Webcams have long been suspected of spying on their users, so that angle is nothing new. What is new is their use as a foothold for more sophisticated attacks. At the recent Black Hat conference in Las Vegas, researchers presented BadCam, an attack that reflashes a webcam's firmware so the camera can inject commands into the computer it is plugged into. It is a close relative of the well-known BadUSB technique, with one important difference: BadCam can turn an already-connected, previously "clean" webcam into a malicious device, rather than requiring a pre-infected gadget to be planted. Just as worrying, the reflashing can be done remotely, by code already running on the host, without anyone touching the camera. The research was carried out by ethical hackers and no real-world cases have been reported so far, but the technique is well within reach of criminals. Organizations should understand BadCam and take precautions accordingly.
The return of BadUSB
BadUSB first made headlines in 2014, when Karsten Nohl and Jakob Lell of SRLabs presented it at Black Hat. The attack reprograms the firmware of a seemingly harmless device, such as a USB flash drive. Once reprogrammed, the device can enumerate as several USB functions at once, for example a mass-storage device plus a keyboard or a network adapter. The storage part keeps working normally, while the hidden keyboard function types commands into the host, such as launching PowerShell to download malware or opening a tunnel to an attacker's server. BadUSB remains a staple of red team exercises, usually delivered with keystroke-injection tools such as the Hak5 Rubber Ducky or the Flipper Zero.
From BadUSB to BadCam
Eclypsium researchers showed that the same firmware-rewriting approach works against the Lenovo 510 FHD and Lenovo Performance FHD webcams. Both are built on a SigmaStar SoC with two properties that make the attack possible. First, the camera runs Linux and uses the kernel's USB gadget subsystem, which lets a device present itself as almost any USB function, including a keyboard or a network adapter, alongside its camera function. Second, the firmware update path performs no signature verification: a handful of USB commands and a new flash image are enough to replace the firmware. The researchers reported that the reflash can be driven by code running on the host with ordinary user privileges, after which the webcam is a camera-and-keyboard hybrid that types predefined commands into the computer it is connected to.
Although the tests were limited to two Lenovo models, any Linux-based USB device whose firmware can be updated over USB without authentication is potentially exposed in the same way.
Cyber-risks of the BadCam attack
Potential ways BadCam could target an organization include:
- A camera that the attacker reflashed in advance is delivered to the target
- A corporate webcam is briefly unplugged, connected to the attacker's machine for reflashing, and plugged back in
- A webcam that is already connected is reflashed by malware running on the host, with no physical access at all
Detecting the reflashing stage is hard because it need not touch the registry, the file system or the network; all it does is exchange USB traffic with the webcam. Once that stage succeeds, the malicious firmware can type keyboard commands to:
- disable security software;
- download and execute additional malware;
- launch legitimate tools for Living Off the Land (LotL) attacks;
- click through system prompts, such as privilege-elevation dialogs;
- exfiltrate data from the computer over the network.
Because the implant lives in the webcam's firmware rather than on the host, endpoint scans do not see it, and even a full operating-system reinstall leaves it in place. Host logs attribute the injected keystrokes to the logged-in user's keyboard, which makes BadCam both persistent and easy to misread as user activity. In the MITRE ATT&CK framework, BadUSB-style techniques are classified as T1200 (Hardware Additions) under the Initial Access tactic.
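One check a defender can run, which follows directly from how the attack works (a camera that also enumerates as a keyboard or network adapter) and from the detection problem described above, is to inspect what each connected USB device actually claims to be. The script below is an added example written for this article; it is not Eclypsium's tooling and not part of the original research. It parses the text of `lsusb -v` (Linux usbutils) and flags any video-class device that also exposes a HID or CDC/network interface, while treating an audio interface next to the video one as normal, since most webcams have a built-in microphone. The sample output embedded in it is constructed for the example; the vendor and product IDs and device names are placeholders, not real Lenovo identifiers.

```python
"""Flag USB devices that enumerate as a camera *and* as an input or network
device, the composite shape a BadCam-style reflash produces. Input is
`lsusb -v` text; LSUSB_SAMPLE is constructed, with placeholder IDs."""
import re
from dataclasses import dataclass, field

# USB-IF interface class codes used by this check
AUDIO, CDC_COMM, HID, CDC_DATA, VIDEO, WIRELESS = 0x01, 0x02, 0x03, 0x0A, 0x0E, 0xE0

LSUSB_SAMPLE = """\
Bus 001 Device 003: ID 1234:0001 Example Corp Clean webcam
    Interface Descriptor:
      bInterfaceClass        14 Video
      bInterfaceSubClass      1 Video Control
      bInterfaceProtocol      0
    Interface Descriptor:
      bInterfaceClass         1 Audio
      bInterfaceSubClass      1 Control Device
      bInterfaceProtocol      0
Bus 001 Device 004: ID 1234:0002 Example Corp Reflashed webcam
    Interface Descriptor:
      bInterfaceClass        14 Video
      bInterfaceSubClass      1 Video Control
      bInterfaceProtocol      0
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
    Interface Descriptor:
      bInterfaceClass         2 Communications
      bInterfaceSubClass      6 Ethernet Networking
      bInterfaceProtocol      0
"""

@dataclass
class Interface:
    cls: int = -1
    subclass: int = 0
    protocol: int = 0

@dataclass
class Device:
    bus: str
    dev: str
    vid: str
    pid: str
    name: str
    interfaces: list = field(default_factory=list)

_DEV_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")
_FIELD_RE = re.compile(r"^\s*bInterface(Class|SubClass|Protocol)\s+(\d+)")

def parse_lsusb(text):
    """Parse `lsusb -v` output into Device records with their interface list."""
    devices, cur, iface = [], None, None
    for line in text.splitlines():
        m = _DEV_RE.match(line)
        if m:                                   # start of a new device block
            cur = Device(*m.groups())
            devices.append(cur)
            iface = None
        elif cur is None:
            continue
        elif line.strip() == "Interface Descriptor:":
            iface = Interface()
            cur.interfaces.append(iface)
        elif iface is not None and (m := _FIELD_RE.match(line)):
            attr = {"Class": "cls", "SubClass": "subclass", "Protocol": "protocol"}[m.group(1)]
            setattr(iface, attr, int(m.group(2)))
    return devices

def assess(device):
    """Findings for a video-class device that also exposes HID or network
    interfaces. Audio next to video is normal (built-in mic) and not flagged."""
    if not any(i.cls == VIDEO for i in device.interfaces):
        return []                               # not a camera: out of scope
    findings = []
    for i in device.interfaces:
        if i.cls == HID:                        # boot-protocol keyboard is the classic BadUSB shape
            kind = "keyboard" if (i.subclass, i.protocol) == (1, 1) else f"HID (proto {i.protocol})"
            findings.append(f"camera also presents a {kind} interface")
        elif i.cls in (CDC_COMM, CDC_DATA, WIRELESS):
            findings.append(f"camera also presents a network/CDC interface (class 0x{i.cls:02x})")
    return findings

def scan(lsusb_text):
    """Map 'bus:dev' -> findings, listing only devices that have findings."""
    return {f"{d.bus}:{d.dev}": f for d in parse_lsusb(lsusb_text) if (f := assess(d))}

if __name__ == "__main__":
    import subprocess, sys
    text = subprocess.run(["lsusb", "-v"], capture_output=True, text=True).stdout \
        if "--live" in sys.argv else LSUSB_SAMPLE
    for key, findings in scan(text).items():
        print(key, *findings, sep="\n  ")
```

Run without arguments it checks the constructed sample and reports only device 001:004; with `--live` it reads the real `lsusb -v` output of the machine it runs on. Two caveats apply. This is a point-in-time check of what the device currently advertises: a reflashed camera can keep its keyboard or network function dormant and re-enumerate with it later, so the check belongs in a periodic inventory job rather than being run once. And a device can present a vendor-specific class (0xFF) instead of a standard HID class, which this script does not flag because that would be noisy on legitimate hardware. For enforcement rather than detection, pair it with USB device control (an allowlist tool such as usbguard on Linux, or device installation restrictions on Windows) so that a camera that suddenly sprouts a keyboard interface is blocked instead of merely reported.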