Have you ever felt like someone is listening to your conversations or watching you through your webcam? Would you believe that this can be true?

In one of our red team engagements we had just managed to gain a foothold in the company’s network and obtain high privileges. The goal was now to gather the trophies that had been decided on for the engagement.

One of the trophies was to show the executives that it was possible to spy on the employees’ computers by recording their microphones and viewing their webcams. Our team searched for computers around the network and finally found one computer with a working webcam. We recorded the microphone and were able to hear conversations held with clients, see the employee’s webcam and fully control his computer.

What should we learn from this, first of all? Besides the lack of security that let us control the employee’s computer, the webcam was also not covered. This let us spy on the employee.

