A new class of USB-based attacks has come to light. These attacks are not just targeting removable devices, but existing, trusted peripherals already connected to systems: Linux webcams. Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system.
This threat, now referred to as “BadCam”, builds upon the original concept of BadUSB attacks, first introduced by Karsten Nohl and Jakob Lell at Black Hat 2014. At the core of the issue lies a fundamental flaw in the USB specification, which lacks mandatory enforcement of firmware signature validation. This oversight allows USB devices, like flash drives, keyboards, and now webcams, to be reprogrammed to impersonate trusted Human Interface Devices (HIDs), silently executing commands once plugged into a host.
What sets BadCam apart is its method of exploitation. Unlike traditional BadUSB attacks that rely on unsuspecting users inserting malicious USB sticks, BadCam enables attackers to remotely hijack Linux-powered webcams already attached to a system, making them stealthy and persistent attack vectors without any need for physical access.
This BadCam threat was revealed by cybersecurity researchers Jesse Michael and Mickey Shkatov from Eclypsium.
The BadCam Targets: Lenovo Webcams with Linux Firmware
The research focused on two specific models:
- Lenovo 510 FHD Webcam (GXC1D66063, FRU: 5C21E09202)
- Lenovo Performance FHD Webcam (4XC1D66055, FRU: 5C21D66059)
Both cameras are built on SigmaStar SSC9351D SoCs, dual-core ARM Cortex-A7 processors running embedded Linux with USB Gadget support. This hardware configuration enables these webcams to masquerade as other USB peripherals, such as keyboards or network adapters.
Eclypsium discovered that the firmware on these devices lacks signature validation. As a result, attackers who gain remote access to a system can reflash the webcam’s firmware to install malicious code. Once compromised, the webcam can simulate keyboard input (i.e., emulate a Rubber Ducky or Bash Bunny) and launch stealthy attacks.
Attack Vectors: Physical and Remote
Two primary attack scenarios were outlined:
- Supply Chain or Physical Access: An attacker can deliver a compromised webcam (or physically access a machine) and plug in the weaponized device.
- Remote Firmware Injection: More critically, an attacker with remote access to a computer can identify an attached Linux webcam and push a malicious firmware update to it, converting it into a BadUSB attack platform without user interaction.
In both cases, the weaponized webcam retains its camera functionality, making detection extremely difficult. Moreover, because the malware resides in the peripheral’s firmware and not the host OS, even reformatting the computer won’t remove the threat. The infected camera can re-infect the host repeatedly.
The Implications for USB Security
While this research highlights two Lenovo webcams, the implications extend far beyond them. Many USB peripherals running Linux, from cameras to IoT devices, may lack proper firmware validation.
Any device that supports the Linux USB Gadget subsystem could theoretically be exploited in similar ways. As Eclypsium warns, this is not just about webcams, but a growing class of embedded USB devices that now represent viable targets for BadUSB attacks.
The Linux USB Gadget framework allows devices to present themselves as any USB class (mass storage, HID, serial, etc.). This capability, combined with insufficient firmware protections, creates a potent cocktail for attackers aiming to create stealthy, persistent, and modular BadUSB devices.
Proof-of-Concept
The researchers demonstrated how a malicious firmware update could be delivered using simple commands over USB. A short sequence, such as probing the SPI flash, erasing memory, and writing a new binary, completely replaces the original firmware. They cited the specific build:
objectivec
CopyEdit
FW VERSION: CMK-HD510-OT1917-FW-4.6.2
Linux 4.9.84 armv7l GNU/Linux
This update process essentially enables full control over the camera, turning it into a hidden attacker tool.
Real-World Risks and Persistent Threats
What sets this attack apart is the level of persistence it offers. Once compromised, the webcam becomes a persistent backdoor. Even a wiped and rebuilt host system remains vulnerable if the compromised webcam is plugged back in.
The stealthy nature of these attacks means that traditional endpoint detection tools are ineffective. Since the malicious logic operates at the firmware level, it’s invisible to antivirus software or OS-level monitoring tools.
Timeline and Vendor Response
The vulnerability was responsibly disclosed by Eclypsium to Lenovo starting in March 2025. A series of communications and fixes followed:
- July 29, 2025: Lenovo confirms a firmware fix and schedules advisory publication.
- August 8, 2025: Findings presented, and Lenovo publishes firmware update tools.
Lenovo has since released updated firmware tools addressing the signature validation issues in the affected webcam models. Users can visit Lenovo’s support site to download version 4.8.0 of the firmware.
Conclusion
The weaponization of Linux webcams represents a profound shift in USB attack surfaces. These devices, once thought of as passive input peripherals, are now proven capable of being transformed into active attack components through remote firmware compromise. Organizations must urgently adopt stricter device verification, enforce firmware signature validation, and rethink trust assumptions around USB peripherals, especially those powered by Linux.
