
BadCam: New BadUSB Attack Turns Linux Webcams Into Persistent Threats 

Eclypsium researchers have demonstrated a BadCam attack against Lenovo cameras, but others may be impacted as well.


Researchers at supply chain risk management firm Eclypsium have shown how Linux-based webcams can be weaponized and turned into persistent threats.

The attack method was demonstrated by Eclypsium researchers against two Lenovo-branded webcams — Lenovo 510 FHD and Lenovo Performance FHD Web — that are powered by a System on Chip (SoC) and firmware made by Chinese company SigmaStar.

The researchers showed how these types of cameras can be leveraged for BadUSB attacks, a type of attack that has been known for more than a decade. In a BadUSB attack, the attacker modifies the firmware of a harmless-looking USB device such as a flash drive or keyboard to execute malicious commands when connected to a computer. 

A BadUSB device can be used to launch malware, escalate privileges, inject keystrokes, and steal valuable data from the targeted computer.  

Eclypsium researchers have identified a variant of the attack that targets Linux-based webcams. The method, dubbed BadCam, does not necessarily require physical access to the USB device that is about to be weaponized, as is the case with typical BadUSB attacks.

Instead, an attacker who can achieve remote code execution on a computer can reflash the firmware of the attached webcam and turn it into a BadUSB device. 


“Attackers can achieve a level of persistence far greater than other techniques,” Eclypsium explained. “Once the attacker has modified the firmware, the webcam can be used to re-infect the host computer. Even if the host computer is completely wiped and the operating system is reinstalled, the attacker can consistently re-infect the host computer.”

The attack is possible in the case of the Lenovo webcams due to a missing firmware signature validation vulnerability. An attacker can use two commands present in the firmware update software to easily deploy malicious firmware from the compromised computer.

The security firm pointed out that a Linux kernel vulnerability tracked as CVE-2024-53104, which is known to have been exploited in the wild, can be leveraged to take control of the host in order to deploy malicious firmware on the connected USB camera. 

Lenovo has been notified and it has assigned CVE-2025-4371 to the vulnerability. The company has patched the issue with the release of firmware version 4.8.0.

While Eclypsium’s research focused on Lenovo webcams, other cameras and USB peripherals running Linux may be vulnerable as well.
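A reflashed peripheral that starts acting as a BadUSB device has to enumerate with interfaces it did not have before, such as a keyboard (HID) interface on a camera. The following is an added example, not code from Eclypsium, Lenovo or this article: a Linux host check that reads USB interface classes from sysfs and compares them with a recorded inventory. The `BASELINE` contents and the `ffff:0001` identifier are constructed placeholders.

```python
import os

# USB-IF base class codes as reported in bInterfaceClass
VIDEO, HID, MASS_STORAGE = 0x0E, 0x03, 0x08
NAMES = {0x01: "audio", HID: "HID", MASS_STORAGE: "mass-storage", VIDEO: "video"}
# Constructed placeholder inventory: "vid:pid" -> classes recorded when trusted.
BASELINE = {"ffff:0001": {VIDEO}}

def _attr(directory, name):
    with open(os.path.join(directory, name)) as fh:
        return fh.read().strip()

def read_sysfs(root="/sys/bus/usb/devices"):
    """Return {device path: ("vid:pid", {interface class codes})} from sysfs."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:            # interface dirs look like "1-2:1.0"
            continue
        parent = entry.split(":", 1)[0]
        try:
            dev = os.path.join(root, parent)
            ident = f"{_attr(dev, 'idVendor')}:{_attr(dev, 'idProduct')}"
            cls = int(_attr(os.path.join(root, entry), "bInterfaceClass"), 16)
        except (OSError, ValueError):   # root-hub interfaces, unplug races
            continue
        devices.setdefault(parent, (ident, set()))[1].add(cls)
    return devices

def audit(devices, baseline):
    """Flag interfaces missing from the baseline; without a baseline entry,
    fall back to the heuristic 'video device that also exposes HID/storage'."""
    findings = []
    for path, (ident, classes) in sorted(devices.items()):
        if ident in baseline:
            extra, reason = classes - baseline[ident], "interface not in baseline"
        elif VIDEO in classes:
            extra, reason = classes & {HID, MASS_STORAGE}, "video device also exposes"
        else:
            continue
        if extra:
            names = sorted(NAMES.get(c, hex(c)) for c in extra)
            findings.append((path, ident, reason, names))
    return findings

if __name__ == "__main__":
    for finding in audit(read_sysfs(), BASELINE):
        print(*finding)
```

The fallback heuristic can fire on a camera that ships with an HID interface of its own, so recording a baseline per model gives the more reliable signal. The check only sees what the device currently enumerates; it does not replace updating to the patched firmware.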

The research was presented over the weekend at the DEF CON hacker convention, and Eclypsium has also published a blog post detailing its findings.  



Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
