

Researchers have discovered a critical vulnerability that can weaponize ordinary Linux webcams into BadUSB (malicious USB) attack tools, allowing remote hackers to inject malicious keystrokes and infiltrate target systems undetected.
This research, presented at DEF CON 2025, is the first to confirm that attackers can remotely weaponize USB devices connected to computers, marking a significant evolution in cyber attack methods.
Part01
Weaponization Process of Linux Webcams
The Eclypsium report indicates that the vulnerability affects Lenovo 510 FHD and Performance FHD webcams that utilize the SigmaStar SSC9351D system-on-chip (SoC). This chip features a dual-core ARM Cortex-A7 CPU architecture and built-in DDR3 memory.
These devices run a complete Linux operating system (specifically, “Linux (none) 4.9.84 #445 SMP PREEMPT Tue Mar 22 17:08:22 CST 2022 armv7l GNU/Linux”), making them susceptible to firmware tampering attacks.
The root of the vulnerability lies in the lack of a signature verification mechanism during firmware updates. Attackers can exploit the USB interface to send specific commands, gaining full control over the camera’s 8MB SPI flash memory.

The attack chain involves executing a series of commands: first using sf probe 0 to probe the flash memory, then using sf erase 0x50000 0x7B0000 to erase the specified area, followed by tftp 0x21000000 lenovo_hd510_ota_v4.6.2.bin to download the malicious firmware, and finally using sf write 0x21000000 0x50000 0x7B0000 to completely overwrite the original firmware.
The attack exploits the Linux USB gadget feature—this kernel capability allows Linux-based devices to masquerade as various USB peripherals, including keyboards, mass storage devices, or network adapters. This feature can transform the webcam into a human interface device (HID) capable of injecting keystrokes, executing malicious commands, and maintaining persistent access to the infected system.
Unlike traditional BadUSB attacks that require physical device replacement, this technique enables remote attackers with initial system access to reflash the webcam firmware, establishing a persistent backdoor. Even after a complete system reinstall, the weaponized webcam can reinfect the host, providing unprecedented persistence capabilities.
Part02
Mitigation Measures
Lenovo has developed a firmware update tool to address the signature verification flaw, releasing version 4.8.0 firmware updates for the two affected webcams. The company has assigned CVE-2025-4371 to this vulnerability and is collaborating with SigmaStar to implement appropriate security measures.
Part03
Vulnerability Warning
The research reveals a broader threat landscape: in addition to webcams, other USB peripherals may also contain similarly weaponizable Linux architectures. Security experts warn that any USB-connected device running Linux and lacking firmware verification could be exploited through similar attack vectors, fundamentally challenging traditional endpoint security models and necessitating enhanced hardware trust verification mechanisms.
References:
Hackers Weaponized Linux Webcams as Attack Tools to Inject Keystrokes and Launch Attacks
https://cybersecuritynews.com/hackers-weaponized-linux-webcams/Recommended Reading
