
Cybersecurity researchers have disclosed vulnerabilities in select Lenovo webcam models that can be exploited to turn the cameras into BadUSB attack devices.
"This allows remote attackers to secretly inject keystrokes and launch attacks independently of the host operating system," Eclypsium researchers Paul Asadoorian, Mickey Shkatov and Jesse Michael said in a report shared with The Hacker News.
The vulnerability has been codenamed BadCam by the firmware security company. The findings were presented today at the DEF CON 33 security conference.
The development is said to mark the first time it has been demonstrated that Linux-based USB peripherals already attached to a computer can be weaponized by threat actors who gain control of them.
In a hypothetical attack scenario, an adversary could exploit the vulnerability by shipping a backdoored webcam to the victim, or by attaching one to the target computer if they have physical access, and then remotely issue commands that compromise the machine and carry out post-exploitation activities.

First demonstrated over a decade ago by security researchers Karsten Nohl and Jakob Lell at the 2014 Black Hat conference, BadUSB is an attack that exploits an inherent weakness in USB firmware: the firmware can be reprogrammed so that the device covertly issues commands and runs malicious programs on the victim's computer.
"Unlike traditional malware that resides in file systems and can often be detected with antivirus tools, BadUSB lives in the firmware layer," Ivanti said in a description of the threat released last month. "Once connected to your computer, a BadUSB device can emulate a keyboard and enter malicious commands, install a backdoor or keylogger, redirect internet traffic, [and] exfiltrate sensitive data."
In recent years, Google-owned Mandiant and the U.S. Federal Bureau of Investigation (FBI) have warned that FIN7, a financially motivated threat group, mailed malicious BadUSB devices to U.S.-based organizations in order to deliver malware called DICELOADER.

The latest findings from Eclypsium show that USB peripherals such as Linux-powered webcams, which were never intended to be malicious, can be turned into a vector for BadUSB attacks, marking a serious escalation. Specifically, such devices can be hijacked remotely and converted into BadUSB devices without ever being physically unplugged or replaced.
"Attackers who gain remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to act as a malicious HID or to emulate additional USB devices," the researchers explained.
"Once weaponized, a seemingly harmless webcam can inject keystrokes, deliver malicious payloads, and act as a deeper, persistent foothold."
Furthermore, threat actors with the ability to modify the webcam's firmware can achieve a higher level of persistence, allowing them to reinfect the victim's computer with malware even after it has been wiped and the operating system reinstalled.
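The practical signature of the attack described above is a webcam that, after being reflashed, enumerates a keyboard (HID) interface alongside its video interfaces. The following script is an added example, not Eclypsium's tooling or anything from the BadCam report: it audits a constructed listing of USB devices, modelled on the bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol values Linux exposes under /sys/bus/usb/devices, and flags (a) any video-class device that presents a boot-protocol keyboard interface and (b) any known device whose interface set has grown beyond a recorded baseline. The vendor:product identifiers, the listing format and all device records are constructed for the example. Because some legitimate webcams do expose an HID interface for buttons or controls, the baseline comparison matters more than the class check alone.

```python
"""Flag webcams that start presenting a keyboard interface.

Added example (not the page's or Eclypsium's code). The listing format
'vid:pid cls/sub/proto,cls/sub/proto' is constructed for this demo; a real
collector would read idVendor, idProduct and the per-interface bInterface*
files from /sys/bus/usb/devices.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

USB_CLASS_HID = 0x03          # Human Interface Device (keyboards, mice, ...)
USB_CLASS_VIDEO = 0x0E        # USB Video Class, what a webcam normally exposes
HID_PROTOCOL_KEYBOARD = 0x01  # boot-protocol keyboard


@dataclass(frozen=True)
class Interface:
    """One USB interface: bInterfaceClass/SubClass/Protocol."""
    cls: int
    subclass: int
    protocol: int

    def __str__(self) -> str:
        return f"{self.cls:02x}/{self.subclass:02x}/{self.protocol:02x}"


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    interfaces: Tuple[Interface, ...]

    @property
    def ident(self) -> str:
        return f"{self.vid:04x}:{self.pid:04x}"


def parse_listing(text: str) -> List[UsbDevice]:
    """Parse the constructed 'vid:pid cls/sub/proto,...' listing."""
    devices = []
    for line in text.strip().splitlines():
        ident, ifaces = line.split()
        vid, pid = (int(x, 16) for x in ident.split(":"))
        parsed = tuple(
            Interface(*(int(v, 16) for v in entry.split("/")))
            for entry in ifaces.split(",")
        )
        devices.append(UsbDevice(vid, pid, parsed))
    return devices


def audit_device(dev: UsbDevice,
                 baseline: Dict[str, Tuple[Interface, ...]]) -> List[str]:
    """Return human-readable findings for one device (empty list = clean)."""
    findings = []
    classes = {i.cls for i in dev.interfaces}
    # (a) A video device should never speak boot-protocol keyboard.
    if USB_CLASS_VIDEO in classes:
        for iface in dev.interfaces:
            if iface.cls == USB_CLASS_HID and iface.protocol == HID_PROTOCOL_KEYBOARD:
                findings.append(
                    f"{dev.ident}: video device exposes a keyboard interface ({iface})")
    # (b) Any interface not seen when the device was first inventoried.
    known = baseline.get(dev.ident)
    if known is not None:
        added = set(dev.interfaces) - set(known)
        if added:
            desc = ", ".join(
                str(i) for i in sorted(added, key=lambda i: (i.cls, i.subclass, i.protocol)))
            findings.append(f"{dev.ident}: interfaces not in baseline: {desc}")
    return findings


def run_audit(current_text: str, baseline_text: str) -> Dict[str, List[str]]:
    """Audit every device in the current listing against the baseline."""
    baseline = {d.ident: d.interfaces for d in parse_listing(baseline_text)}
    return {d.ident: audit_device(d, baseline) for d in parse_listing(current_text)}


# Constructed sample data: two webcams as first inventoried.
# 1234:5678 is a plain UVC camera (video control + streaming, plus audio).
# abcd:0001 legitimately ships a non-keyboard HID interface for its buttons.
BASELINE_LISTING = """
1234:5678 0e/01/00,0e/02/00,01/01/00,01/02/00
abcd:0001 0e/01/00,0e/02/00,03/00/00
"""

# The same two cameras later: 1234:5678 now also enumerates a boot keyboard.
CURRENT_LISTING = """
1234:5678 0e/01/00,0e/02/00,01/01/00,01/02/00,03/01/01
abcd:0001 0e/01/00,0e/02/00,03/00/00
"""

if __name__ == "__main__":
    for ident, findings in run_audit(CURRENT_LISTING, BASELINE_LISTING).items():
        print(ident, "clean" if not findings else "")
        for f in findings:
            print("  !", f)
```

Run on a real host, the baseline would be captured once after provisioning and re-checked on every enumeration (for instance from a udev add event); a camera that begins presenting a keyboard interface, or any interface it did not have at inventory time, is worth pulling and reflashing with vendor firmware rather than trusting.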

The vulnerabilities, found in the Lenovo 510 FHD and Lenovo Performance FHD webcams, stem from the devices not validating firmware before accepting it.
Following responsible disclosure to Lenovo in April 2025, the PC maker released a firmware update (version 4.8.0) to mitigate the vulnerability, and worked with the Chinese company SigmaStar to release a tool that fixes the issue.
"This first-of-its-kind attack highlights a subtle but deeply problematic vector. Enterprise and consumer computers often trust internal and external peripherals."
"In the context of a Linux webcam, unsigned or unprotected firmware allows an attacker to compromise not just the host; the camera itself can be moved, spread the infection, and target future hosts, circumventing traditional controls."