Computer webcams have long been suspected of peeping on folks; nothing unusual about that. But now they have found a new role in conventional cyberattacks. At the recent Black Hat USA conference in Las Vegas, researchers presented the BadCam attack, which lets an attacker reflash a webcam's firmware so that the camera itself executes malicious actions on the computer it's connected to. Essentially, it's a variation of the well-known BadUSB attack; the key difference is that with BadCam the attacker doesn't need to prepare a malicious device in advance: a "clean" webcam that is already connected to the computer can be turned into one. Another unwelcome novelty is that the attack can be carried out entirely remotely. Although the research was conducted by ethical hackers and BadCam hasn't yet been observed in real-world attacks, it won't be difficult for criminals to reproduce the necessary steps. That's why organizations should understand how BadCam works and put protective measures in place.
The return of BadUSB
It was also at Black Hat, back in 2014, that BadUSB was unveiled to the world. It works by taking a seemingly harmless device (say, a USB stick) and reprogramming the firmware of its USB controller. When it connects to a computer, the malicious gadget presents itself as a composite USB device with several functions, such as a flash drive, a keyboard, or a network adapter. Its storage function works normally, so the user interacts with the flash drive as usual. Meanwhile, a hidden firmware component impersonating a keyboard sends keystrokes to the computer: for example, a key combination to launch PowerShell followed by commands that download malware from the internet or open a tunnel to the attackers' server. Because the host trusts anything that enumerates as a keyboard, those keystrokes run with the rights of the logged-in user. BadUSB techniques are still widely used in red team exercises, often implemented with specialized hacker multitools such as the Hak5 Rubber Ducky or Flipper Zero.
From BadUSB to BadCam
Researchers at Eclypsium managed to replicate this firmware-rewriting trick on the Lenovo 510 FHD and Lenovo Performance FHD webcams. Both use a SigmaStar SoC, which has two interesting features. First, the webcam's software is Linux-based and includes the Linux USB Gadget subsystem. This kernel feature lets the device present itself to the host as any USB peripheral, including a keyboard or a network adapter, in addition to (or instead of) a camera. Second, the firmware update process has no cryptographic protection: no signature is checked, so it's enough to send a couple of commands and a new flash image over the USB interface. The reflashing can be done by software running on the connected computer with standard user privileges; no administrator rights or physical access are needed. With the altered firmware, the Lenovo webcams turn into keyboard-camera hybrids capable of sending predefined keystrokes to the computer.
Although the researchers tested only Lenovo webcams, they note that other Linux-based USB devices may be similarly vulnerable.
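To make the USB Gadget point concrete, here is an added lab illustration of how a Linux device composes a "camera-plus-keyboard" style composite device through the kernel's configfs interface (Documentation/usb/gadget_configfs.rst). It is not Eclypsium's tooling and not the SigmaStar firmware; it assumes the standard configfs layout, uses the placeholder IDs 0x1d6b:0x0104 rather than any real webcam's, and by default writes the tree into a scratch directory so the layout can be inspected on any machine. The point it demonstrates is that turning a Linux-based peripheral into a keyboard is a few filesystem writes, not a driver-development project.

```python
import tempfile
from pathlib import Path

# 63-byte boot-protocol keyboard report descriptor (USB HID 1.11, Appendix E.6),
# the same shape the kernel's gadget_hid documentation uses.
BOOT_KEYBOARD_REPORT_DESC = bytes([
    0x05, 0x01, 0x09, 0x06, 0xA1, 0x01,              # Keyboard application collection
    0x05, 0x07, 0x19, 0xE0, 0x29, 0xE7,              # Modifier keys LeftCtrl..RightGUI
    0x15, 0x00, 0x25, 0x01, 0x75, 0x01, 0x95, 0x08, 0x81, 0x02,
    0x95, 0x01, 0x75, 0x08, 0x81, 0x03,              # Reserved byte
    0x95, 0x05, 0x75, 0x01, 0x05, 0x08, 0x19, 0x01, 0x29, 0x05, 0x91, 0x02,  # LED output bits
    0x95, 0x01, 0x75, 0x03, 0x91, 0x03,              # LED padding
    0x95, 0x06, 0x75, 0x08, 0x15, 0x00, 0x25, 0x65,  # Six key-code slots
    0x05, 0x07, 0x19, 0x00, 0x29, 0x65, 0x81, 0x00,
    0xC0,                                            # End collection
])


def build_gadget_tree(root=None, name="g1", vid=0x1d6b, pid=0x0104,
                      backing_file="/tmp/storage.img", udc=None):
    """Lay out a configfs composite gadget: mass storage plus a HID keyboard.

    root is the configfs gadget directory, normally /sys/kernel/config/usb_gadget
    (root only, on a kernel built with libcomposite). With root=None a scratch
    directory is used so the resulting layout can be inspected anywhere.
    vid/pid 0x1d6b:0x0104 are placeholder IDs, not those of any real webcam.
    """
    if root is None:
        root = tempfile.mkdtemp(prefix="gadget-")
    g = Path(root) / name
    g.mkdir(parents=True, exist_ok=True)
    (g / "idVendor").write_text(f"0x{vid:04x}\n")
    (g / "idProduct").write_text(f"0x{pid:04x}\n")
    (g / "bcdUSB").write_text("0x0200\n")
    (g / "bcdDevice").write_text("0x0100\n")

    strings = g / "strings" / "0x409"
    strings.mkdir(parents=True, exist_ok=True)
    (strings / "serialnumber").write_text("0000000001\n")
    (strings / "manufacturer").write_text("Example Corp\n")
    (strings / "product").write_text("Example Composite Device\n")

    cfg = g / "configs" / "c.1"
    (cfg / "strings" / "0x409").mkdir(parents=True, exist_ok=True)
    (cfg / "strings" / "0x409" / "configuration").write_text("Config 1\n")
    (cfg / "MaxPower").write_text("250\n")

    # Function 1: the mass-storage LUN the user sees and expects.
    ms = g / "functions" / "mass_storage.usb0"
    (ms / "lun.0").mkdir(parents=True, exist_ok=True)
    (ms / "lun.0" / "file").write_text(backing_file + "\n")

    # Function 2: a boot-protocol keyboard on the same USB plug.
    hid = g / "functions" / "hid.usb0"
    hid.mkdir(parents=True, exist_ok=True)
    (hid / "protocol").write_text("1\n")        # 1 = keyboard
    (hid / "subclass").write_text("1\n")        # 1 = boot interface subclass
    (hid / "report_length").write_text("8\n")   # 8-byte input report
    (hid / "report_desc").write_bytes(BOOT_KEYBOARD_REPORT_DESC)

    # Symlinking a function into a configuration is what makes it part of the
    # composite device; the host sees every linked function on one plug.
    for fn in (ms, hid):
        link = cfg / fn.name
        if not link.is_symlink():
            link.symlink_to(fn)

    # Writing a controller name to UDC is what actually enumerates the gadget
    # on the bus; left unset here so the scratch layout stays inert.
    if udc is not None:
        (g / "UDC").write_text(udc + "\n")
    return g


def bound_functions(gadget_dir, config="c.1"):
    """Return the function names linked into a configuration (what the host will see)."""
    cfg = Path(gadget_dir) / "configs" / config
    return sorted(p.name for p in cfg.iterdir() if p.is_symlink())


if __name__ == "__main__":
    g = build_gadget_tree()
    print(g, bound_functions(g))
```

On a real device the same calls against /sys/kernel/config/usb_gadget, followed by a write of the controller name to UDC, are all that stands between "camera" and "camera that types". That is why the security boundary has to be the firmware update path (signed images) and the host's treatment of newly enumerated keyboards, not the device's declared class.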
Cyber-risks of the BadCam attack
Potential attack vectors for BadCam against an organization include:
- A new camera sent by the attacker
- A camera temporarily disconnected from a corporate computer and connected to the attacker’s laptop for reflashing
- A camera that was never disconnected from the organization’s computer, and compromised remotely via malware
Detecting the malware that performs the reflashing through behavior analysis can be tricky, since it doesn't need to make suspicious changes to the registry, files, or network; it only has to exchange a few USB commands with the webcam. If this first phase succeeds, the malicious firmware can then send keystrokes to:
- disable security tools;
- download and execute additional malware;
- launch legitimate tools for a Living Off the Land (LotL) attack;
- respond to system prompts, for example for elevating privileges;
- exfiltrate data from the computer over the network.
At the same time, standard antivirus scans look at the host's disks and memory, not the webcam's flash, so they won't find the implant, and even a full system reinstall won't remove it. System logs will show that the malicious actions were typed on the logged-in user's keyboard. For this reason, such attacks will most likely be used for persistence in an already compromised system, even though in the MITRE ATT&CK matrix BadUSB techniques are listed under T1200 (Hardware Additions) in the Initial Access tactic.
How to defend against BadCam attacks
The attack can be stopped at several stages using standard security tools that block trojanized peripherals and make LotL attacks more difficult. We recommend that you:
- Configure your EDR/EPP solution to monitor connected HID devices. In Kaspersky Next, this feature is called BadUSB Attack Prevention. When a device with keyboard functionality is connected, the user must enter a numeric code displayed on the screen, without which the new keyboard can't control the system.
- Configure your SIEM and XDR solutions to collect and analyze detailed telemetry for HID device connections and disconnections.
- Set up USB port control in your MDM/EMM solution. Depending on its capabilities, you can disable USB ports altogether or create an allowlist of devices (by VID/PID identifiers) permitted to connect to the computer. Keep in mind that VID and PID are reported by the device's own firmware, so a reflashed camera keeps (or can forge) an allowlisted identity; where the tool supports it, also restrict by interface class so that a device allowlisted as a camera cannot enumerate as a keyboard.
- Where possible, enforce an application allowlist on employee computers so that only approved software can run and all other applications are blocked.
- Regularly update not only the software but also the firmware of standard equipment. For example, Lenovo has released patches for the two camera models used in the research, making malicious firmware updates more difficult.
- Apply the Principle of Least Privilege, ensuring each employee has only the access rights strictly necessary for their role.
- Include BadUSB and BadCam in employee security-awareness training, with simple guidance on what to do if a USB device behaves unexpectedly — for example, if it starts typing commands on its own.
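The HID-monitoring, telemetry and allowlist points above reduce to one correlation a SIEM rule can express: a device that enumerates a video-class interface must never also enumerate a keyboard, and any keyboard outside the approved set deserves a look. The following added example (not from the original page and not part of any vendor product) runs that logic over a handful of constructed Linux kernel log lines. The vendor/product IDs, port numbers and product strings are placeholders rather than the identifiers of the Lenovo cameras, and the allowlist is an assumption; a production deployment would feed the same rules from udev events or Windows Kernel-PnP logs instead of dmesg text.

```python
import re
from collections import defaultdict

# Constructed sample of Linux kernel (dmesg) lines: a webcam that has started
# enumerating a keyboard, a legitimate keyboard, and a headset with a plain
# HID control interface. IDs and product strings are placeholders.
SAMPLE_DMESG = """\
usb 1-3: new high-speed USB device number 5 using xhci_hcd
usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-3: Product: ACME Webcam
usb 1-3: Found UVC 1.00 device ACME Webcam (1234:abcd)
hid-generic 0003:1234:ABCD.0005: input,hidraw2: USB HID v1.11 Keyboard [ACME Webcam] on usb-0000:00:14.0-3/input3
usb 1-4: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 2.00
usb 1-4: Product: ACME Keyboard
hid-generic 0003:1234:0001.0006: input,hidraw3: USB HID v1.11 Keyboard [ACME Keyboard] on usb-0000:00:14.0-4/input0
usb 1-5: New USB device found, idVendor=1234, idProduct=abce, bcdDevice= 1.00
usb 1-5: Product: ACME Headset
hid-generic 0003:1234:ABCE.0007: hiddev0,hidraw4: USB HID v1.11 Device [ACME Headset] on usb-0000:00:14.0-5/input3
"""

RE_NEW = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_PRODUCT = re.compile(r"usb (\S+): Product: (.+)")
RE_UVC = re.compile(r"Found UVC [\d.]+ device .* \(([0-9a-f]{4}):([0-9a-f]{4})\)")
# hid-generic prints "USB HID vX.YY Keyboard|Mouse|Device [name]"; the word after
# the version is the key signal, since a camera's snapshot button shows as Device.
RE_HID = re.compile(r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: [^:]+: USB HID v[\d.]+ (\w+) \[")


def parse_dmesg(text):
    """Group kernel log lines into one record per vid:pid with the interface kinds seen."""
    devices = defaultdict(lambda: {"port": None, "product": None, "caps": set()})
    port_to_id = {}
    for line in text.splitlines():
        if m := RE_NEW.search(line):
            port, vid, pid = m.groups()
            port_to_id[port] = f"{vid}:{pid}"
            devices[port_to_id[port]]["port"] = port
        elif (m := RE_PRODUCT.search(line)) and m.group(1) in port_to_id:
            devices[port_to_id[m.group(1)]]["product"] = m.group(2).strip()
        elif m := RE_UVC.search(line):
            devices[f"{m.group(1)}:{m.group(2)}"]["caps"].add("video")
        elif m := RE_HID.search(line):
            dev_id = f"{m.group(1)}:{m.group(2)}".lower()
            devices[dev_id]["caps"].add("hid:" + m.group(3).lower())
    return dict(devices)


def find_anomalies(text, keyboard_allowlist=frozenset()):
    """Rule 1: video and keyboard on one device. Rule 2: keyboard outside the allowlist."""
    findings = {}
    for dev_id, dev in parse_dmesg(text).items():
        reasons = []
        if {"video", "hid:keyboard"} <= dev["caps"]:
            reasons.append("exposes both video and keyboard interfaces")
        if "hid:keyboard" in dev["caps"] and dev_id not in keyboard_allowlist:
            reasons.append("keyboard not in allowlist")
        if reasons:
            findings[dev_id] = {"port": dev["port"], "product": dev["product"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    # Assumed allowlist: only the corporate-issued keyboard model is approved.
    for dev_id, hit in find_anomalies(SAMPLE_DMESG, {"1234:0001"}).items():
        print(dev_id, hit["port"], hit["product"], "->", "; ".join(hit["reasons"]))
```

Rule 1 is the BadCam-specific signal and survives a spoofed VID/PID, because it keys on what the device does on the bus rather than on what it claims to be. Rule 2 is the generic BadUSB control and catches a reflashed camera only when its keyboard identity is not already on the list, which is the gap the MDM allowlist alone leaves open. Both rules fire on enumeration, before the first injected keystroke, so they pair well with an EDR that quarantines new keyboards until a user confirms them.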