BadCam Vulnerabilities in Lenovo Webcams Enable BadUSB Attacks


Cybersecurity researchers from Eclypsium have identified critical vulnerabilities in select Lenovo webcams that could allow attackers to transform them into BadUSB devices, enabling covert keystroke injection and malicious operations independent of the host operating system.
The flaws, tracked as CVE-2025-4371 and collectively nicknamed "BadCam", were disclosed at the DEF CON 33 security conference.
What is BadUSB?
BadUSB is an attack technique first demonstrated in 2014 by security experts Karsten Nohl and Jakob Lell. It exploits weaknesses in USB firmware, allowing the device to be reprogrammed to:
- Emulate keyboards to issue malicious commands.
- Install backdoors or keyloggers.
- Redirect network traffic.
- Exfiltrate sensitive data.
Unlike traditional malware that resides on the file system (and can be detected by antivirus tools), BadUSB operates at the firmware layer, making it stealthier and harder to detect.
How BadCam Works
Eclypsium’s research shows that Linux-powered USB peripherals, like certain Lenovo webcams, can be remotely hijacked and weaponized without being physically replaced or unplugged.
Attack Scenario
- An attacker gains remote access to a target system.
- They reflash the firmware of an attached webcam.
- The webcam is repurposed into a malicious Human Interface Device (HID) or programmed to emulate other USB devices.
Once weaponized, the webcam can:
- Inject keystrokes.
- Deliver malware payloads.
- Maintain persistent access.
The device retains its normal camera functionality, making detection difficult.
Because the malicious firmware lives on the webcam rather than on the host's disk, it could reinfect the system even after a full OS reinstall.
Vulnerable Devices
The vulnerabilities affect:
- Lenovo 510 FHD Webcam
- Lenovo Performance FHD Webcam
The issue arises because the devices:
- Do not validate firmware signatures.
- Run Linux with USB Gadget support, enabling firmware-level USB behavior changes.
Security Implications
This discovery highlights a new attack vector where everyday peripherals, often assumed safe, can become a long-term persistence mechanism for advanced threat actors.
Potential risks include:
- Physical access attacks (tampering with a webcam to compromise a system).
- Remote exploitation through compromised hosts.
- Supply chain threats via tampered peripherals sent to targets.
Past campaigns, such as those by the FIN7 cybercrime group, have used malicious USB devices to deploy malware like DICELOADER—but BadCam marks the first known example of hijacking an existing, legitimate USB device remotely.
Mitigation and Updates
Following responsible disclosure in April 2025, Lenovo:
- Released firmware version 4.8.0 to patch the flaws.
- Worked with SigmaStar to provide a dedicated security tool.
Recommendations:
- Update affected webcams immediately.
- Disable or restrict USB peripheral firmware updates where possible.
- Treat all USB devices, even trusted peripherals, as potential attack surfaces.
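One way to audit for the behaviour described under Attack Scenario, a camera that also presents itself as a HID, on a Linux host. This is an added example, not code from Eclypsium or Lenovo. The function names, the sample tree and its vendor/product IDs are constructed for illustration; the sysfs attribute names are the standard Linux USB ones.

```python
import tempfile
from pathlib import Path

VIDEO, HID = "0e", "03"          # USB interface class codes, as sysfs prints them
BOOT_KEYBOARD = ("01", "01")     # (bInterfaceSubClass, bInterfaceProtocol)

def _attr(node, name, default=""):
    try:
        return (node / name).read_text().strip()
    except OSError:
        return default

def find_camera_hid(sysfs_root="/sys/bus/usb/devices"):
    """Return a finding for each USB device with both a video and a HID interface."""
    root, findings = Path(sysfs_root), []
    for dev in sorted(root.iterdir()) if root.is_dir() else []:
        if ":" in dev.name or not (dev / "idVendor").exists():
            continue             # skip interface nodes such as "1-2:1.0"
        intfs = [(_attr(i, "bInterfaceClass"), _attr(i, "bInterfaceSubClass"),
                  _attr(i, "bInterfaceProtocol")) for i in root.glob(dev.name + ":*")]
        hid = [(sub, proto) for cls, sub, proto in intfs if cls == HID]
        if hid and any(cls == VIDEO for cls, _, _ in intfs):
            findings.append({
                "path": dev.name,
                "id": _attr(dev, "idVendor") + ":" + _attr(dev, "idProduct"),
                "product": _attr(dev, "product", "unknown"),
                "boot_keyboard": BOOT_KEYBOARD in hid,   # strongest signal
            })
    return findings

def make_sample_tree(root):
    """Constructed sysfs-like tree: one camera with video + boot-keyboard interfaces."""
    keys = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
    nodes = {"1-2": {"idVendor": "1234", "idProduct": "abcd", "product": "Sample Cam"},
             "1-2:1.0": dict(zip(keys, ("0e", "01", "00"))),   # video control
             "1-2:1.2": dict(zip(keys, ("03", "01", "01")))}   # HID boot keyboard
    for node, attrs in nodes.items():
        (Path(root) / node).mkdir(parents=True)
        for name, value in attrs.items():
            (Path(root) / node / name).write_text(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print("constructed sample:", find_camera_hid(tmp))
    print("this host:", find_camera_hid())
```

Some cameras legitimately expose a HID interface for buttons, so a finding without `boot_keyboard` needs a manual look at the device. The check is a point-in-time snapshot and only sees interfaces the device is presenting when it runs.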
This research underscores that USB trust is a security blind spot—peripherals capable of running their own OS should be subject to the same security scrutiny as any other endpoint.