BadCam: Linux-based Lenovo webcam bugs enable BadUSB attacks

Pierluigi Paganini August 10, 2025

Lenovo webcam flaws, dubbed BadCam, let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks.

Eclypsium researchers found vulnerabilities in some Lenovo webcams, collectively dubbed BadCam, that could let attackers turn them into BadUSB devices to inject keystrokes and launch OS-independent attacks. Principal security researchers Jesse Michael and Mickey Shkatov demonstrated the flaws at DEF CON 33. This is likely the first proof that a compromised Linux-based USB peripheral already connected to a computer can be weaponized for malicious purposes.

“Eclypsium researchers discovered that select model webcams from Lenovo run Linux, do not validate firmware, and can be weaponized as BadUSB devices.” reads the report published by Eclypsium.

“To our knowledge, this is the first time it has been demonstrated that attackers can weaponize a USB device that is already attached to a computer that was not initially intended to be malicious.”

BadUSB exploits trust in USB devices by reprogramming firmware to mimic human interface devices (HIDs) and execute malicious commands, bypassing OS defenses. First demonstrated at Black Hat 2014 by Karsten Nohl and Jakob Lell, it’s now weaponized with tools like Rubber Ducky, Flipper Zero, and open-source payloads. Attacks are stealthy, modular, and persistent, often evading detection and enabling data theft, privilege escalation, and ransomware.

Eclypsium researchers demonstrated that Linux-based USB peripherals, such as webcams, can be remotely hijacked and converted into BadUSB devices without requiring physical access. By reflashing firmware, attackers can make them act as malicious HIDs, inject payloads, or persistently re-infect hosts, even after users reinstall the operating system. The Linux USB gadget feature enables such devices to mimic trusted peripherals, widening the threat to many Linux-powered USB devices.

“Eclypsium researchers Jesse Michael and Mickey Shkatov have expanded the BadUSB threat landscape by demonstrating that specific USB peripherals, such as webcams running Linux, can themselves be remotely hijacked and transformed into BadUSB devices without ever being physically unplugged or replaced. This marks a notable evolution: an attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices.” continues the report. “Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.”

Eclypsium discovered that Lenovo 510 FHD and Performance FHD webcams are vulnerable to insecure firmware updates, allowing full camera compromise. Both use SigmaStar ARM-based SoCs running Linux with USB Gadget support, enabling BadUSB-style attacks to hijack a host. The researchers found that the update process lacks safeguards: simple USB commands can erase and overwrite the 8MB SPI flash, letting attackers replace firmware and weaponize the camera while retaining normal functionality.

Below is a video PoC of the attack:

Eclypsium urged Lenovo and SigmaStar to add firmware verification to affected SoCs. Lenovo responded by creating an updated installation tool with signature validation to fix the flaw. Users of the impacted webcams should download the update from Lenovo’s support site to mitigate risks. The company worked with SigmaStar to assess and address the vulnerability promptly.

“As device supply chains continue to diversify and USB peripherals grow more complex, these attacks underscore the urgent need for firmware signing, device attestation, and more granular visibility into precisely what is plugged into enterprise endpoints.” concludes the report. “With BadUSB now possible through not just physical access but also remote manipulation of everyday peripherals, organizations must rethink both endpoint and hardware trust models.”
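An added example, not taken from Eclypsium's report or Lenovo's tooling: one way to get the visibility the report calls for on a Linux host is to baseline each USB device's interface classes and alert when an already-known device, such as a webcam, starts exposing an HID interface. The vendor/product IDs and port names below are constructed placeholders; because a non-boot HID interface can still act as a keyboard, any new HID interface is reported.

```python
from pathlib import Path

HID, VIDEO = 0x03, 0x0E              # USB-IF base class codes
BOOT_KEYBOARD = (0x03, 0x01, 0x01)   # HID, boot subclass, keyboard protocol
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def snapshot(root="/sys/bus/usb/devices"):
    """Map 'vid:pid@port' -> set of (class, subclass, protocol) from Linux sysfs."""
    devices = {}
    for intf in Path(root).glob("*:*"):            # interface entries, e.g. 1-2:1.0
        port = intf.name.split(":")[0]
        dev = Path(root) / port
        try:
            vid = (dev / "idVendor").read_text().strip()
            pid = (dev / "idProduct").read_text().strip()
            triple = tuple(int((intf / f).read_text(), 16) for f in FIELDS)
        except (OSError, ValueError):
            continue                               # not a device entry, or it vanished
        devices.setdefault(f"{vid}:{pid}@{port}", set()).add(triple)
    return devices


def audit(baseline, current):
    """Return (device, reason) pairs for HID interfaces absent from the baseline."""
    findings = []
    for key, now in sorted(current.items()):
        before = baseline.get(key)
        new_hid = {t for t in now - (before or set()) if t[0] == HID}
        if not new_hid:
            continue
        if before is not None:
            kind = "keyboard" if BOOT_KEYBOARD in new_hid else "HID"
            findings.append((key, f"{kind} interface appeared on a known device"))
        elif any(t[0] == VIDEO for t in now):
            findings.append((key, "unknown camera also exposes HID"))
    return findings


# Constructed sample data: IDs and ports are placeholders, not real products.
UVC = {(0x0E, 0x01, 0x00), (0x0E, 0x02, 0x00)}     # video control + streaming
MOUSE = {(0x03, 0x01, 0x02)}                       # ordinary HID boot mouse
BASELINE = {"aaaa:0001@1-2": set(UVC), "bbbb:0002@1-3": set(MOUSE)}
AFTER = {"aaaa:0001@1-2": UVC | {BOOT_KEYBOARD}, "bbbb:0002@1-3": set(MOUSE)}

if __name__ == "__main__":
    for device, reason in audit(BASELINE, AFTER):
        print(device, "->", reason)
```

Store the output of `snapshot()` from a known-good state as the baseline and rerun `audit()` on a schedule or from a udev hook.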
