Simply typing “Lower Merion County WebCam” into Google brings back 35,000 websites, and “Lower Merion County” 185,000. This is no small news story. Yet the focus of many is on the ability the IS department had to take unsolicited and private pictures of minors/students in their homes using school-issued laptops.

On February 16th, 2010, a civil suit was brought against the Lower Merion, PA school district which, in short, charges the district with spying on students and, in some instances, taking photographs of students in their homes using the embedded webcam in the school-issued Apple MacBooks, without their knowledge. Social-engineer.org previously blogged on the initial disclosure.

The information for these articles is based on the recently released report of an independent investigation, retained by the school district and performed by Ballard Spahr, L.L.P. with the help of L-3 Services, Inc., an independent computer forensic consulting firm. During the course of this 10-week independent investigation, 500,000 pages of documents and 19 terabytes of data were voluntarily handed over by the school district to be analyzed by the investigating parties, resulting in a very long report. There were also several interviews with school district staff and local law enforcement.

Social-engineer.org sent out a plea for help, and a security enthusiast and penetration tester, Nick “nick8ch” Hitchcock, stepped forward to help us analyze and decipher this large report. What we came up with is a two-part blog post that analyzes this story from some unique perspectives.

Part 1: Technical Analysis: what technology was used, how, when and to what extent. Part 2: What we can learn from this case, and how to protect ourselves against privacy violations from so-called “trusted” sources.

Part 1: Technical Analysis.

First, let’s look at the background of the school district’s technology setup. In the fall of 2007, the school district purchased computer management software to handle the ever-growing size of its network infrastructure. They chose a software product by the name of LANrev. It’s important to note that since the initial purchase of the software, the company that created this software package, Pole Position, was bought by Absolute Software. The name of the software has changed, as have some features, but to match the case record I will use the original naming of the monitoring software and its components. LANrev’s features included software deployment and updates/patches, hardware/software inventory management, cross-platform compatibility (meaning Windows and Apple computers were supported) and a “Theft Recovery” feature called TheftTrack. For obvious reasons we will be focusing on the last feature.

What exactly did TheftTrack do? In the event of a laptop theft, this service could be remotely activated on the laptop. The TheftTrack service was not active at all times. It had to be manually started. Within the school district, only two individuals of the 18 IS staff members had TheftTrack administrative access, Carol Cafiero – IS Coordinator and Michael Perbix – Network Technician.

What was TheftTrack capable of? Three things could be selected for collection. Any one or all of these could be selected or deselected when TheftTrack was activated:

– The IP address of the computer.

– A still photograph or snapshot from the embedded webcam, taken at a set time interval, as short as one minute.

– A desktop screenshot of the computer, taken at a similar time interval to the webcam snapshot.

Some points to note about these features are that TheftTrack was incapable of recording video or audio from the computer. Also, it could not access the camera if it was in use by another application, for instance video conferencing. It was found that remote snapshots were not available “on demand”; they were available only after TheftTrack was activated, and were then sent at the interval at which LANrev was set to check in, or “call home,” to the school’s main LANrev inventory server. This obviously could only take place when the specified computer was connected to the internet. The information was then uploaded and stored on the LANrev inventory server, where it had to be manually reviewed and purged.

Here is a video of Michael Perbix talking about this tracking feature:

One discrepancy I found in the internal investigation is that, although only two individuals had sufficient credentials to activate or deactivate the service, the documentation supports that any LANrev administrator could view the data TheftTrack collected.
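The operating model described above (activation by one of the two TheftTrack administrators, collection only when the agent checks in, data sitting on the inventory server until someone purges it, and the open question of who could view it) is exactly what an auditor would try to reconstruct from server logs. The script below is an added example written for this post; it is not LANrev code and not data from the report, and the log format, account names, device names and timestamps are all constructed placeholders. It reconciles activations and data views against the accounts that were supposed to hold TheftTrack credentials, counts webcam snapshots delivered inside each activation window, and flags any snapshot that arrives with no activation on record, the kind of gap a paper trail is supposed to rule out.

```python
from datetime import datetime

# Added example, not LANrev code or data from the report. The log format, account
# names, device names and timestamps are constructed for illustration.
SAMPLE_LOG = """\
2009-10-20T08:15:00 actor=tt_admin_1 event=theft_track_activate device=LAPTOP-0001 collect=ip,webcam,screenshot
2009-10-20T08:30:00 actor=agent event=checkin device=LAPTOP-0001 collect=ip,webcam,screenshot
2009-10-20T09:30:00 actor=agent event=checkin device=LAPTOP-0001 collect=ip,screenshot
2009-10-21T09:00:00 actor=tt_admin_1 event=theft_track_deactivate device=LAPTOP-0001
2009-10-22T10:00:00 actor=lanrev_admin_7 event=view_collected device=LAPTOP-0001
2009-11-02T14:00:00 actor=lanrev_admin_7 event=theft_track_activate device=LAPTOP-0002 collect=webcam
2009-11-02T15:00:00 actor=agent event=checkin device=LAPTOP-0002 collect=webcam
2009-11-05T11:00:00 actor=agent event=checkin device=LAPTOP-0003 collect=webcam
"""

# Constructed: the accounts that are supposed to be the only TheftTrack administrators.
THEFTTRACK_ADMINS = {"tt_admin_1", "tt_admin_2"}


def parse_line(line):
    """Timestamp followed by key=value fields -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def new_device():
    return {"active_since": None, "windows": [], "webcam_snapshots": 0,
            "unlogged_snapshots": 0, "viewers": set()}


def audit(log_text, admins=THEFTTRACK_ADMINS):
    """Return (per-device summary, list of findings) for a TheftTrack audit log."""
    devices = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dev = devices.setdefault(rec["device"], new_device())
        event = rec["event"]
        collected = rec.get("collect", "").split(",")
        if event == "theft_track_activate":
            if rec["actor"] not in admins:
                findings.append(f"{rec['device']}: activated by {rec['actor']}, "
                                "who is not a TheftTrack administrator")
            dev["active_since"] = rec["ts"]
        elif event == "theft_track_deactivate":
            if dev["active_since"] is not None:
                dev["windows"].append((dev["active_since"], rec["ts"]))
                dev["active_since"] = None
        elif event == "checkin" and "webcam" in collected:
            # A snapshot should only ever arrive while an activation is on record.
            if dev["active_since"] is not None:
                dev["webcam_snapshots"] += 1
            else:
                dev["unlogged_snapshots"] += 1
                findings.append(f"{rec['device']}: webcam snapshot delivered at "
                                f"{rec['ts'].isoformat()} outside any recorded activation")
        elif event == "view_collected":
            dev["viewers"].add(rec["actor"])
            if rec["actor"] not in admins:
                findings.append(f"{rec['device']}: collected data viewed by {rec['actor']}, "
                                "who is not a TheftTrack administrator")
    # Tracking that was switched on and never switched off is itself a finding.
    for name, dev in devices.items():
        if dev["active_since"] is not None:
            findings.append(f"{name}: tracking still active, never deactivated since "
                            f"{dev['active_since'].isoformat()}")
    return devices, findings


def exposure_hours(devices):
    """Hours each device spent inside closed activation windows."""
    return {name: sum((end - start).total_seconds() for start, end in dev["windows"]) / 3600
            for name, dev in devices.items()}


if __name__ == "__main__":
    devices, findings = audit(SAMPLE_LOG)
    for name, hours in exposure_hours(devices).items():
        print(f"{name}: {hours:.2f} h tracked, {devices[name]['webcam_snapshots']} webcam snapshots")
    for finding in findings:
        print("FINDING:", finding)
```

On the constructed sample this reports one device tracked for 24.75 hours with its collected data viewed by an account outside the TheftTrack pair, a second device activated by such an account and never deactivated, and a third device delivering a snapshot with no activation on record at all. The point is that such a reconciliation is only possible if activation, delivery and viewing are all logged; anything done through LANrev outside the TheftTrack module would leave nothing for this script to check.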

From a social engineering perspective, the usefulness and relevance of this independent report ends here. One critical aspect of this case goes ignored…

The entire focus of this investigation rests in the fact that the TheftTrack module was the only method able to remotely breach the privacy of students and teachers.

The standard install of LANrev allows remote administrator access to the client and allows much more to be done to monitor, track and collect data from its client computers.

The following information can be found via the LANrev website. Theft tracking was officially available starting with version 4, but as far back as Version 1 of LANrev the administrator had the ability to interact with the shell or command line of any monitored computers. Any information security specialist or hacker will confirm this alone is the “Holy Grail” or the ultimate goal in compromising a computer system. This, by default, was available at ANY time to the administrators. Notice other highlighted revisions in the life of this software:

– LANrev version 2.0 implemented remote desktop integration with Mac and Windows, allowing remote graphical user interface interaction.

– LANrev version 3.0 added integration of VNC, PC Anywhere and Timbuktu. VNC takes remote graphical user interface interaction to another level, because it allows stealth remote monitoring of the computer desktop, undetected and without interaction from the remote user. This contradicts the claim that the school district did not have the means of viewing live feeds of the students’ activity.

– LANrev version 4.51 added support to search and display any text file from client computers on the administrator’s workstation using the new View Text File command. Also added in this release was the ability to request LANrev to try to wake up a computer that is presently suspended and to discard all commands that have been run from the remote computer.

– LANrev version 4.6.2 decided to sacrifice security for ease of use. Directly from the release notes: “New preference setting for Agent Deployment Center (Mac OS X only): You can now instruct LANrev Administrator to disregard SSH host keys for identifying clients on which to install the Agent. This has the advantage of not requiring re-authentication when the operating system of the client has changed, e.g., because of reinstallations. Note, though, that this option also causes a slight reduction in security that makes it possible in principle for an unauthorized device to appear as a legitimate member of the network to the Agent Deployment Center and capture the SSH password.”

– LANrev version 5.1.1 added a feature: when executing AppleScript scripts, you can choose between executing them in the context of the current user or in the context of another user.
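To make the 4.6.2 release note above concrete, here is a small added example (our own illustration, not LANrev’s or Absolute Software’s code) of what an SSH host key check buys a deployment tool, and what is given up by disregarding it. The host names and key bytes are constructed. The store pins each client’s host key fingerprint on first contact; the deployment step then hands out the SSH password only to a host whose key still matches the pin, while the “disregard host keys” setting sends it to whatever device answers to the name.

```python
import base64
import hashlib

# Added example, not LANrev code: a minimal "known hosts" store that pins each
# client's SSH host key fingerprint the first time the agent is deployed, and a
# deployment step that refuses to hand the SSH password to a host whose key no
# longer matches. Host names and key bytes below are constructed.


def fingerprint(pubkey_bytes):
    """SHA-256 fingerprint in the SHA256:<unpadded base64> form OpenSSH prints."""
    digest = hashlib.sha256(pubkey_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Pin of host name -> fingerprint, filled on first contact (trust on first use)."""

    def __init__(self):
        self.pins = {}

    def enroll(self, host, pubkey_bytes):
        """Record a host's key, or deliberately re-record it after a verified reinstall."""
        self.pins[host] = fingerprint(pubkey_bytes)
        return self.pins[host]

    def check(self, host, pubkey_bytes):
        """'trusted' if the key matches the pin, 'unknown' if never seen, 'mismatch' otherwise."""
        stored = self.pins.get(host)
        if stored is None:
            return "unknown"
        return "trusted" if stored == fingerprint(pubkey_bytes) else "mismatch"


def deploy_agent(store, host, presented_pubkey, disregard_host_keys=False):
    """Model of the deployment decision. The SSH password is the credential the
    Agent Deployment Center sends, so it must only go to a host we can identify."""
    if disregard_host_keys:
        # The 4.6.2 convenience setting: no identity check at all, so any device
        # answering to this host name receives the password.
        status = "unverified"
    else:
        status = store.check(host, presented_pubkey)
    credential_sent = status in ("trusted", "unverified")
    return {"host": host, "status": status, "credential_sent": credential_sent}


if __name__ == "__main__":
    store = HostKeyStore()
    store.enroll("lab-mac-01", b"constructed host key A")
    print(deploy_agent(store, "lab-mac-01", b"constructed host key A"))
    # A different key behind the same name: a reinstall or an impostor, and the
    # tool cannot tell which, so the safe answer is to stop and re-verify.
    print(deploy_agent(store, "lab-mac-01", b"constructed host key B"))
    print(deploy_agent(store, "lab-mac-01", b"constructed host key B", disregard_host_keys=True))
```

The reinstall case the release note is solving for shows up here as a “mismatch”: the right fix is to re-enroll the rebuilt machine after confirming out of band that it is the same hardware, not to turn the check off for every client.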

Another part of this case is that one of the two members of the IS department that had TheftTrack credentials, Michael Perbix, was active on certain technical forums discussing remote activation and deactivation of the built-in webcam on Apple MacBooks. One such post on his own blog gave instructions on how to do this, as well as providing a simple script to make such a process easy.

Remember the last feature mentioned above, where “you can now choose between executing them in the context of the current user or in the context of another user”? This particular feature comes into play with a possible “stealth” use of the built-in webcam.

During normal operation, if the internal webcam is activated on a MacBook, a small green light appears next to the webcam, letting you know it is active. At times during the past few years at the Lower Merion school, several students reported their green webcam lights momentarily turning on and then off. One such case was even reported by a 9th-grade teacher by the name of Christine Jawork. She mentioned to her students that the school could “activate their laptops’ webcam”, and she had taped over her webcam because of this. She also confirmed to the independent investigation that some of her students discussed seeing the green light when not using the webcam.

This would make sense if the monitoring software took a single snapshot. But if there was any prolonged use of the webcam it would not be “stealth”, because the light would stay on constantly. But what if there was a way to disable the light? This is where our research becomes speculative, but it still raises serious concerns. As mentioned, Michael Perbix posted a method to disable the built-in webcam. Why would he do this if the TheftTrack software relied on this hardware for taking snapshots? His own words in another forum have the answer.

He says: “You … can simply change permission on 2 files…what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking etc)…I actually created a little Applescript utility and terminal script which will allow you to do it remotely, or allow a local admin to toggle it on and off. The info and links to a DMG are in my blog.“

Interesting. So the method of disabling the webcam he used was a permission change. Remember, the LANrev software gave administrator rights on the remote machine, allowing them to activate the webcam. Continue to watch our blog for updates on this research.

In addition, here is Michael Perbix’s personal blog, where he mentions installing software directly onto a user’s computer and executing commands via scripts.

It would appear that the IS department knew what the LANrev software was capable of. They knew how to use it officially, meaning activating TheftTrack. Our research leads us to believe this is just the tip of the iceberg. LANrev itself was capable of much more. The extremely scary part about this is that anything manually pushed out or installed remotely using LANrev may not have been logged. At least TheftTrack, when activated, left a paper trail. If any one of these LANrev administrators, not just the two TheftTrack administrators, wanted to remotely install a malicious application, such as a program to capture keystrokes or screenshots, they could at any time. In addition, they had the ability to remotely view the computer desktop of any user in real-time without the user’s knowledge.

In conclusion, the independent report, although seemingly thorough, was narrow in focus. It did not take into consideration the abilities of the LANrev software, but dwelt solely on the TheftTrack module. I’d also like to highlight the fact that they retrieved 19 terabytes of electronic data. To put this in perspective, they say you would be able to fit the entire Library of Congress on roughly 20 terabytes. So in the span of 10 weeks all 19 terabytes of data were thoroughly investigated?

I believe this “independent” investigation is not enough to persuade anyone of the school district’s innocence in this matter. In fact, at face value, it appears that this report distracts from the real issue, that of the personal privacy of the students and their families. The report simply places blame on the previous IS director, who is no longer employed by the school district, and on the TheftTrack software, which is no longer in use. However, ANY monitoring software that allows remote access to a computer in the privacy of your home without your knowledge is the same thing. Privacy is still being violated. Just because the “official” tracking software does A, B & C, this doesn’t mean that LANrev cannot accomplish the same when in the hands of an unethical network technician. Privacy and human decency should always be put above any network infrastructure process. There are so many intricate details in this case that we simply couldn’t write about all of them. Although the independent report lacks a full scope of this case, it does have very good information about some of the specifics. I suggest you take a look at it.

Have we heard the last of this? Probably not. There are ways you can protect yourself and your family. Look for a follow-up to this article about ways and methods of protecting yourself from a technical perspective and using common sense techniques against privacy threats from “trusted” sources.