School Laptop Spying Program Has A 'Hacker-Friendly' Security Vulneratibility

from the but,-of-course-it-does dept

It always happens. A technology used for spying on people always opens up security vulnerabilities. Sony's "rootkit" DRM had huge security vulnerabilities that let people do bad things to your computer. And now comes the news that the LANrev system used by the Lower Merion School District to secretly photograph students at home also just happened to have a big security vulnerability that, in theory, made it possible for others to spy on children without them knowing it as well:
The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop webcam to snap surreptitious pictures....

The vulnerability in the LANrev system lies in the symmetric-key encryption it uses for authentication between the client and the server, and isn’t related to the optional Theft Track feature. Therefore, even computers that are not using the theft feature are potentially vulnerable.

The authentication key is stored in the client-side and server software and is fairly easy to decipher, says Frank Heidt, president and CEO of Leviathan. It took Leviathan just a few hours to determine that it’s a stanza from a German poem. The key is the same for every computer using LANrev.

The LANrev client software on a computer is configured to contact a server every minute or so to check in and see if the server has any commands for it. Knowing what the key is would let an attacker who has installed a sniffer on the network intercept that ping and masquerade as the server in communication back to the laptop. It requires the attacker to be on the same network as the target machine -- for example, on a wireless network at the school or anywhere else that offers free Wi-Fi the student might use.
To be fair, there's no evidence that anyone used this hack outside of the researchers who have discovered it, but it still raises more questions about the wisdom of using such software, especially on laptops used by kids.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, May 21st, 2010 @ 11:55am

    It just gets better and better

    Hey, how did my picture get out on that porn site?

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, May 21st, 2010 @ 11:58am

    Re: It just gets better and better

    ...with 2 girls and a cup.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    Free Capitalist (profile), May 21st, 2010 @ 12:04pm

    PileOn++

    FTA:
    “If we give you this stanza of poetry, it’s over and the fat lady sings,” Heidt says. “There would be [hackers] turning on webcams.”


    One static key for every installation, every server to client session.

    It would be a just and quick death of the product if they would would just put on a black shirt, show up in a hipster coffee shop and start quoting some Teutonic verse!

    Would it help if I said "please"?

    Big Brother sucks.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, May 21st, 2010 @ 12:34pm

    Password

    - 12345. They'll never guess it. Let's just make it that on all the software.

    - You know we could have it generate...

    - Shutup, I'm in charge here.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, May 21st, 2010 @ 12:37pm

    Google hacked, to its very core. Gaia's Content Management System, it's bread & Butter password/authentication system, breached. 24+ other [anonymous] companies breached in similar manners
    People still use these companies without knowing who they are.
    People don't care about security: period.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    Free Capitalist (profile), May 21st, 2010 @ 12:56pm

    Re:

    People don't understand security: period.

    FTFY

    Everyone cares about security when they realize theirs has been compromised.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, May 21st, 2010 @ 12:57pm

    I'm something of a "neat freak". It's something I've had to deal with over the years, along with my OCD, phobia of straws, generalized anxiety disorder, social anxiety disorder, panic disorder, agoraphobia. I also have post-traumatic stress disorder that came about when I worked for as a preschool teacher.

    I've found that there are a number of legitimate uses for spying programs. As one example, I put spying programs on my computer so I can do make sure my hair remains tidy.

    If someone doesn't have a spying program on their computer, I load up a program like LanRev so I can do my hair. Sometimes I forget to uninstall it. But that's because I'm interested in my hair and also have Aspergers, which means I can only wear shoes that have velcro.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    Free Capitalist (profile), May 21st, 2010 @ 1:04pm

    Re:

    HAHAHAHA! That is truly a worthy use case. Genius.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    Berenerd (profile), May 21st, 2010 @ 1:57pm

    Re: Password

    Amazing..thats the same combination I have on my luggage!

    Now the evidence will show there really was child porn being made...Its out there...you know it..I know it...that school will now need to be "saved" because they will be labeled as child molesters

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Dark Helmet (profile), May 21st, 2010 @ 2:13pm

    Re: Re: Password

    Holy Christ, how could I have missed that opportunity?

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    squish (profile), May 21st, 2010 @ 2:53pm

    really

    they didn't even randomize the encryption key O.o heck i don't even know how this went on until they actually tried to charge that one kid with the candy for drug possession there had to have been previous complaints made i can't be brought to believe none of these kids parents work in IT and none of them wondered why there child's laptop is constantly sending a high volume of encrypted packets to an outside machine and fear of theft my ass they trust kids with piles of heavy 100$ textbooks every year you know there solution to the kids loosing those they pay for the value of the book lost the textbook doesn't come with a convenient spy camera

    you know in some back room in that school district there's a pile of hard drives full of video of 13 year olds discovering Internet porn I can't believe no ones going after them on that

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Flalex72, May 21st, 2010 @ 2:57pm

    They aern't the only ones

    As a student in grade 11, I can tell you that our local school board actively uses a "monitoring" program to watch what students are doing. The big difference is that it is used on school computers that don't leave the school. Until this year, that has always been desktops but now includes two class sets of netbooks that move around the school as required. The program allows teachers to monitor and block what student's are doing, as well as show their screen on everyone in the classes computer. This usage is okay, however as the laptops never leave the school. Another local school does have the same software on their laptops, but the students are in a different situation in that they buy and can keep the school provided laptops. The difference here is that the program only functions on the school's local network, and does not connect over the internet when the student is at home. On the issue of security, it's not good. The computer technicians placed a file explaining how to install and use the teacher level software as well as all of it's pass codes on a SHARED network drive accessible by all people in the school. It took less then 15 minutes for me to add my personal laptop to the school's workgroup, install the software trial from the manufacturer's website, unlock it, and begin controlling any computer in the school. What I'm saying is that this software is very common, and is usually pushed as being educationally oriented or letting the teachers teach more efficiently. In reality is is used by a handful of teachers who know how to and is easily abused by anyone with some basic networking skills.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    mudlock, May 21st, 2010 @ 4:04pm

    Re: Re:

    Too true. And it's not just the general populace, it's people whose job is to do it!

    At my last job I was astounded how little of this stuff was understood by my coworkers, fellow professional programmers; most of them didn't have the first clue about the considerations necessary for even the most rudimentary security concerns. They probably would have shipped something just as crappy as this stuff if I hadn't been involved.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    NAMELESS.ONE, May 21st, 2010 @ 4:06pm

    and now you twits with iphones...

    Now you twits with iphoneswill understand why no self respecting hacker would be caught dead with a video enabled device
    they have had vulnerabilities.

    FOR A LOT LONGER THEN YOU KNOW

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    NAMELESS.ONE, May 21st, 2010 @ 4:10pm

    OH and wonder why pirates dont use video tech

    for authentication?
    like that uber secret pirate site?
    THIS is why its been known to me at least 6-7 years.

    only thing i use a cam for is the special offline box i have that never goes near the net and has a motion sensor that will start recording when someone changes the video in front

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Dohn Joe, May 21st, 2010 @ 4:59pm

    I Would Be Furious

    If I were the parent of one of these kids I would be furious at the school for putting pedophile-friendly crackable spyware on their laptops!

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Jose_X, May 21st, 2010 @ 8:47pm

    I try to avoid closed source software. I avoid Windows entirely as a starting point. I very much prefer software where the vendor made the blueprints to the software public. [The public compiles the application from this source code set of blueprints, and distributes this version.]

    In fact, privacy and security are two important reasons I try to stay exclusively with open source.

    And, yes, commercial vendors prefer closed source. We the people must pressure them to open up by voting with our dollars and choices.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Spanky, May 22nd, 2010 @ 8:49pm

    re

    "you know in some back room in that school district there's a pile of hard drives full of video of 13 year olds discovering Internet porn I can't believe no ones going after them on that"

    Let's try to give these people the benefit of the doubt, here. I've read a lot of news stories about this event, and never once did I get the impression that any of them were pedophiles. Facts may prove me wrong, but I'd rather wait for the facts. What they did should be obviously wrong to most people, but lets not jump to that conclusion.

    "At my last job I was astounded how little of this stuff was understood by my coworkers, fellow professional programmers; most of them didn't have the first clue about the considerations necessary for even the most rudimentary security concerns."

    Yes, you would hope they would. But remember that IT people tend to be pigeon-holed. If you spend a lot of time writing database apps, you tend to know little about comm. Its also a different world today, and a lot of people still in IT come from a time when security was not a big issue. I wrote a lot of strcpy()s - never once did I have to think about a buffer overflow. Security consciousness requires a sort of 'backward' mindset. Most engineers think about how to write software that works, not how to break it. If you're not a criminal, you tend not to think like that. It takes getting used too. Today's programmers will have to learn to think that way.

    Basically, I think these were people who were trying to protect the kids, and got carried away. Some with voyeuristic tendencies. You would think some of these teachers would have read 1984, and the US Constitution, and tried to understand them both.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    kevinmitnick (profile), May 23rd, 2010 @ 12:28pm

    hacker for hire

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, May 24th, 2010 @ 9:08am

    Re: hacker for hire

    Can you change my A's to F's?

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    kevin, Oct 13th, 2010 @ 4:44pm

    this person robbed me 300us

    its not hacker, its crminal,so dont accept this people.

    whitehat@cyber-wizard.com
    mr.hacker4hire@gmail.com

    this are his emails

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    SG, Oct 28th, 2010 @ 1:37pm

    Kevin response to:( hacker for hire)

    Kevin did you get scammed by hacker4hire@gmail.com?? I'm in process of working wh him now and he is wanting more money

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    derf, Nov 4th, 2010 @ 10:56am

    ad

    dontt busseness with or 4harefire
    hi steeal me 100us its a fake

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    jesse, Dec 14th, 2010 @ 3:10pm

    hACKER

    does anyone know if whitehat@cyber-wizard.com is a real hacker? Let me know please.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous, Dec 24th, 2010 @ 12:23pm

    whitehat@cyber-wizard.com is fake a million times over! Don't believe him or his excuses. He will make you believe anything, but don't believe him.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Danielle, Apr 11th, 2013 @ 4:07pm

    Re: Kevin response to:( hacker for hire)

    What ended up happening with hacker4hire@gmail.com? I contacted him but I can't tell if he's legit or not.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This