
At DEF CON 33, experts from Eclypsium demonstrated an attack codenamed BadCam, which exploits vulnerabilities in certain Lenovo webcam models, turning them into tools for remote BadUSB-style attacks.
“This allows remote attackers to perform stealthy keystroke injections and launch attacks regardless of the host operating system,” the authors of the attack say.
The BadCam issue has been assigned CVE-2025-4371, and the researchers claim it is the first real-world demonstration that attackers who remotely seize control of Linux‑based USB peripherals can use them for malicious purposes.
BadUSB attacks were first demonstrated more than 10 years ago by security researchers Karsten Nohl and Jakob Lell at the Black Hat 2014 conference.
Today this term refers to a whole class of attacks that, for example, can exploit vulnerabilities in device firmware, causing a connected device to masquerade as something else—such as an HID device (keyboard or mouse), Ethernet (network adapter), or Mass Storage (removable drive). This allows the device to be used to covertly execute commands or launch malicious software on the victim’s computer.
However, BadUSB devices are usually created in advance and deliberately. For example, in 2022 the FIN7 hacking group sent malicious USB devices to U.S. companies in the hope of infecting their systems and gaining an initial foothold for attacks. Similarly, in 2020, a U.S. company in the hospitality industry was mailed a fake Best Buy gift card along with a malicious USB flash drive.
Now researchers at Eclypsium have demonstrated that ordinary USB peripherals, never intended for malicious activity, can also become a vector for BadUSB attacks. In particular, it turned out that such devices can be remotely hijacked and turned into BadUSB devices without physically unplugging or replacing them.
“An attacker who has obtained remote code execution on the system can reflash a connected webcam running Linux, repurposing it to function as a malicious HID device or to emulate additional USB devices,” the researchers explain. “After that, the innocuous webcam could perform keystroke injections, deliver malicious payloads, or serve as a beachhead for deeper persistence in the system, all while retaining its normal appearance and primary functionality.”
It is also noted that the infection would allow an attacker to establish a persistent foothold in the system and re-compromise the victim’s computer even after a full wipe and OS reinstallation.
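
A reflashed camera that keeps working but starts exposing a keyboard shows up on the host as a change in its USB interface classes. The following check is an added example, not code from Eclypsium or Lenovo: it snapshots the interface classes Linux reports in sysfs and flags any port whose device gained a class since a recorded baseline. The snapshot layout, the function names and the `ffff:0001` device ID are assumptions made for illustration.

```python
import os

# USB-IF base class codes that give a peripheral keyboard, storage or network reach.
RISKY = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0A: "CDC-Data", 0xE0: "Wireless"}

def _read(path):
    with open(path) as f:
        return f.read().strip()

def read_sysfs(root="/sys/bus/usb/devices"):
    """Snapshot {port: (vid:pid, {interface classes})} from Linux sysfs."""
    snap = {}
    for name in sorted(os.listdir(root)):
        port, sep, _ = name.partition(":")      # interface dirs look like "1-2:1.0"
        dev = os.path.join(root, port)
        if not sep or not os.path.exists(os.path.join(dev, "idVendor")):
            continue                            # skip device dirs and root-hub interfaces
        ident = _read(os.path.join(dev, "idVendor")) + ":" + _read(os.path.join(dev, "idProduct"))
        cls = int(_read(os.path.join(root, name, "bInterfaceClass")), 16)
        snap.setdefault(port, (ident, set()))[1].add(cls)
    return snap

def audit(baseline, current):
    """Return (port, message) findings for devices that drifted from the baseline."""
    findings = []
    for port, (ident, classes) in sorted(current.items()):
        if port not in baseline:
            findings.append((port, "info: device not in baseline"))
            continue
        base_ident, base_classes = baseline[port]
        if ident != base_ident:
            findings.append((port, "HIGH: identity changed %s -> %s" % (base_ident, ident)))
        for c in sorted(classes - base_classes):
            level = "HIGH" if c in RISKY else "info"
            msg = "%s: new interface class 0x%02x %s" % (level, c, RISKY.get(c, ""))
            findings.append((port, msg.strip()))
    return findings

# Constructed snapshots: a camera (video 0x0e + audio 0x01) that later also exposes HID.
BASELINE = {"1-2": ("ffff:0001", {0x0E, 0x01})}
AFTER = {"1-2": ("ffff:0001", {0x0E, 0x01, 0x03})}

if __name__ == "__main__":
    for port, msg in audit(BASELINE, AFTER):
        print(port, msg)
```

On a live Linux host, store `read_sysfs()` output while the peripherals are in a known-good state and compare later snapshots against it with `audit()`.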

Vulnerabilities enabling the BadCam attack were discovered in the Lenovo 510 FHD and Lenovo Performance FHD webcams, whose firmware was developed by the Chinese company SigmaStar. The issues stemmed from the devices not validating firmware—there was no signature verification—so the cameras were susceptible to full compromise, since they run Linux with USB Gadget support.
Researchers say that a known Linux kernel vulnerability (CVE-2024-53104), for example, could have been used to gain control of the host in order to deploy malicious firmware to a connected USB camera.
Experts notified Lenovo about the discovered issues in April 2025, after which the manufacturer released a firmware update (version 4.8.0) to address the vulnerabilities and, together with SigmaStar, developed a tool that fixed the issue.
“This first-of-its-kind attack clearly illustrates a subtle yet extremely dangerous vector: enterprise and consumer computers often trust their internal and external peripherals, even when those peripheral devices are capable of running their own operating systems and receiving remote instructions,” Eclypsium says. “In the context of Linux webcams, unsigned or poorly protected firmware allows an attacker to compromise not only the host, but also any other hosts to which this camera will be connected in the future, spreading the infection and bypassing traditional defenses.”
Although Eclypsium’s research focused on Lenovo webcams, other peripheral USB devices running Linux may also have similar vulnerabilities.
