 2008, TGDaily reported on a "game" that could "mislead people into clicking on a link that can then remotely control the user's Webcam and microphone." This YouTube video shows a proof of concept of a simple game that could cause a user to turn on the remote camera for an attacker.
While security software can protect you against much of the malware, it can't necessarily protect you against the misuse of legitimate programs designed to remotely enable a Webcam or remotely operate a PC. For that, the user has to be aware of what is running on the machine. While a sophisticated PC or Mac user may be savvy enough to determine if there are remote-control programs running on their systems, there are plenty of people who wouldn't have a clue.
I spoke with a student at Harriton who said some students are employing a very low-tech solution to block their Webcams: they're pasting black tape over the lens. Now all they need to do is figure out how to disable the microphone.