• Researchers claim to have found a way to turn a Lenovo webcam into a BadUSB device
  • BadUSB is a class of attack in which a USB device's firmware is reprogrammed so the device poses as a keyboard or other peripheral and injects commands into the host
  • Lenovo released a firmware update, so users should patch now

Your device’s webcam can be reprogrammed to turn on you and serve as a backdoor for a threat actor, experts have warned.

Security researchers at Eclypsium claim certain Lenovo webcam models powered by Linux can be turned into so-called “BadUSB” devices.

The bug is now tracked as CVE-2025-4371. It still doesn’t have a severity score, but it has a nickname – BadCam.

Reflashing firmware

Roughly a decade ago, in 2014, researchers showed that the firmware of a USB device could be reprogrammed so that the device presents itself to the host as something else: a keyboard, a network card, or another device class. A device posing as a keyboard can type commands, install malware, or steal data, and its biggest advantage over traditional malware is that the malicious logic lives in the device's firmware rather than in a file on disk, so host-side antivirus and file scanning never see it; the host simply trusts whatever the "keyboard" types.

The technique was dubbed "BadUSB", and it was later abused in the wild when the FIN7 threat group mailed weaponized USB drives to US-based organizations. At one point, the FBI even warned people not to plug in USB devices found in office toilets or airports, or received in the post.

Now, Eclypsium says that the same thing can be done with certain USB webcams, built by Lenovo and powered by Linux.

“This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system,” Eclypsium told The Hacker News.

“An attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices,” the researchers explained.

“Once weaponized, the seemingly innocuous webcam can inject keystrokes, deliver malicious payloads, or serve as a foothold for deeper persistence, all while maintaining the outward appearance and core functionality of a standard camera.”

Reflashing the camera requires the attacker to already have code execution on the host it is attached to, so on its own the bug does not give them a way in. What it gives them is persistence: firmware living in the camera survives a reinstall of the operating system, a disk wipe, and anything host-based antimalware can scan, while the camera keeps working normally in the meantime. It also means a camera obtained second-hand or from an untrustworthy seller could arrive already weaponized, so users should not plug in other people's webcams or buy such products from shady internet shops.
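Because a reflashed camera keeps working as a camera, the only thing a host can see change is the set of USB functions the device enumerates: a webcam that suddenly also presents a HID (keyboard) interface, or comes back with new vendor and product IDs, as described in the Eclypsium quotes above and in the BadUSB background earlier on this page. The following is an added example, not Eclypsium's tooling or Lenovo's, of a Linux host-side check: it walks a /sys/bus/usb/devices-shaped tree, flags devices that expose HID next to another function, and diffs the result against a baseline taken while the hardware was known-good. The sample tree, its vendor/product IDs and the baseline are constructed for the example, and the sysfs layout it assumes (idVendor/idProduct per device, bInterfaceClass per interface subdirectory) is the standard Linux one.

```python
import tempfile
from pathlib import Path

USB_CLASS_HID = 0x03    # keyboard/mouse class: what a BadUSB device pretends to be
USB_CLASS_VIDEO = 0x0E  # USB Video Class (UVC): the only function a webcam needs


def _read_attr(path: Path, default: str = "") -> str:
    """Read one sysfs attribute; a missing file or non-directory parent yields default."""
    try:
        return path.read_text().strip()
    except OSError:
        return default


def enumerate_usb_devices(sysfs_root="/sys/bus/usb/devices"):
    """One record per USB device under a /sys/bus/usb/devices-shaped tree.

    Device dirs carry idVendor/idProduct; each interface is a subdirectory
    named <dev>:<config>.<iface> carrying bInterfaceClass. Top-level
    interface symlinks have no idVendor and are skipped.
    """
    devices = []
    for dev in sorted(Path(sysfs_root).iterdir()):
        if not (dev / "idVendor").is_file():
            continue
        classes = set()
        for child in dev.iterdir():
            cls = _read_attr(child / "bInterfaceClass")
            if cls:
                classes.add(int(cls, 16))
        devices.append({
            "path": dev.name,
            "vid": _read_attr(dev / "idVendor"),
            "pid": _read_attr(dev / "idProduct"),
            "product": _read_attr(dev / "product", "?"),
            "classes": frozenset(classes),
        })
    return devices


def flag_hid_composites(devices):
    """Devices presenting a HID interface next to some other function.

    Heuristic only: a few legitimate cameras expose HID for buttons, so hits
    are candidates to check against a baseline, not a verdict.
    """
    return [d for d in devices
            if USB_CLASS_HID in d["classes"] and d["classes"] - {USB_CLASS_HID}]


def diff_against_baseline(devices, baseline):
    """Devices whose (vendor, product, interface classes) triple is absent from a
    known-good baseline: a camera reflashed to grow a HID interface, or one
    that now reports different IDs, lands here."""
    known = {(b["vid"], b["pid"], b["classes"]) for b in baseline}
    return [d for d in devices if (d["vid"], d["pid"], d["classes"]) not in known]


# Constructed sample data (not captured from real hardware; IDs are placeholders).
# Device 1-3 is a camera that after a reflash enumerates a HID interface as well.
SAMPLE_DEVICES = {
    "1-1": ("1234", "0001", "Plain UVC webcam", [0x0E, 0x0E]),
    "1-2": ("1234", "0002", "USB keyboard", [0x03]),
    "1-3": ("1234", "0003", "Webcam, reflashed", [0x0E, 0x0E, 0x03]),
}

# Constructed baseline of the same devices as they looked before the reflash.
KNOWN_GOOD_BASELINE = [
    {"vid": "1234", "pid": "0001", "classes": frozenset({USB_CLASS_VIDEO})},
    {"vid": "1234", "pid": "0002", "classes": frozenset({USB_CLASS_HID})},
    {"vid": "1234", "pid": "0003", "classes": frozenset({USB_CLASS_VIDEO})},
]


def build_sample_tree(root: Path):
    """Lay SAMPLE_DEVICES out on disk in the shape of /sys/bus/usb/devices."""
    for name, (vid, pid, product, iface_classes) in SAMPLE_DEVICES.items():
        dev = root / name
        dev.mkdir()
        (dev / "idVendor").write_text(vid + "\n")
        (dev / "idProduct").write_text(pid + "\n")
        (dev / "product").write_text(product + "\n")
        for n, cls in enumerate(iface_classes):
            iface = dev / f"{name}:1.{n}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(f"{cls:02x}\n")
            try:  # real sysfs also links each interface at the top level
                (root / iface.name).symlink_to(iface)
            except OSError:
                pass


def scan_sample():
    """Run both checks over the constructed tree; returns (flagged, not_in_baseline)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        devices = enumerate_usb_devices(root)
        flagged = [d["path"] for d in flag_hid_composites(devices)]
        changed = [d["path"] for d in diff_against_baseline(devices, KNOWN_GOOD_BASELINE)]
        return flagged, changed


if __name__ == "__main__":
    flagged, changed = scan_sample()
    print("HID next to another function:", flagged)   # ['1-3']
    print("Not in known-good baseline:", changed)     # ['1-3']
    live = Path("/sys/bus/usb/devices")
    if live.is_dir():  # the real system, when run on Linux
        for d in flag_hid_composites(enumerate_usb_devices(live)):
            print("live candidate:", d["path"], d["vid"], d["pid"], d["product"])
```

Run once on a clean system to record the baseline, then periodically or on hotplug; a camera that starts presenting class 0x03 is worth pulling and reflashing with the vendor's signed firmware. The HID heuristic alone gives false positives on cameras that legitimately carry a button interface, which is why the baseline diff is the check to alert on.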

The Lenovo 510 FHD and Lenovo Performance FHD webcams are the affected models, and Lenovo has released firmware version 4.8.0 to address the issue.

By admin