
BadCam: Linux-based Lenovo webcam bugs enable BadUSB attacks


Lenovo webcam flaws, dubbed BadCam, let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks.

Eclypsium researchers found vulnerabilities in some Lenovo webcams, collectively dubbed BadCam, that could let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks. Principal security researchers Jesse Michael and Mickey Shkatov demonstrated the flaws at DEF CON 33. This is likely the first proof that a compromised Linux-based USB peripheral already connected to a computer can be weaponized for malicious purposes.

“Eclypsium researchers discovered that select model webcams from Lenovo run Linux, do not validate firmware, and can be weaponized as BadUSB devices.” reads the report published by Eclypsium.

“To our knowledge, this is the first time it has been demonstrated that attackers can weaponize a USB device that is already attached to a computer that was not initially intended to be malicious.”

BadUSB exploits trust in USB devices by reprogramming firmware to mimic HIDs and execute malicious commands, bypassing OS defenses. First demonstrated at Black Hat 2014 by Karsten Nohl and Jakob Lell, it’s now weaponized with tools like Rubber Ducky, Flipper Zero, and open-source payloads. Attacks are stealthy, modular, and persistent, often evading detection and enabling data theft, privilege escalation, and ransomware.

Eclypsium researchers demonstrated that Linux-based USB peripherals, such as webcams, can be remotely hijacked and converted into BadUSB devices without requiring physical access. By reflashing firmware, attackers can make them act as malicious HIDs, inject payloads, or persistently re-infect hosts, even after users reinstall the operating system. The Linux USB gadget feature enables such devices to mimic trusted peripherals, widening the threat to many Linux-powered USB devices.

“Eclypsium researchers Jesse Michael and Mickey Shkatov have expanded the BadUSB threat landscape by demonstrating that specific USB peripherals, such as webcams running Linux, can themselves be remotely hijacked and transformed into BadUSB devices without ever being physically unplugged or replaced. This marks a notable evolution: an attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices.” continues the report. “Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.”

Eclypsium discovered that Lenovo 510 FHD and Performance FHD webcams are vulnerable to insecure firmware updates, allowing full camera compromise. Both use SigmaStar ARM-based SoCs running Linux with USB Gadget support, enabling BadUSB-style attacks to hijack a host. The researchers found that the update process lacks safeguards: simple USB commands can erase and overwrite the 8 MB SPI flash, letting attackers replace the firmware and weaponize the camera while retaining normal functionality.

Below is a video PoC of the attack:

Eclypsium urged Lenovo and SigmaStar to add firmware verification to affected SoCs. Lenovo responded by creating an updated installation tool with signature validation to fix the flaw. Users of the impacted webcams should download the update from Lenovo’s support site to mitigate risks. The company worked with SigmaStar to assess and address the vulnerability promptly.

“As device supply chains continue to diversify and USB peripherals grow more complex, these attacks underscore the urgent need for firmware signing, device attestation, and more granular visibility into precisely what is plugged into enterprise endpoints.” concludes the report. “With BadUSB now possible through not just physical access but also remote manipulation of everyday peripherals, organizations must rethink both endpoint and hardware trust models.”
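One way to get the visibility the report asks for on a Linux endpoint is to inventory the interface classes each USB device enumerates and flag a camera that starts exposing an HID interface. The script below is an added example, not code from Eclypsium or from this article; the baseline format, the function names and the `aaaa:0001` / `bbbb:0002` IDs are assumptions and constructed placeholders, not real product identifiers.

```python
import os

USB_CLASS_HID = 0x03    # keyboards, mice
USB_CLASS_VIDEO = 0x0E  # USB Video Class (webcams)

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def read_usb_inventory(sysfs_root="/sys/bus/usb/devices"):
    """Map each USB device to its vid:pid and the interface classes it exposes."""
    inv = {}
    for name in os.listdir(sysfs_root):
        node = os.path.join(sysfs_root, name)
        entry = inv.setdefault(name.split(":", 1)[0], {"id": None, "classes": set()})
        if ":" in name:   # interface node such as "1-2:1.0"
            cls = _read(os.path.join(node, "bInterfaceClass"))
            if cls:
                entry["classes"].add(int(cls, 16))
        else:             # device node such as "1-2"
            vid = _read(os.path.join(node, "idVendor"))
            pid = _read(os.path.join(node, "idProduct"))
            if vid and pid:
                entry["id"] = f"{vid}:{pid}"
    return {d: e for d, e in inv.items() if e["id"]}

def find_hid_anomalies(inventory, baseline):
    """baseline maps "vid:pid" to the interface classes recorded when it was trusted."""
    findings = []
    for dev, info in sorted(inventory.items()):
        if USB_CLASS_HID not in info["classes"]:
            continue
        if USB_CLASS_HID in baseline.get(info["id"], set()):
            continue  # HID is expected for this model (a real keyboard or mouse)
        reason = ("camera also exposes HID" if USB_CLASS_VIDEO in info["classes"]
                  else "HID not in baseline")
        findings.append((dev, info["id"], reason))
    return findings

# Constructed sample data: IDs are placeholders, not real product identifiers.
BASELINE = {"aaaa:0001": {0x0E, 0x01}, "bbbb:0002": {0x03}}
SAMPLE = {
    "1-1": {"id": "bbbb:0002", "classes": {0x03}},              # keyboard
    "1-2": {"id": "aaaa:0001", "classes": {0x0E, 0x01, 0x03}},  # webcam that gained HID
}

if __name__ == "__main__":
    print(find_hid_anomalies(SAMPLE, BASELINE))
```

The check only sees interfaces a device currently enumerates, so it is most useful when run on each USB hotplug event rather than once.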


Pierluigi Paganini

(SecurityAffairs – hacking, BadCam)