Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. The article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) says that we typically depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: their risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and a USB device can completely take over a PC. The firmware on many USB devices could be reprogrammed by malware on that PC, converting an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.
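A reprogrammed device controls what it declares to the host, so one host-side check is to look for devices that announce a keyboard interface alongside an unrelated function such as video or mass storage. The following is an added example, not code from the article or from the researchers it mentions; it assumes a Linux host with the standard sysfs USB tree, and the function names are hypothetical.

```python
import os
from collections import defaultdict

HID, BOOT, KEYBOARD = 0x03, 0x01, 0x01  # class / subclass / protocol from the USB HID spec
CLASS_NAMES = {0x01: "audio", 0x02: "cdc", 0x08: "mass-storage",
               0x0E: "video", 0xE0: "wireless", 0xFF: "vendor-specific"}

def read_attr(path):
    """Return a sysfs attribute as stripped text, or '' if it is absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""

def read_hex(path):
    """Parse a two-digit hex descriptor field; None if missing or malformed."""
    try:
        return int(read_attr(path), 16)
    except ValueError:
        return None

def find_keyboard_composites(root="/sys/bus/usb/devices"):
    """List devices that declare a boot keyboard next to a non-HID function."""
    if not os.path.isdir(root):
        return []
    interfaces = defaultdict(list)
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:          # interface dirs are named <device>:<config>.<n>
            continue
        base = os.path.join(root, entry)
        interfaces[entry.split(":", 1)[0]].append(tuple(
            read_hex(os.path.join(base, attr)) for attr in
            ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")))
    findings = []
    for dev, ifaces in interfaces.items():
        keyboard = (HID, BOOT, KEYBOARD) in ifaces
        others = sorted({c for c, _, _ in ifaces if c not in (HID, None)})
        if keyboard and others:       # keyboard plus something that is not HID
            dev_dir = os.path.join(root, dev)
            findings.append({
                "device": dev,
                "id": f"{read_attr(os.path.join(dev_dir, 'idVendor'))}:"
                      f"{read_attr(os.path.join(dev_dir, 'idProduct'))}",
                "product": read_attr(os.path.join(dev_dir, "product")),
                "other_functions": [CLASS_NAMES.get(c, f"0x{c:02x}") for c in others],
            })
    return findings

if __name__ == "__main__":
    for hit in find_keyboard_composites():
        print(hit)
```

The check only sees what a device declares at enumeration: keyboards that do not declare the HID boot protocol are not matched, and some legitimate composite devices will be listed.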

 

203 Comments

  1. Tomi Engdahl says:

    Hidden HID v2 Puts a “Rubber Ducky” Keystroke Injector Inside Any USB Type-A Port
    Second-generation revision is harder to spot and easier to trigger, thanks to a light-based arm/disarm system.
    https://www.hackster.io/news/hidden-hid-v2-puts-a-rubber-ducky-keystroke-injector-inside-any-usb-type-a-port-9257c6458176

  2. Tomi Engdahl says:

    BadCam: New BadUSB Attack Turns Linux Webcams Into Persistent Threats
    https://www.securityweek.com/badcam-new-badusb-attack-turns-linux-webcams-into-persistent-threats/

    Eclypsium researchers have demonstrated a BadCam attack against Lenovo cameras, but others may be impacted as well.

    Researchers at supply chain risk management firm Eclypsium have shown how Linux-based webcams can be weaponized and turned into persistent threats.

    The attack method was demonstrated by Eclypsium researchers against two Lenovo-branded webcams — Lenovo 510 FHD and Lenovo Performance FHD Web — that are powered by a System on Chip (SoC) and firmware made by Chinese company SigmaStar.

    The researchers showed how these types of cameras can be leveraged for BadUSB attacks, a type of attack that has been known for more than a decade. In a BadUSB attack, the attacker modifies the firmware of a harmless-looking USB device such as a flash drive or keyboard to execute malicious commands when connected to a computer.

    A BadUSB device can be used to launch malware, escalate privileges, inject keystrokes, and steal valuable data from the targeted computer.

    Eclypsium researchers have identified a variant of the attack that targets Linux-based webcams. The method, dubbed BadCam, does not necessarily require physical access to the USB device that is about to be weaponized, as is the case with typical BadUSB attacks.

    Instead, an attacker who can achieve remote code execution on a computer can reflash the firmware of the attached webcam and turn it into a BadUSB device.

    “Attackers can achieve a level of persistence far greater than other techniques,” Eclypsium explained. “Once the attacker has modified the firmware, the webcam can be used to re-infect the host computer. Even if the host computer is completely wiped and the operating system is reinstalled, the attacker can consistently re-infect the host computer.”

    The attack is possible in the case of the Lenovo webcams due to a missing firmware signature validation vulnerability. An attacker can use two commands present in the firmware update software to easily deploy malicious firmware from the compromised computer.

    The security firm pointed out that a Linux kernel vulnerability tracked as CVE-2024-53104, which is known to have been exploited in the wild, can be leveraged to take control of the host in order to deploy malicious firmware on the connected USB camera.

    Lenovo has been notified and it has assigned CVE-2025-4371 to the vulnerability.
