Cybersecurity researchers have disclosed vulnerabilities in select model webcams from Lenovo that could turn them into BadUSB attack devices.
“This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system,” Eclypsium researchers Paul Asadoorian, Mickey Shkatov, and Jesse Michael said in a report shared with The Hacker News.
The vulnerabilities have been codenamed BadCam by the firmware security company. The findings were presented at the DEF CON 33 security conference today.
The development likely marks the first time it has been demonstrated that threat actors who gain control of a Linux-based USB peripheral that’s already attached to a computer can be weaponized for malicious intent.
In a hypothetical attack scenario, an adversary can take advantage of the vulnerability to send a victim a backdoored webcam, or attach it to a computer if they are able to secure physical access, and remotely issue commands to compromise a computer in order to carry out post-exploitation activity.
BadUSB, first demonstrated over a decade ago by security researchers Karsten Nohl and Jakob Lell at the 2014 Black Hat conference, is an attack that exploits an inherent vulnerability in USB firmware, essentially reprogramming it to discreetly execute commands or run malicious programs on the victim’s computer.
“Unlike traditional malware, which lives in the file system and can often be detected by antivirus tools, BadUSB lives in the firmware layer,” Ivanti notes in an explanation of the threat published late last month. “Once connected to a computer, a BadUSB device can: Emulate a keyboard to type malicious commands, install back doors or keyloggers, redirect internet traffic, [and] exfiltrate sensitive data.”
In recent years, Google-owned Mandiant and the U.S. Federal Bureau of Investigation (FBI) have warned that the financially motivated threat group tracked as FIN7 has resorted to mailing U.S.-based organizations “BadUSB” malicious USB devices to deliver a malware called DICELOADER.
The latest discovery from Eclypsium shows that a USB-based peripheral, such as webcams running Linux, that was not initially intended to be malicious, can be a vector for a BadUSB attack, marking a significant escalation. Specifically, it has been found that such devices can be remotely hijacked and transformed into BadUSB devices without ever being physically unplugged or replaced.
“An attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices,” the researchers explained.
“Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.”
Furthermore, threat actors with the ability to modify the firmware of the webcam can achieve a greater level of persistence, allowing them to re-infect the victim computer with malware even after it has been wiped and the operating system is reinstalled.
The vulnerabilities uncovered in Lenovo 510 FHD and Lenovo Performance FHD webcams relate to how the devices do not validate firmware, as a result of which they are susceptible to a complete compromise of the camera software via BadUSB-style attacks, given that they run Linux with USB Gadget support.
Following responsible disclosure with Lenovo in April 2025, the PC manufacturer has released firmware updates (version 4.8.0) to mitigate the vulnerabilities and has worked with the Chinese company SigmaStar to release a tool that plugs the issue.
“This first-of-its-kind attack highlights a subtle but deeply problematic vector: enterprise and consumer computers often trust their internal and external peripherals, even when those peripherals are capable of running their own operating systems and accepting remote instructions,” Eclypsium said.
“In the context of Linux webcams, unsigned or poorly protected firmware allows an attacker to subvert not just the host but also any future hosts the camera connects to, propagating the infection and sidestepping traditional controls.”
