BadCam: Turning Linux Webcams Into BadUSB Attack Tools – Eclypsium


Eclypsium researchers have discovered vulnerabilities in USB webcams that allow attackers to turn them into BadUSB attack tools. This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system. Principal security researchers Jesse Michael and Mickey Shkatov presented this research at DEF CON 2025.

TL;DR

Eclypsium researchers discovered that select model webcams from Lenovo run Linux, do not validate firmware, and can be weaponized as BadUSB devices.

To our knowledge, this is the first time it has been demonstrated that attackers can weaponize a USB device that is already attached to a computer that was not initially intended to be malicious.

Two attack paths are possible: 1) An attacker can send someone a backdoored webcam (or, with physical access, attach a weaponized webcam to a computer) or 2) remotely compromise a computer and infect the Linux-based webcam to perform attacks.

While this research focuses on two models of Lenovo webcams, other webcams and USB peripherals that run Linux may also be vulnerable.

Attackers who gain control of Linux-based USB peripherals could also launch other attacks, depending on the device capabilities, including interacting with WiFi and/or Bluetooth.

Detecting these attacks is challenging, as the malicious USB device could re-infect the host and provide stealth and persistence to the attacker(s).

Introduction to BadUSB Attacks

BadUSB attacks represent a powerful and nefarious class of threats that exploit the fundamental trust placed between platforms and USB devices. First demonstrated at Black Hat 2014 by Karsten Nohl and Jakob Lell, the BadUSB attack leverages the ability to reprogram the firmware of common USB peripherals—like flash drives, keyboards, and even webcams—to masquerade as human interface devices (HID) and silently execute malicious commands when connected to a computer. 

The flaw lies in the USB specification itself, which lacks firm protections against unauthorized firmware modification. As a result, attackers have been able to turn USB devices into a stealthy attack tool capable of bypassing traditional endpoint defenses, launching malware, exfiltrating data, and elevating privileges on the host system.

Over the years, BadUSB attacks have evolved and have been weaponized in real-world campaigns. Criminal groups (and penetration testers) have dropped malicious USB keys in public places or mailed them in deceptive packages, tricking victims into plugging them into corporate machines. Once inserted, BadUSB devices often emulate keyboards and rapidly issue keystrokes to open terminals, execute commands, and install malware, sometimes leading to ransomware outbreaks targeting enterprise networks.

BadUSB: Modern Tools and Techniques

The ecosystem of BadUSB tools and techniques has grown since its discovery in 2014:

Hardware platforms, such as Hak5 Rubber Ducky, Hak5 Bash Bunny, Flipper Zero, and custom Arduino boards, enable attackers and penetration testers to craft programmable USB devices that can mimic keyboards, mice, storage devices, or combinations thereof.

The USB Army Knife project converts an ESP32-S3-based Lilygo T-Dongle S3 into a BadUSB attack tool for $11.99.

Open source payloads and scripting frameworks are now widely available, allowing even novice attackers to develop sophisticated USB-based exploits.

BadUSB attacks frequently go undetected by antivirus/antimalware software, as malicious code resides in the device controller, hidden from the operating system and endpoint detection tools.

These developments have made BadUSB attacks more modular and persistent, complicating the job of defenders tasked with securing physical ports and the USB stack.

The Next Evolution: Weaponizing Linux Webcams

Eclypsium researchers Jesse Michael and Mickey Shkatov have expanded the BadUSB threat landscape by demonstrating that specific USB peripherals, such as webcams running Linux, can themselves be remotely hijacked and transformed into BadUSB devices without ever being physically unplugged or replaced. This marks a notable evolution: an attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices. Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.

Attackers can achieve a level of persistence far greater than other techniques. Once the attacker has modified the firmware, the webcam can be used to re-infect the host computer. Even if the host computer is completely wiped and the operating system is reinstalled, the attacker can consistently re-infect the host computer.

This first-of-its-kind attack highlights a subtle but deeply problematic vector: enterprise and consumer computers often trust their internal and external peripherals, even when those peripherals are capable of running their own operating systems and accepting remote instructions. In the context of Linux webcams, unsigned or poorly protected firmware allows an attacker to subvert not just the host but also any future hosts the camera connects to, propagating the infection and sidestepping traditional controls.

Linux USB Gadgets: A Key Feature For This Attack

A Linux USB gadget is a kernel feature that allows a Linux-based device to present itself as a USB peripheral—such as a mass storage disk, network adapter, serial port, or even a keyboard—to another computer (the USB host). This capability is widespread on embedded hardware with a USB Device Controller (UDC), such as single-board computers (Raspberry Pi, BeagleBone), smartphones, or other IoT and industrial devices. The Linux USB gadget is the key feature that allows USB peripherals to behave as malicious devices, impersonate trusted USB devices, and essentially become either keyboards (HID devices) or network interfaces.
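One defender-side check that follows directly from this, written here as an added example (not code from Eclypsium, Lenovo or the original post): a camera that enumerates with HID, CDC/RNDIS, mass-storage or wireless interface classes in addition to its UVC video interface is behaving like a USB gadget rather than a webcam. The sysfs walker assumes the standard Linux layout under /sys/bus/usb/devices; the sample descriptors are constructed, not captured from real hardware.

```python
#!/usr/bin/env python3
"""Flag USB devices whose interface classes a webcam should never need."""
from pathlib import Path

USB_CLASS_NAMES = {0x01: "audio", 0x02: "cdc-control", 0x03: "hid",
                   0x08: "mass-storage", 0x0A: "cdc-data", 0x0E: "video",
                   0xE0: "wireless"}
# Classes that give a gadget keystroke injection, storage or a network path.
GADGET_CLASSES = {0x03, 0x02, 0x0A, 0x08, 0xE0}


def assess_device(product, interface_classes):
    """Return findings for one device.

    product: the USB product string; interface_classes: the bInterfaceClass
    of every interface the device enumerates with (one entry per interface).
    A camera legitimately needs only video (UVC) and perhaps audio (UAC).
    """
    classes = set(interface_classes)
    looks_like_camera = 0x0E in classes or "cam" in product.lower()
    unexpected = classes & GADGET_CLASSES
    if not looks_like_camera or not unexpected:
        return []
    names = sorted(USB_CLASS_NAMES.get(c, f"0x{c:02x}") for c in unexpected)
    return [f"{product}: camera also exposes {', '.join(names)} interface(s)"]


def read_sysfs_device(dev_dir):
    """Collect (product, [bInterfaceClass, ...]) for one sysfs device entry."""
    product_file = dev_dir / "product"
    product = product_file.read_text().strip() if product_file.exists() else dev_dir.name
    # Interface entries live in subdirectories such as 1-1/1-1:1.0/bInterfaceClass
    classes = [int(p.read_text(), 16) for p in dev_dir.glob("*/bInterfaceClass")]
    return product, classes


def scan_sysfs(root="/sys/bus/usb/devices"):
    """Run assess_device over every USB device on a live Linux host."""
    findings = []
    for dev_dir in Path(root).iterdir():
        if (dev_dir / "idVendor").exists():  # device entries, not interface entries
            findings += assess_device(*read_sysfs_device(dev_dir))
    return findings


# Constructed sample descriptors (hypothetical, not captured from real hardware).
SAMPLE_DEVICES = {
    "benign": ("Lenovo 510 FHD Webcam", [0x0E, 0x0E, 0x01, 0x01]),
    "badcam": ("Lenovo 510 FHD Webcam", [0x0E, 0x0E, 0x03, 0x02, 0x0A]),
}

if __name__ == "__main__":
    for label, (product, classes) in SAMPLE_DEVICES.items():
        print(label, assess_device(product, classes) or "clean")
    print(scan_sysfs() if Path("/sys/bus/usb/devices").exists() else "no sysfs")
```

Running it periodically and diffing the result against a baseline taken at provisioning time catches a camera whose descriptor set changed after a firmware reflash, even though the device keeps working as a camera.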

The scope of this attack vector may also be broader than we expected. Surely the cameras we tested are not the only devices that run Linux and fail to validate the firmware. After a brief investigation, it turns out there are several different makes and models of webcams that use Linux running on similar hardware platforms. Do these devices contain identical (or other) vulnerabilities that allow an attacker to turn them into their own platforms to conduct malicious operations? While further research must be conducted to validate these theories, this attack is not limited to webcams. Conceivably, any USB-attached device that runs Linux and does not validate firmware could be susceptible to the very same attacks.

What does this mean? The cat is out of the bag. The hunt will now continue to discover and weaponize USB-attached devices, turning them into attacker tools, while still maintaining the devices’ intended functionality. There is now a place for attackers to hide, lurk, and wait for the right moments to infect hosts, steal information, and create covert channels.

Detailed Findings: Missing Firmware Signature Validation

Eclypsium research has discovered that both the Lenovo 510 FHD and Lenovo Performance FHD webcams are vulnerable to an insecure firmware update, leading to a complete compromise of the camera software.

Lenovo 510 FHD Webcam

Lenovo Performance FHD Webcam

SigmaStar is the upstream manufacturer. SigmaStar is a technology company specializing in the design and development of SoCs (System on Chip) and solutions for edge-side devices. They focus on smart vision, smart mobility, smart home, and smart industry applications. Their products include chips for various applications, such as IP cameras, USB cameras, NVRs, DVRs, vehicle electronics, action cameras, and more. SigmaStar is known for its expertise in image signal processing (ISP) and audio/video encoding and decoding. The company was founded in 2017 and is based in Xiamen, China.

Given that these webcams are running Linux with USB Gadget support, this can lead to a complete compromise of the host via BadUSB-style attacks (e.g., Rubber Ducky, O.MG Cable, Bash Bunny).

During the investigation it was found that these webcams use an ARM-powered SoC made by SigmaStar (SSC9351D), a highly integrated USB camera SoC with a dual-core ARM Cortex-A7 CPU and 1Gb or 2Gb of embedded 16-bit DDR3 memory, which allows a Linux-powered software stack to run on the camera; specifically, for the 510 FHD:

FW VERSION:CMK-HD510-OT1917-FW-4.6.2,buildate:Jun 7 2022,20:57:26

Linux (none) 4.9.84 #445 SMP PREEMPT Tue Mar 22 17:08:22 CST 2022 armv7l GNU/Linux

The process of the firmware update involves sending the following commands over USB to the camera; these commands are conveniently included with the firmware update software:

#
sf probe 0
sf erase 0x50000 0x7B0000
tftp 0x21000000 lenovo_hd510_ota_v4.6.2.bin
sf write 0x21000000 0x50000 0x7B0000
%

This simple sequence of actions will promptly erase the onboard 8MB SPI flash and write the contents of the specified file directly to the flash at the designated address and offsets, resulting in a complete compromise of the camera.

Attack demo / PoC Code

Note: CISA KEV has a vulnerability released in February 2025 that could be part of the attack chain for this if the host is vulnerable.

Mitigation of Vulnerabilities

Eclypsium recommended that Lenovo investigate with SigmaStar any possible mitigations for firmware verification to be added via existing mechanisms in the relevant SOC SKUs and implement them as soon as possible. There may be other mitigations that Eclypsium is not aware of, and as such, these mitigation recommendations should not be taken verbatim and must be considered appropriately. During the disclosure process, Lenovo created an updated firmware installation tool to address the firmware signature validation flaw. For users of the affected Lenovo webcams, please visit the Lenovo support site to obtain firmware updates to mitigate the vulnerabilities. Lenovo has worked with SigmaStar to assess this issue and has released a tool that addresses the security vulnerability.

Known affected platforms

Vendor   Model                    Part Number   FRU Number   Firmware Update Link
Lenovo   510 FHD Webcam           GXC1D66063    5C21E09202   v4.8.0
Lenovo   Performance FHD Webcam   4XC1D66055    5C21D66059   v4.8.0

Conclusion

As device supply chains continue to diversify and USB peripherals grow more complex, these attacks underscore the urgent need for firmware signing, device attestation, and more granular visibility into precisely what is plugged into enterprise endpoints. With BadUSB now possible through not just physical access but also remote manipulation of everyday peripherals, organizations must rethink both endpoint and hardware trust models.

References

Disclosure timeline:

August 8, 2025 – Eclypsium researchers present the findings at the DEF CON security conference, and associated Lenovo advisories and updated tools are published.

August 6, 2025 – Eclypsium responds to Lenovo, stating that the slides have been updated to include accurate information about the support status of both camera models and includes the attachment of the video demo. 

August 5, 2025 – Lenovo clarifies that the devices included in this disclosure are currently supported, hence the release of the updated firmware update tool. Lenovo recommends that clearer language on the fixes and security advisories be added to the blog (Note: Eclypsium has added this information to this blog post). Lenovo requests access to the demo videos included in the blog post that were not initially sent to Lenovo. Lenovo states that they are reaching out to SigmaStar to get the missing GPL source code files.

July 30, 2025 – Eclypsium sends Lenovo advanced copies of the DEF CON presentation slides and draft blog post. Eclypsium researchers also communicate that some of the GPL components are missing from the packages that Lenovo shared previously.

July 29, 2025 – Lenovo contacts Eclypsium and states the fixed firmware update tool will be published on August 1, 2025, and a full advisory on August 8, 2025 and shares a copy of the advisory. 

July 18, 2025 – Eclypsium responds with feedback on the firmware update tool and plans to share the slides and blog post. Lenovo responds with instructions for downloading the GPL source code.

July 17, 2025 – Lenovo contacts Eclypsium and provides updates on sharing the GPL source code, planning the publication date for the fix, and requesting copies of the blog post and the presentation slides.

July 15, 2025 – Eclypsium contacts Lenovo PSIRT and requests (again) the GPL code and an update on when the advisory from Lenovo will go out.

July 8, 2025 – Eclypsium states that the GPL source code previously shared with Eclypsium doesn’t entirely match the code running on the device and requests the GPL code that matches the devices being tested.

July 7, 2025 – Due to time constraints, Eclypsium cannot yet confirm if the firmware update resolves the issue.

July 1, 2025 – Lenovo PSIRT shares the firmware update with Eclypsium, which contains fixes for the issue, and requests that Eclypsium retest.

June 16, 2025 – Lenovo PSIRT inquires whether the DEFCON presentation will be shared with Lenovo before the conference. Eclypsium responds, stating that we will share the presentation once a complete working copy is available.

June 10, 2025 – Eclypsium notified Lenovo PSIRT that the submission to the DEFCON security conference has been accepted.

June 6, 2025 – Lenovo PSIRT communicated that they will provide a fix for this issue in the Lenovo 500 FHD and Performance FHD web cameras and plan to release fixes on July 8, 2025, for these devices.

May 13, 2025 – Lenovo PSIRT confirms they have reserved CVE-2025-4371 for this issue and will issue an advisory on June 10, 2025.

April 30, 2025 – Lenovo PSIRT states that the Lenovo 510 FHD webcam uses Linux rather than an RTOS, and the U-boot and Linux kernel source code will be shared with Eclypsium.

April 24, 2025 – Lenovo PSIRT communicated that the operating system is licensed under the MIT license, and the U-boot implementation is under the GPL license. Firmware for the camera models is developed by SigmaStar, and the U-Boot source code can be shared with Eclypsium.

April 16-18, 2025 – Eclypsium contacted Lenovo PSIRT for an update. Lenovo PSIRT responded and stated that the Lenovo 500 FHD and Performance FHD have reached End of Development Support and do not qualify for a firmware update to mitigate the issue. Eclypsium communicated that we would be presenting our findings at the upcoming DEFCON security conference. Eclypsium requested GPL code per the open-source licensing. 

April 3-4, 2025 – Eclypsium contacted Lenovo for an update. Lenovo PSIRT responded and stated they are working with engineering to assess. Eclypsium stated a blog post draft will be shared with Lenovo prior to public announcement.

March 21, 2025 – Initial disclosure (June 20, 2025 set as the public disclosure date)

March 23, 2025 – Response from Lenovo: “We are tracking this issue as LEN-194466 and it is currently being reviewed by our development team. We will provide an update to you once our initial assessment is complete. Please let us know your disclosure policy, any public disclosure plans and how you prefer to be acknowledged in a security advisory if one is published.”

Eclypsium responded: “Our standard disclosure policy is 90 days, and the public disclosure date is currently June 20, 2025. This information, along with the researchers’ names, is in the attachment in the initial email.”

April 3, 2025 – Eclypsium contacted Lenovo PSIRT for any updates.

April 4, 2025 – Lenovo PSIRT responded and stated they are working with the development teams to assess the issue with the web camera products. Lenovo PSIRT asked if Eclypsium will share the draft blog post with them prior to publication.

April 4, 2025 – Eclypsium responded to Lenovo PSIRT and indicated that the blog post draft will be shared with them prior to publication.
