Hackers Weaponized Linux Webcams as Attack Tools to Inject Keystrokes and Launch Attacks


A critical vulnerability was uncovered that transforms ordinary Linux-powered webcams into weaponized BadUSB attack tools, enabling remote hackers to inject malicious keystrokes and compromise target systems without detection. 

The research, presented at DEF CON 2025, demonstrates the first known case where attackers can remotely weaponize USB devices already connected to computers, marking a significant evolution in cyber attack methodologies.

Key Takeaways
1. Hackers remotely weaponize Lenovo webcams into keystroke-injecting BadUSB tools.
2. Attack survives system wipes by exploiting firmware validation flaws.
3. Lenovo issued fixes, but other Linux USB devices remain vulnerable.

Weaponizing Linux Webcams

Eclypsium reports that the security flaw affects Lenovo 510 FHD and Performance FHD webcams manufactured by SigmaStar, which utilize the ARM-powered SSC9351D System-on-Chip (SoC) processor featuring dual-core ARM Cortex-A7 CPU architecture with embedded DDR3 memory. 

These devices run a complete Linux operating system, specifically “Linux (none) 4.9.84 #445 SMP PREEMPT Tue Mar 22 17:08:22 CST 2022 armv7l GNU/Linux,” making them vulnerable to firmware manipulation attacks.

The critical vulnerability stems from the absence of firmware signature validation during the update process. Because the updater never checks who produced an image, an attacker can send specific commands over USB and overwrite the full contents of the camera’s 8MB SPI flash memory with firmware of their choosing.
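To make the missing check concrete, here is an added example (not Lenovo's, SigmaStar's or Eclypsium's code) of an updater that accepts any image with the right header next to one that verifies a detached ed25519 signature under a vendor public key and refuses version rollback. The image layout, the "FWIMG" magic, the version numbers and the payload are all constructed for the example; the real camera's image format is not described on the page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example only (not the Lenovo/SigmaStar format):
//   "FWIMG" (5 bytes) | version uint32 big-endian | payload ... | ed25519 signature (64 bytes)
const imageMagic = "FWIMG"
const headerLen = len(imageMagic) + 4
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort     = errors.New("firmware: image too short")
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrBadSignature = errors.New("firmware: signature does not verify")
	ErrRollback     = errors.New("firmware: version older than installed")
)

// acceptUnvalidated mirrors an updater with no signature check: any blob
// carrying the expected header is written to flash. This is the weak path.
func acceptUnvalidated(img []byte) bool {
	return len(img) >= headerLen && string(img[:len(imageMagic)]) == imageMagic
}

// acceptValidated is the hardened path: the image must carry a detached
// ed25519 signature that verifies under the vendor public key baked into the
// updater, and its version must not go backwards (anti-rollback).
// It returns the version that may now be written.
func acceptValidated(vendorPub ed25519.PublicKey, installed uint32, img []byte) (uint32, error) {
	if len(img) < headerLen+sigLen {
		return 0, ErrTooShort
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if string(body[:len(imageMagic)]) != imageMagic {
		return 0, ErrBadMagic
	}
	// Verify before trusting any other field: unsigned bytes are never parsed.
	if !ed25519.Verify(vendorPub, body, sig) {
		return 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[len(imageMagic):headerLen])
	if version < installed {
		return 0, ErrRollback
	}
	return version, nil
}

// buildImage produces a signed image. In practice this runs in the vendor's
// build pipeline with the private key, never on the device or in the updater.
func buildImage(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	buf.Write(ed25519.Sign(vendorPriv, buf.Bytes()))
	return buf.Bytes()
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	img := buildImage(priv, 480, []byte("constructed payload"))
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload byte after signing

	fmt.Println("unvalidated updater accepts tampered image:", acceptUnvalidated(tampered))
	_, err = acceptValidated(pub, 462, tampered)
	fmt.Println("validated updater rejects tampered image:", err)
	v, err := acceptValidated(pub, 462, img)
	fmt.Println("validated updater accepts genuine image, version", v, "err", err)
}
```

The check is only as strong as the place the public key lives: it has to sit in a part of flash the update path cannot overwrite (boot ROM or a locked bootloader region), otherwise the same unsigned write replaces the key along with the firmware.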

Attack Chain

The attack sequence involves executing commands such as sf probe 0, sf erase 0x50000 0x7B0000, and tftp 0x21000000 lenovo_hd510_ota_v4.6.2.bin, followed by sf write 0x21000000 0x50000 0x7B0000 to overwrite the firmware entirely.

The attack leverages Linux USB gadget functionality, a kernel feature that allows Linux-based devices to masquerade as various USB peripherals, including keyboards, mass storage devices, or network adapters. 

This capability transforms the webcam into a Human Interface Device (HID) capable of injecting keystrokes, executing malicious commands, and maintaining persistent access to compromised systems.
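A webcam that has been turned into a gadget still has to enumerate on the host, and that is where a defender can look: a UVC camera should present video (and perhaps audio) interfaces, not a keyboard, disk or network adapter alongside them. The following added example (not part of the Eclypsium research or any vendor tool) walks a sysfs tree in the layout of /sys/bus/usb/devices, reads bInterfaceClass for each interface, and reports devices that expose video together with HID, mass-storage or CDC interfaces. The root path is a parameter so the logic can be run against a constructed tree; the vendor/product ids in the usage are placeholders.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// USB interface class codes from the USB-IF class code list.
const (
	classAudio       = 0x01
	classCDC         = 0x02 // communications: Ethernet/serial gadgets
	classHID         = 0x03 // keyboards and mice
	classMassStorage = 0x08
	classVideo       = 0x0E // UVC webcams
)

// Finding describes one device that presents a video function alongside
// a function a webcam has no business exposing.
type Finding struct {
	Device  string   // sysfs device name, e.g. "1-2"
	VidPid  string   // idVendor:idProduct as read from sysfs ("?" when absent)
	Classes []string // the unexpected classes found
}

func readTrimmed(path string) string {
	b, err := os.ReadFile(path)
	if err != nil {
		return "?"
	}
	return strings.TrimSpace(string(b))
}

// ifaceClassesOf collects bInterfaceClass from every interface directory
// (<dev>:<config>.<iface>) beneath one device directory.
func ifaceClassesOf(devDir string) ([]int, error) {
	files, err := filepath.Glob(filepath.Join(devDir, "*:*", "bInterfaceClass"))
	if err != nil {
		return nil, err
	}
	var classes []int
	for _, f := range files {
		v, err := strconv.ParseUint(readTrimmed(f), 16, 8)
		if err != nil {
			continue // unreadable attribute; skip this interface
		}
		classes = append(classes, int(v))
	}
	return classes, nil
}

// unexpectedForWebcam returns the names of classes that should not appear on
// a device that also exposes UVC video. Audio is legitimate (built-in mic).
func unexpectedForWebcam(classes []int) []string {
	names := map[int]string{classCDC: "CDC/network", classHID: "HID/keyboard", classMassStorage: "mass-storage"}
	hasVideo := false
	for _, c := range classes {
		if c == classVideo {
			hasVideo = true
		}
	}
	if !hasVideo {
		return nil
	}
	seen := map[string]bool{}
	var out []string
	for _, c := range classes {
		if n, ok := names[c]; ok && !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// scanUSB walks a sysfs-style tree (normally /sys/bus/usb/devices) and
// reports video devices that also enumerate HID, storage or network functions.
func scanUSB(root string) ([]Finding, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		name := e.Name()
		// Skip interface entries ("1-2:1.0") and root hubs ("usb1").
		if strings.Contains(name, ":") || strings.HasPrefix(name, "usb") {
			continue
		}
		devDir := filepath.Join(root, name)
		classes, err := ifaceClassesOf(devDir)
		if err != nil {
			return nil, err
		}
		if bad := unexpectedForWebcam(classes); len(bad) > 0 {
			vidpid := readTrimmed(filepath.Join(devDir, "idVendor")) + ":" + readTrimmed(filepath.Join(devDir, "idProduct"))
			findings = append(findings, Finding{Device: name, VidPid: vidpid, Classes: bad})
		}
	}
	return findings, nil
}

func main() {
	findings, err := scanUSB("/sys/bus/usb/devices")
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("ALERT %s (%s): video device also exposes %s\n", f.Device, f.VidPid, strings.Join(f.Classes, ", "))
	}
	if len(findings) == 0 {
		fmt.Println("no video devices with HID/storage/network functions found")
	}
}
```

Run it from a udev rule or a periodic job and forward the ALERT lines to the SIEM; a second useful signal is a known camera whose idVendor:idProduct or interface set changes between two scans, which is what a reflash looks like from the host side.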

Unlike traditional BadUSB attacks that require physical device replacement, this technique enables remote attackers who have gained initial system access to reflash webcam firmware and establish a persistent backdoor. 

The weaponized webcam can subsequently re-infect the host computer even after a complete system reinstallation, providing unprecedented persistence capabilities.

Mitigations

Lenovo has responded by developing an updated firmware installation tool that addresses the signature validation flaw, releasing version 4.8.0 firmware updates for both affected webcam models. 

The company assigned CVE-2025-4371 to track this vulnerability and worked with SigmaStar to implement proper security measures.

The research reveals a broader threat landscape, as numerous USB peripherals beyond webcams may contain similar Linux-based architectures vulnerable to weaponization. 

Security experts warn that any USB-attached device running Linux without firmware validation could potentially be exploited using similar attack vectors, fundamentally challenging traditional endpoint security models and necessitating enhanced hardware trust verification mechanisms.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.