1. Linux Cameras Weaponized as Remote BadUSB Attack Tools

A critical vulnerability has been disclosed, revealing how cameras running on ordinary Linux systems can be transformed by remote attackers into BadUSB attack tools capable of injecting malicious keystrokes, silently compromising target systems.
This research was first presented at the DEF CON 2025 conference, showcasing how attackers can remotely weaponize connected USB devices, marking a significant evolution in cyber attack methods.
1.1 Key Points
- 1. Hackers remotely turned a Lenovo camera into a BadUSB device that injects keystrokes.
- 2. The attack can bypass system reinstalls, achieving persistent control through firmware verification flaws.
- 3. Lenovo has released a fix, but other Linux USB devices remain at risk.
2. Firmware Vulnerabilities in Linux Cameras
Eclypsium reports that this vulnerability affects Lenovo 510 FHD and Performance FHD cameras produced by SigmaStar, which are based on the ARM architecture’s SSC9351D SoC, featuring a dual-core ARM Cortex-A7 CPU and embedded DDR3 memory.
These devices run a complete Linux operating system, specifically version:
<span>Linux (none) 4.9.84 #445 SMP PREEMPT Tue Mar 22 17:08:22 CST 2022 armv7l GNU/Linux</span>
This environment makes the devices susceptible to firmware tampering attacks.
3. Vulnerability Mechanism and Attack Chain
3.1 Lack of Firmware Signature Verification
The vulnerability arises from the absence of firmware signature verification during updates, allowing attackers to send specific commands via USB to gain complete control over the 8MB SPI flash memory within the camera.

3.2 Attack Steps
The attacker executes the following command chain:
- •
<span>sf probe 0</span> - •
<span>sf erase 0x50000 0x7B0000</span> - •
<span>tftp 0x21000000 lenovo_hd510_ota_v4.6.2.bin</span> - •
<span>sf write 0x21000000 0x50000 0x7B0000</span>
The above steps overwrite and refresh the camera firmware.
3.3 Exploiting Linux USB Gadget Functionality
The attack exploits the USB gadget functionality of the Linux kernel, allowing the device to masquerade as a keyboard, storage device, or network adapter.
This turns the camera into a Human Interface Device (HID), capable of injecting keystrokes, executing malicious commands, and establishing a persistent backdoor.
4. Attack Characteristics and Impact
Traditional BadUSB attacks require physical device replacement, whereas this technique allows remote attackers to leverage initial system access to rewrite camera firmware, enabling repeated infections even after system reinstalls.
This attack possesses unprecedented persistence, significantly challenging traditional endpoint security defenses.
5. Mitigation Measures and Security Recommendations
Lenovo has released a remediation tool to address the firmware signature verification flaw and has issued a firmware update to version 4.8.0. This vulnerability is assigned the identifier CVE-2025-4371, and Lenovo is collaborating with SigmaStar to enhance security measures.
Research highlights:
- • Other USB devices running Linux, besides cameras, may also be at similar risk.
- • Any Linux USB device with unverified firmware could be remotely weaponized.
- • The traditional endpoint security model faces challenges and requires strengthening hardware trust verification mechanisms.
For more technical details and to exchange insights with peers, feel free to join the Beijing Haowang – Cybersecurity Technology Exchange Group, and explore the infinite possibilities of cybersecurity technology together.
