{"id":24606,"date":"2025-08-27T20:00:51","date_gmt":"2025-08-27T16:00:51","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/badcam-usb-attacks-detection-hardening\/24606\/"},"modified":"2025-08-27T20:00:51","modified_gmt":"2025-08-27T16:00:51","slug":"badcam-usb-attacks-detection-hardening","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/badcam-usb-attacks-detection-hardening\/24606\/","title":{"rendered":"An APT\u2026 through your webcam"},"content":{"rendered":"

Computer webcams have long been suspected of peeping<\/a> on folks; nothing unusual about that. But now they\u2019ve found a new role in conventional cyberattacks. At the recent BlackHat conference in Las Vegas, researchers presented the BadCam<\/a> attack, which allows an attacker to reflash a webcam and execute malicious actions on the computer it\u2019s connected to. Essentially, it\u2019s a variation of the well-known BadUSB<\/a> attack; the key difference is that with BadCam attackers don\u2019t need to prepare a malicious device in advance \u2014 they can use a \u201cclean\u201d webcam already connected to the computer. Another unwelcome novelty is that the attack can be carried out completely remotely. Although the research was conducted by ethical hackers, and BadCam hasn\u2019t yet been observed in real-world attacks, it won\u2019t be difficult for criminals to figure it out and reproduce the necessary steps. That\u2019s why organizations should understand how BadCam works and implement protective measures.<\/p>\n

The return of BadUSB<\/h2>\n

It was also at BlackHat that BadUSB<\/a> was unveiled to the world \u2014 back in 2014. It works by taking a seemingly harmless device (say, a USB stick) and reprogramming its firmware. When it connects to a computer, the malicious gadget presents itself as a composite USB device with multiple components, such as a flash drive, keyboard, or network adapter. Its storage functions work normally, so the user interacts with the flash drive as usual. Meanwhile, a hidden firmware component impersonating a keyboard sends commands to the computer \u2014 for example, a key combination to launch PowerShell and enter commands to download malware from the internet, or to open a tunnel to the attackers\u2019 server. BadUSB techniques are still widely used in red team exercises \u2014 often implemented via specialized hacker multitools like Hak5 Rubber Ducky or Flipper Zero.<\/p>\n

From BadUSB to BadCam<\/h2>\n

Researchers at Eclypsium managed to replicate this firmware-rewriting trick on Lenovo 510 FHD and Lenovo Performance FHD webcams. Both use a SigmaStar SoC<\/a>, which has two interesting features. First, the webcam software is Linux-based and supports USB Gadget extensions. This Linux kernel feature allows the device to present itself as a USB peripheral such as a keyboard or network adapter. Second, the webcam\u2019s firmware update process lacks cryptographic protection \u2014 it\u2019s enough to send a couple of commands and a new memory image over the USB interface. Reflashing can be carried out by running software on the computer with standard user privileges. With this altered firmware, Lenovo webcams turn into a keyboard-camera hybrid capable of sending predefined commands to the computer.<\/p>\n

Although the researchers tested only Lenovo webcams, they note that other Linux-based USB devices may be similarly vulnerable.<\/p>\n

Cyber-risks of the BadCam attack<\/h2>\n

Potential attack vectors for BadCam against an organization include:<\/p>\n