How spyware on rental PCs captured users’ most intimate moments | Ars Technica

In September, the US Federal Trade Commission secured an agreement that settled accusations that seven rent-to-own RTO stores and a software design firm surreptitiously captured end users most intimate moments. The charges of unfair and deceptive gathering of consumers personal information stemmed from the use of PC Rental Agent, a software package that is also the subject of a federal lawsuit accusing Pennsylvania-based DesignerWare, the rent-to-own stores, and their corporate parent of violating federal wiretap statutes.

As its name suggests, PC Rental Agent was designed to streamline the administration of computers offered by rent-to-own stores, which sell or rent furniture, appliances, and other merchandise to consumers, often in exchange for weekly payments until they are paid off. By default, the program includes functionality that allows store employees to wipe PC hard drives at the press of a key. The feature is used to permanently remove confidential data left by one customer before the machine is given to a new customer. PC Rental Agent also includes a “kill switch” that allows computers to be remotely disabled. Store managers can invoke the switch in the event that the machine is stolen or a customer fails to make payments as promised. Activating the feature makes the PCs unusable, in theory creating an incentive for delinquent end users to pay up.

As the Byrds learned first-hand, the program included yet another feature: a backdoor that allowed a store manager to remotely install a powerful spyware module that can surreptitiously track the location of the PC, collect pictures every two minutes of whoever was in front of the PCs built-in webcam, and capture keystrokes along with screenshots of whatever was being displayed on their monitors. When activated, this so-called “Detective Mode” operated at various levels. The first siphoned a screenshot and 30 characters worth of key strokes every two minutes for an hour. It then used DesignerWare servers to attach the data to e-mails that were sent to a designated manager—dubbed the “master account holder” in Designerware parlance—at the RTO store that issued the machine.

via How spyware on rental PCs captured users’ most intimate moments | Ars Technica.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s