How Hackers Exploit Linux Webcams as Attack Vectors to Inject Keystrokes and Execute Cyber Attacks
A critical vulnerability has been uncovered that turns ordinary Linux-powered webcams into weaponised BadUSB attack tools, enabling remote hackers to inject malicious keystrokes and compromise target systems without detection. The research, presented at DEF CON 2025, marks the first known case in which attackers can remotely weaponise USB devices that are already connected to computers, a significant evolution in attack methodology. Key takeaways: hackers can remotely weaponise Lenovo webcams into keystroke-injecting BadUSB tools; the attack survives system wipes by exploiting firmware validation flaws; and Lenovo has issued fixes, although other Linux USB devices remain vulnerable.
Eclypsium reports that the security flaw affects Lenovo 510 FHD and Performance FHD webcams manufactured by SigmaStar. They are built on the ARM-based SSC9351D System-on-Chip (SoC), which has a dual-core ARM Cortex-A7 CPU and embedded DDR3 memory. These devices run a complete Linux operating system, specifically “Linux (none) 4.9.84 #445 SMP PREEMPT Tue Mar 22 17:08:22 CST 2022 armv7l GNU/Linux,” making them susceptible to firmware manipulation attacks. The critical vulnerability arises from the absence of firmware signature validation during the update process, so an attacker can send specific commands over USB to compromise the camera’s 8 MB SPI flash memory. The attack sequence then uses Linux USB gadget functionality to turn the webcam into a Human Interface Device (HID) capable of injecting keystrokes and maintaining persistent access to compromised systems.
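A defender-side check for the behaviour described above, as an added example that is not from Eclypsium's research or Lenovo's fix: it compares a saved inventory of USB interface classes per port with the current one and flags a port where a video device now exposes an HID keyboard. The inventory line format, port names and vendor/product IDs are constructed for illustration; on Linux the same fields can be read from the `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol` files under `/sys/bus/usb/devices/`.

```python
# Added example (not Eclypsium's or Lenovo's code): detect a camera that
# starts presenting a keyboard. USB-IF codes: class 0x0e = Video,
# class 0x03 = HID, HID interface protocol 0x01 = keyboard.
VIDEO, HID, KEYBOARD = 0x0E, 0x03, 0x01

# Constructed inventories: "<port> <vid:pid> <class/subclass/protocol>,..."
# The line format and all IDs are invented for this example.
BASELINE = """
1-2 aaaa:0001 0e/01/00,0e/02/00
1-3 bbbb:0002 03/01/01
"""
CURRENT = """
1-2 aaaa:0001 0e/01/00,0e/02/00,03/01/01
1-3 bbbb:0002 03/01/01
1-5 cccc:0003 03/01/02
"""

def parse_inventory(text):
    """Map port -> (vid:pid, set of (class, subclass, protocol))."""
    inv = {}
    for line in text.strip().splitlines():
        port, ident, ifaces = line.split()
        inv[port] = (ident, {tuple(int(x, 16) for x in i.split("/"))
                             for i in ifaces.split(",")})
    return inv

def has_video(ifaces):
    return any(c == VIDEO for c, _, _ in ifaces)

def has_keyboard(ifaces):
    return any(c == HID and p == KEYBOARD for c, _, p in ifaces)

def find_drift(baseline, current):
    """Flag ports where a video-only device now exposes an HID keyboard.

    Keyed by port, not VID:PID, because replaced firmware controls the IDs
    the device reports.
    """
    findings = []
    for port, (ident, ifaces) in sorted(current.items()):
        if port not in baseline:
            continue
        old_ident, old_ifaces = baseline[port]
        if (has_video(old_ifaces) and not has_keyboard(old_ifaces)
                and has_keyboard(ifaces)):
            findings.append((port, old_ident, ident))
    return findings

if __name__ == "__main__":
    for f in find_drift(parse_inventory(BASELINE), parse_inventory(CURRENT)):
        print("camera port %s (%s) now presents a keyboard as %s" % f)
```

An HID interface that does not declare the keyboard boot protocol reports protocol 0, so a stricter policy flags any new HID interface on a port that previously held a camera.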