Security researchers at Eclypsium have identified critical vulnerabilities in select Lenovo USB webcams that could allow attackers to remotely weaponize them as BadUSB attack tools — capable of injecting malicious keystrokes, delivering payloads, and even reinfecting hosts after system wipes. The findings, presented by Jesse Michael and Mickey Shkatov at DEF CON 2025, highlight a significant evolution in USB-based threats.
According to Eclypsium, “select model webcams from Lenovo run Linux, do not validate firmware, and can be weaponized as BadUSB devices.” This means attackers can reprogram the webcam’s firmware to behave like a malicious Human Interface Device (HID) or even impersonate other USB peripherals such as network adapters or storage devices.
The research outlines two main attack paths:
- Physical introduction of a weaponized webcam into a target system.
- Remote compromise of a host computer, followed by reflashing the attached Linux-based webcam.

Perhaps most alarming is the persistence potential. Once compromised, “the webcam can be used to re-infect the host computer… Even if the host computer is completely wiped and the operating system is reinstalled, the attacker can consistently re-infect the host.” This allows adversaries to bypass traditional reimaging and recovery processes, turning a peripheral into a long-term attack foothold.
The affected devices — Lenovo 510 FHD Webcam and Lenovo Performance FHD Webcam — are powered by SigmaStar SSC9351D ARM-based SoCs running Linux. The flaw stems from missing firmware signature validation, allowing arbitrary firmware to be flashed without authentication.
During testing, Eclypsium found that the firmware update process could be initiated over USB using basic commands to erase and overwrite the onboard SPI flash. As they note, “this simple sequence of actions will promptly erase the onboard 8MB SPI flash and write the contents of the specified file… resulting in a complete compromise of the camera.”
Eclypsium warns that “other webcams and USB peripherals that run Linux may also be vulnerable.” Any USB device with Linux and no firmware validation could be turned into a covert attack platform — including IoT devices, industrial controllers, or even consumer gadgets.
Lenovo, in collaboration with SigmaStar, has released updated firmware tools to address the vulnerability. Users of affected webcams should:
- Update immediately to firmware v4.8.0 via Lenovo’s official support site.
- Restrict physical access to endpoints.
- Monitor USB device behavior for anomalies.
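One way to act on the monitoring recommendation, as an added example (not code from Eclypsium or Lenovo): compare the interface classes each USB device enumerates with against a known-good baseline, and flag any camera that also presents HID, storage, or network interfaces. The inventory format, the `audit` helper, and all VID/PID/serial values are assumptions constructed for illustration; the class codes are the standard USB-IF values.

```python
from typing import NamedTuple

# USB-IF base class codes (bInterfaceClass)
AUDIO, CDC, HID, MASS_STORAGE, CDC_DATA, VIDEO = 0x01, 0x02, 0x03, 0x08, 0x0A, 0x0E
# Interface classes a webcam has no reason to expose
UNEXPECTED_ON_CAMERA = {HID: "HID", MASS_STORAGE: "mass storage",
                        CDC: "CDC/network", CDC_DATA: "CDC data"}

class UsbDevice(NamedTuple):
    vid: int
    pid: int
    serial: str
    iface_classes: frozenset  # every bInterfaceClass the device enumerated with

    @property
    def key(self):
        return (self.vid, self.pid, self.serial)

def _fmt(classes):
    return ",".join(f"0x{c:02x}" for c in sorted(classes)) or "none"

def audit(observed, baseline):
    """Return (device key, reason) pairs for devices worth investigating.

    baseline maps a device key to the interface classes recorded while the
    device was known good (hypothetical inventory format).
    """
    findings = []
    for dev in observed:
        if VIDEO in dev.iface_classes:
            for cls in sorted(dev.iface_classes):
                if cls in UNEXPECTED_ON_CAMERA:
                    findings.append((dev.key, f"camera exposes {UNEXPECTED_ON_CAMERA[cls]} interface"))
        known = baseline.get(dev.key)
        if known is not None and known != dev.iface_classes:
            findings.append((dev.key, "interfaces changed since baseline (added %s; removed %s)"
                             % (_fmt(dev.iface_classes - known), _fmt(known - dev.iface_classes))))
    return findings

# Constructed sample data: VID/PID/serial values are placeholders, not real devices.
BASELINE = {(0x1234, 0x0001, "CAM-A"): frozenset({VIDEO, AUDIO}),
            (0x1234, 0x0001, "CAM-B"): frozenset({VIDEO, AUDIO}),
            (0x1234, 0x0002, "KBD-1"): frozenset({HID})}
OBSERVED = [UsbDevice(0x1234, 0x0001, "CAM-A", frozenset({VIDEO, AUDIO, HID})),  # camera grew a keyboard
            UsbDevice(0x1234, 0x0001, "CAM-B", frozenset({HID})),                # stopped being a camera
            UsbDevice(0x1234, 0x0002, "KBD-1", frozenset({HID}))]                # unchanged keyboard

if __name__ == "__main__":
    for key, reason in audit(OBSERVED, BASELINE):
        print("%04x:%04x %s: %s" % (*key, reason))
```

On Linux the interface classes can be collected from the `bInterfaceClass` files under `/sys/bus/usb/devices`. Because reflashed firmware can also report a different VID, PID, or serial, a device that disappears from the baseline while a new one appears on the same port deserves the same scrutiny.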
Eclypsium’s conclusion is stark: “With BadUSB now possible through not just physical access but also remote manipulation of everyday peripherals, organizations must rethink both endpoint and hardware trust models.”