A Seattle-based security firm says it needed just hours to hack into a version of the laptop tracking system that the Lower Merion School District used, suggesting that tech-savvy outsiders could have commandeered the computers and watched students through their webcams.
The company, Leviathan Security Group, said it launched the review after realizing that some of its clients were using the same system, LANrev, that drew an international spotlight to Lower Merion.
Leviathan executives said they had no reason to believe anyone had breached Lower Merion's system. And district officials reiterated that their internal investigation found no proof that anyone had hacked into the system or used it to spy on students.
But the Leviathan review, first reported last week by Wired magazine, represents the latest example of how the furor over Lower Merion's system has rippled across the country, stoking new questions and concerns about technology and surveillance.
"This is not about just one school in Pennsylvania," said Leviathan chief executive officer Frank Heidt. "There are thousands and thousands of copies out there."
LANrev is a software package that lets administrators remotely access and manage multiple computers on a network at the same time. The LANrev feature that drew so much scrutiny was a theft-tracking tool that can pinpoint a computer's location, remotely activate its webcam and store copies of the images on its screen.
In a few hours, Leviathan executives said, one of their engineers was able to decipher a password - lines from a German poem - to gain administrative access on the network. The engineer could then install software to essentially take over a user's laptop - sorting through its e-mail, using its webcam or deleting or changing files.
"You could make the computer do anything at that point," Heidt said.
Heidt and Leviathan's chief operating officer, Chad Thunberg, said their examination wasn't meant to be a critique of Lower Merion's actions or an attempt to promote their company.
They said their engineers spent two weeks developing a repair for the breach, but won't sell or release it - except to send it for free to Absolute Software, the Vancouver-based firm that acquired LANrev late last year.
A spokesman for Absolute Software said the company had no comment. It previously has said it was disabling and retooling the theft-tracking feature.
Lower Merion's technicians used the feature to secretly snap and store tens of thousands of photos and images from student laptops that had been reported lost or stolen, even after some were returned to students.
The district disabled the software tracking program in February, after its use came to light in a lawsuit filed by Harriton High School sophomore Blake Robbins and his parents.
Robbins claimed his privacy was invaded when a laptop he borrowed from school secretly shot hundreds of photos, including images of him sleeping in his Penn Valley home and shirtless after a shower.
His lawsuit is still pending.
Mark Haltzman, the lawyer for the Robbins family, said he knew about the LANrev system's security flaw.
"The computer expert employed by us on behalf of the plaintiff has been aware of this security vulnerability almost since the day he was retained," Haltzman said.
Nearly 40 other Lower Merion students' photos were also surreptitiously taken by their school-issued laptops since September 2008. Last week, the district began sending letters to those students, offering to arrange for them and their parents to privately view the images.
District spokesman Doug Young said the flaw pointed out by Leviathan "is exactly the kind of matter that has been subject to the technical evaluation, expertise and inquiry" of L3, the computer experts the district hired and has paid more than $240,000 to assist in its internal investigation of the webcam controversy.
Young also noted the other steps Lower Merion officials have taken in recent weeks.
The district has agreed to honor a court injunction barring it from using any sort of tracking technology on laptops without first getting consent from students and their parents. And last week, the school board hired SunGard, a Wayne-based computer services company, to help develop a comprehensive technology plan.
Next week, Young said, an expanded Technology Advisory Council of more than 50 students, teachers, staff and community members will gather for the first time.
Heidt, who founded his company five years ago, said he didn't know all the details of the Lower Merion case. But he said use of the webcams to track down missing computers struck him as misguided overkill.
"This cure was so much worse than the disease they purported to fix," he said.