Cybersecurity researchers have discovered serious vulnerabilities in Lenovo’s 510 FHD and Performance FHD webcams. These vulnerabilities may allow attackers to repurpose the devices for BadUSB attacks. Conducted by a team from Eclypsium, the findings were presented at the DEF CON 33 security conference, revealing alarming implications for both enterprise and consumer users.
The root of the vulnerabilities lies in the fact that these webcams run a version of Linux with USB Gadget support and perform no validation of firmware updates at all. This failure lets remote adversaries take control of the camera’s software, completely subverting these webcams into powerful vectors for harmful exploits. An important shoutout to the researchers involved in this study: Paul Asadoorian, Mickey Shkatov, and Jesse Michael.
Overview of the Vulnerabilities
If these Lenovo webcams are vulnerable, they can be weaponized to perform essentially any malicious action an attacker wants. An attacker only needs to find one vulnerability to completely compromise the device and make it act like a keyboard. They can then enter powerful, dangerous commands, install back doors or keyloggers, redirect internet traffic and exfiltrate sensitive data.
“This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system,” stated the Eclypsium researchers. Beyond that, they raised an alarm about the paper’s most prominent theme — vulnerability fatigue. This is the first time we’ve seen Linux-based USB peripherals weaponized in this way.
The implications go beyond just the potential abuse of the webcams. As noted by the researchers, “An attacker who gains remote code execution on a system can reflash the firmware of an attached Linux-powered webcam, repurposing it to behave as a malicious HID or to emulate additional USB devices.” This functionality allows it to spread infections to other computers, bypassing a lot of conventional security defenses.
Implications of BadUSB Attacks
The basic idea behind BadUSB attacks is to commandeer USB devices in order to make them execute malicious tasks invisibly. Unlike traditional malware that infects a file system, BadUSB attacks work at the firmware level, which makes them especially difficult to detect: antivirus software inspects files and processes on the host, not the firmware of an attached peripheral, so it is uniquely hard to defend against them.
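Because a reflashed webcam that acts as a keyboard still has to enumerate on the USB bus, one defensive check a practitioner can run is an audit of which interface classes each attached device presents. The following script is an added example, not code from the article or from Eclypsium; it assumes the Linux sysfs layout under /sys/bus/usb/devices and flags any device that exposes both a USB Video Class interface and a HID interface.

```python
"""Flag USB devices that expose both a video-class and a HID-class interface.

A webcam reflashed to act as a keyboard still enumerates as a USB device, so a
defender can audit the interface classes each attached device presents. The
sysfs reader is Linux-specific; the classification logic is pure so it can be
exercised offline with the constructed sample below.
"""
from pathlib import Path

USB_CLASS_HID = 0x03    # bInterfaceClass for keyboards, mice, etc.
USB_CLASS_VIDEO = 0x0E  # bInterfaceClass for USB Video Class (webcams)


def suspicious_devices(devices: dict[str, list[int]]) -> list[str]:
    """Return ids of devices whose interfaces include both video and HID.

    `devices` maps a device id (e.g. sysfs name "1-3") to the list of
    bInterfaceClass values of its interfaces.
    """
    return sorted(
        dev_id
        for dev_id, classes in devices.items()
        if USB_CLASS_VIDEO in classes and USB_CLASS_HID in classes
    )


def read_sysfs_devices(root: Path = Path("/sys/bus/usb/devices")) -> dict[str, list[int]]:
    """Collect per-device interface classes from Linux sysfs (empty if absent).

    Interface entries are named like "1-3:1.0"; each holds a bInterfaceClass
    file containing the class as a two-digit hex string.
    """
    devices: dict[str, list[int]] = {}
    if not root.is_dir():
        return devices
    for iface in root.iterdir():
        class_file = iface / "bInterfaceClass"
        if ":" not in iface.name or not class_file.is_file():
            continue  # skip device-level (non-interface) entries
        dev_id = iface.name.split(":")[0]
        devices.setdefault(dev_id, []).append(int(class_file.read_text().strip(), 16))
    return devices


# Constructed sample: a plain webcam (video control + streaming interfaces),
# a keyboard, and a webcam that additionally presents a HID interface.
SAMPLE_DEVICES = {"1-1": [0x0E, 0x0E], "1-2": [0x03], "1-3": [0x0E, 0x0E, 0x03]}

if __name__ == "__main__":
    # Use live sysfs data on Linux; fall back to the constructed sample elsewhere.
    for dev_id in suspicious_devices(read_sysfs_devices() or SAMPLE_DEVICES):
        print(f"{dev_id}: presents both video and HID interfaces; inspect it")
```

A hit is an audit lead rather than proof of compromise, since some composite devices legitimately bundle a HID interface; compare the flagged device's descriptor against what the vendor documents for that model.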
Ivanti, a cybersecurity firm, explained that “once connected to a computer, a BadUSB device can: emulate a keyboard to type malicious commands, install back doors or keyloggers, redirect internet traffic, and exfiltrate sensitive data.” This kind of access is simply an unacceptable risk to the users who put their faith—often unknowingly—into the integrity of their webcams and other peripherals.
The implications are dire in light of recent real-world attacks. The infamous cybercrime group FIN7 has used BadUSB techniques to deliver malware such as DICELOADER. Cybersecurity companies—specifically Google-owned Mandiant—and the U.S. Federal Bureau of Investigation (FBI) have warned of FIN7’s methods. These warnings underscore the growing sophistication of cyber threats that can compromise privacy and security on devices we use every day.
Recommendations for Users
Given these vulnerabilities, users of Lenovo’s affected webcams should stop using their devices right away and remove them from their computers when not in use. Consider turning off automatic firmware updates until Lenovo has released patches to address those security vulnerabilities.
Eclypsium researchers assert that “this first-of-its-kind attack highlights a subtle but deeply problematic vector.” They cautioned that enterprise and consumer computers have traditionally placed full trust in their internal and external peripherals. This trust creates an attack surface that combines these devices’ functionality with the absence of secure firmware.