Lenovo webcam flaws, dubbed BadCam, let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks.
Eclypsium researchers found vulnerabilities in some Lenovo webcams, collectively dubbed BadCam, that could let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks. Principal security researchers Jesse Michael and Mickey Shkatov demonstrated the flaws at DEF CON 33. This is likely the first proof that a compromised Linux-based USB peripheral already connected to a computer can be weaponized for malicious purposes.
“Eclypsium researchers discovered that select model webcams from Lenovo run Linux, do not validate firmware, and can be weaponized as BadUSB devices,” reads the report published by Eclypsium.
“To our knowledge, this is the first time it has been demonstrated that attackers can weaponize a USB device that is already attached to a computer that was not initially intended to be malicious.”
BadUSB exploits the trust operating systems place in USB devices: a device's firmware is reprogrammed so that it mimics a human interface device (HID) such as a keyboard and types malicious commands, bypassing OS defenses. First demonstrated at Black Hat 2014 by Karsten Nohl and Jakob Lell, the technique is now weaponized with tools like Rubber Ducky, Flipper Zero, and open-source payloads. Attacks are stealthy, modular, and persistent, often evading detection and enabling data theft, privilege escalation, and ransomware.
Eclypsium researchers demonstrated that Linux-based USB peripherals, such as webcams, can be remotely hijacked and converted into BadUSB devices without requiring physical access. By reflashing firmware, attackers can make them act as malicious HIDs, inject payloads, or persistently re-infect hosts, even after users reinstall the operating systems. The Linux USB gadget feature enables such devices to mimic trusted peripherals, widening the threat to many Linux-powered USB devices.
“Eclypsium researchers Jesse Michael and Mickey Shkatov have expanded the BadUSB threat landscape by demonstrating that specific USB peripherals, such as webcams running Linux, can themselves be remotely hijacked and transformed into BadUSB devices without ever being physically unplugged or replaced. This marks a notable evolution: an attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices,” continues the report. “Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.”
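The detection angle that follows from the report's description is that a weaponized camera keeps its video interface and adds a HID interface, so it shows up to the host as a composite device that is both a camera and a keyboard. The following Go program is an added example, not code from Eclypsium or Lenovo: it walks a sysfs-style USB device tree (on a real Linux host, /sys/bus/usb/devices) and flags any device that exposes both a Video (0x0E) and a HID (0x03) interface class. The fixture tree it writes, the vendor/product IDs and the device names are constructed for the demonstration and do not correspond to real hardware.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// USB-IF interface class codes as sysfs prints them in bInterfaceClass.
const (
	classHID   = "03" // Human Interface Device (keyboard, mouse, ...)
	classVideo = "0e" // Video (UVC webcam)
)

// Device summarises one USB device and the classes of all its interfaces.
type Device struct {
	Path, Vendor, Product, Name string
	Classes                     []string
}

// readAttr returns a sysfs attribute file's trimmed contents, or "" if absent.
func readAttr(dir, name string) string {
	b, err := os.ReadFile(filepath.Join(dir, name))
	if err != nil {
		return ""
	}
	return strings.TrimSpace(string(b))
}

// ScanSysfs reads a /sys/bus/usb/devices-style directory. Device entries look
// like "1-2" and carry idVendor/idProduct/product; interface entries look like
// "1-2:1.0" and carry bInterfaceClass. On a real host these entries are
// symlinks, so the scanner relies on the attribute files rather than IsDir().
func ScanSysfs(root string) ([]Device, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var devs []Device
	for _, e := range entries {
		if strings.Contains(e.Name(), ":") {
			continue // interface entry; collected under its parent device below
		}
		dir := filepath.Join(root, e.Name())
		vid := readAttr(dir, "idVendor")
		if vid == "" {
			continue // not a USB device directory
		}
		d := Device{Path: dir, Vendor: vid, Product: readAttr(dir, "idProduct"), Name: readAttr(dir, "product")}
		for _, ie := range entries {
			if strings.HasPrefix(ie.Name(), e.Name()+":") {
				cls := strings.ToLower(readAttr(filepath.Join(root, ie.Name()), "bInterfaceClass"))
				d.Classes = append(d.Classes, cls)
			}
		}
		devs = append(devs, d)
	}
	return devs, nil
}

func hasClass(d Device, c string) bool {
	for _, x := range d.Classes {
		if x == c {
			return true
		}
	}
	return false
}

// Suspicious returns devices that present both a camera and a keyboard-style
// interface: the shape a BadCam-style weaponized webcam takes on the host.
func Suspicious(devs []Device) []Device {
	var out []Device
	for _, d := range devs {
		if hasClass(d, classVideo) && hasClass(d, classHID) {
			out = append(out, d)
		}
	}
	return out
}

// WriteFixture creates a constructed sysfs-style tree (not captured from real
// hardware; IDs and names are placeholders) so the scanner can run offline.
func WriteFixture(root string) error {
	type iface struct{ dir, class string }
	fixtures := []struct {
		dir, vid, pid, name string
		ifaces              []iface
	}{
		{"1-1", "0001", "0001", "Plain Keyboard", []iface{{"1-1:1.0", classHID}}},
		{"1-2", "0002", "0002", "Clean Webcam", []iface{{"1-2:1.0", classVideo}, {"1-2:1.1", classVideo}}},
		{"1-3", "0002", "0002", "Weaponized Webcam", []iface{{"1-3:1.0", classVideo}, {"1-3:1.1", classVideo}, {"1-3:1.2", classHID}}},
	}
	for _, f := range fixtures {
		dir := filepath.Join(root, f.dir)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		for k, v := range map[string]string{"idVendor": f.vid, "idProduct": f.pid, "product": f.name} {
			if err := os.WriteFile(filepath.Join(dir, k), []byte(v+"\n"), 0o644); err != nil {
				return err
			}
		}
		for _, i := range f.ifaces {
			idir := filepath.Join(root, i.dir)
			if err := os.MkdirAll(idir, 0o755); err != nil {
				return err
			}
			if err := os.WriteFile(filepath.Join(idir, "bInterfaceClass"), []byte(i.class+"\n"), 0o644); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "usb-fixture")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteFixture(root); err != nil {
		panic(err)
	}
	devs, err := ScanSysfs(root) // on a live host: ScanSysfs("/sys/bus/usb/devices")
	if err != nil {
		panic(err)
	}
	for _, d := range Suspicious(devs) {
		fmt.Printf("ALERT %s %s:%s %q exposes interface classes %v\n",
			filepath.Base(d.Path), d.Vendor, d.Product, d.Name, d.Classes)
	}
}
```

Some legitimate cameras do ship a HID interface for button or control reporting, so treat the output as an inventory to baseline per model rather than a verdict: the signal worth alerting on is a camera that gains a HID interface it did not have before, which is exactly what a firmware reflash of an already-attached device would produce.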

Eclypsium discovered that Lenovo 510 FHD and Performance FHD webcams are vulnerable to insecure firmware updates, allowing full camera compromise. Both use SigmaStar ARM-based SoCs running Linux with USB Gadget support, enabling BadUSB-style attacks to hijack a host. The researchers found that the update process lacks safeguards: simple USB commands can erase and overwrite the 8MB SPI flash, letting attackers replace the firmware and weaponize the camera while retaining its normal functionality.
Below is a video PoC of the attack:
Eclypsium urged Lenovo and SigmaStar to add firmware verification to affected SoCs. Lenovo responded by creating an updated installation tool with signature validation to fix the flaw. Users of the impacted webcams should download the update from Lenovo’s support site to mitigate risks. The company worked with SigmaStar to assess and address the vulnerability promptly.
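The missing safeguard in the update path described above, and the signature validation Lenovo's updated tool adds, come down to one rule: nothing reaches the flash unless it is a well-formed image whose signature verifies under the vendor's public key. The Go program below is an added example and is not Lenovo's, SigmaStar's or Eclypsium's code; it uses a hypothetical container format (a 4-byte magic, a big-endian payload length, the payload, then an Ed25519 signature over everything before it) and a simulated flash buffer, all constructed for the demonstration. It shows a valid image being accepted, while a tampered image, a raw unsigned blob of the kind the vulnerable update path would have written, and an image signed under a different key are all rejected before any write happens.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Magic identifies the hypothetical container; it is not a real vendor format.
var Magic = []byte("FWIM")

// HeaderLen is the size of Magic plus the 4-byte payload length.
const HeaderLen = 4 + 4

var (
	ErrBadHeader    = errors.New("firmware image: bad magic or length")
	ErrBadSignature = errors.New("firmware image: signature check failed")
)

// GenerateVendorKey stands in for the vendor's signing key pair; in practice the
// private half never leaves the vendor's signing infrastructure and only the
// public half is baked into the updater or the device's boot chain.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage wraps a raw payload: Magic || len || payload || signature, where the
// signature covers the header and payload so neither can be altered.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(payload)))
	signed := append(append(append([]byte{}, Magic...), lenBuf[:]...), payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage returns the payload only if the container is well formed and the
// signature verifies under pub. This is the check the vulnerable update path lacked.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < HeaderLen+ed25519.SignatureSize || !bytes.Equal(image[:len(Magic)], Magic) {
		return nil, ErrBadHeader
	}
	n := int(binary.BigEndian.Uint32(image[len(Magic):HeaderLen]))
	if n != len(image)-HeaderLen-ed25519.SignatureSize {
		return nil, ErrBadHeader // declared length must account for every byte
	}
	signed, sig := image[:HeaderLen+n], image[HeaderLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSignature
	}
	return image[HeaderLen : HeaderLen+n], nil
}

// UpdateFirmware is the only path to the (simulated) flash: the erase-and-write
// step runs solely after VerifyImage has accepted the image.
func UpdateFirmware(pub ed25519.PublicKey, flash *[]byte, image []byte) error {
	payload, err := VerifyImage(pub, image)
	if err != nil {
		return err
	}
	*flash = append((*flash)[:0], payload...) // erase, then write verified bytes
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	payload := []byte("constructed firmware payload, not a real image")
	flash := make([]byte, 0, 8<<20) // stand-in for the camera's 8 MB SPI flash

	good := SignImage(priv, payload)
	fmt.Println("signed image:   ", UpdateFirmware(pub, &flash, good))

	tampered := append([]byte(nil), good...)
	tampered[HeaderLen] ^= 0x01 // flip one payload bit
	fmt.Println("tampered image: ", UpdateFirmware(pub, &flash, tampered))

	fmt.Println("raw blob:       ", UpdateFirmware(pub, &flash, payload))

	otherPub, _ := GenerateVendorKey()
	fmt.Println("wrong key:      ", UpdateFirmware(pub, &flash, SignImage(ed25519.NewKeyFromSeed(make([]byte, 32)), payload)), otherPub != nil)
}
```

Where the check runs matters as much as the check itself. A signature check inside the host-side installation tool stops a casual user from flashing a modified image, but the report's scenario is an attacker who already has code execution on the host and speaks the flash-erase-and-write USB commands directly to the camera; only verification performed by the device's own boot chain, as Eclypsium's recommendation to add firmware verification to the SoC implies, closes that path.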
“As device supply chains continue to diversify and USB peripherals grow more complex, these attacks underscore the urgent need for firmware signing, device attestation, and more granular visibility into precisely what is plugged into enterprise endpoints,” concludes the report. “With BadUSB now possible through not just physical access but also remote manipulation of everyday peripherals, organizations must rethink both endpoint and hardware trust models.”