School's Laptop Spying Software Exploitable from Anywhere

This topic is archived.
Are_grits_groceries Donating Member (1000+ posts) Tue May-25-10 09:03 AM
Original message
Absolute Manage is a remote administration program that allows sysadmins to supervise and maintain client computers over the Internet. It has been in the news since early February, when Lower Merion School District in Pennsylvania was alleged to be using it to spy on students at home via their laptop webcams.

The story took a new twist last Thursday, when Threat Level reported that researchers at Leviathan Security Group had discovered serious vulnerabilities in the program. These problems let attackers carry out a number of exploits, including installing malware or running other arbitrary code on the students' laptops. The major limitation in the reported attacks is that the bad guy needs to be on the same local network as the victim, and the program's developer, Absolute Software, says it's a largely theoretical threat.

Unfortunately, the security problems are worse than has been reported so far, and are far from theoretical. In fact, any machine with a public IP address running Absolute Manage can be taken over by attackers anywhere on the Internet. Such an attacker can command the machine to run arbitrary code, steal data, or take photographs using the computer's camera.

We have been investigating Absolute Manage for several months, hoping to gain a better understanding of the security measures it employs to protect users. We are disclosing this information now because, following the Threat Level post, we believe it's only a matter of time until real attackers discover it. Users need to be aware of the vulnerabilities and take proper measures to protect themselves.
There's much more: http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere

Someone may have to be very determined to do this. Unfortunately, there are probably plenty of people with the expertise and the willingness to do just that.
hobbit709 Donating Member (1000+ posts) Tue May-25-10 09:24 AM
Response to Original message
1. My, my, my! This is what I worried about from the beginning.
If a computer can be remotely accessed, then anyone can access it.
sui generis Donating Member (1000+ posts) Tue May-25-10 09:26 AM
Response to Original message
2. also included in the software - the ability to activate your
camera without activating power or status lights. I have a Panasonic robo cam inside the house - and noticed one day it had been hacked through a VPN account - running around without any status lights, but clearly tracking me in the kitchen. I guess the remote operator had no idea the camera actually moved when they changed the focus. Lesson learned: do not use cloud accounts and standard port ranges to remotely monitor your equipment. A two-year-old can hack that.