Ask HN: Security of Hardware Nano KVM

2•WorldDev•3mo ago

Hi all, I am looking at this product: [Sipeed NanoKVM-USB](https://wiki.sipeed.com/hardware/en/kvm/NanoKVM_USB/development.html).

It would work very well for my need, but the company has a [terrible track-record for security](https://www.youtube.com/watch?v=plJGZQ35Q6I).

So I am trying to approach it from a fully paranoid perspective. Can I use this device and protect myself fully from it?

They provide the source code for the client side. SO that's fine, I can read that code, recompile it, and convince myself it is fully safe (I am only human, but let's assume it's good enough).

I have strong doubts about the firmware side though. I am not familiar with the hardware side, but could there be any security issue there?

The guys making the device are claiming ["there is no firmware code"](https://github.com/sipeed/NanoKVM-USB/issues/5#issuecomment-2785035753). I do not understand that statement. Can anyone more knowledgeable shed some light as to what that means, and how I could verify it?

They point to a link to corroborate that claim, but the link is broken.

Thanks in advance for any insights!

Comments

galaxy_gas•3mo ago

https://www.wch-ic.com/downloads/CH9329DS1_PDF.html

They dont have the. The chip convert the ecltrical signal into keypress

The ch9329 they link is the chip they use. It is certainliy off the shelf and purchased from another, that does not provide much more information to them past implementation

The firm: Check the https://github.com/sipeed/NanoKVM/tree/main/server there is quite a bit of .so committed to the repo sadly. The NanoKVM in NanoKVM USB use CH9329.

WorldDev•3mo ago

That makes sense, thanks!

mcsniff•3mo ago

Just isolate it on the network so it doesn't have outside internet access.

There are also similar alternative devices like JetKVM, TinyPilot, etc.

Seedance 2.0 Is Coming

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

Dexterous robotic hands: 2009 – 2014 – 2025

Interop 2025: A Year of Convergence

JobArena – Human Intuition vs. Artificial Intelligence

Concept Artists Say Generative AI References Only Make Their Jobs Harder

Show HN: PaySentry – Open-source control plane for AI agent payments

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

The Crumbling Workflow Moat: Aggregation Theory's Final Chapter

Pax Historia – User and AI powered gaming platform

Show HN: I built a RAG engine to search Singaporean laws

Scams, Fraud, and Fake Apps: How to Protect Your Money in a Mobile-First Economy

Porting Doom to My WebAssembly VM

Cognitive Style and Visual Attention in Multimodal Museum Exhibitions

Full-Blown Cross-Assembler in a Bash Script

Logic Puzzles: Why the Liar Is the Helpful One

Optical Combs Help Radio Telescopes Work Together

Show HN: Myanon – fast, deterministic MySQL dump anonymizer

The Tao of Programming

Forcing Rust: How Big Tech Lobbied the Government into a Language Mandate

PanelBench: We evaluated Cursor's Visual Editor on 89 test cases. 43 fail

Can You Draw Every Flag in PowerPoint? (Part 2) [video]

Show HN: MCP-baepsae – MCP server for iOS Simulator automation

Make Trust Irrelevant: A Gamer's Take on Agentic AI Safety

Show HN: Sem – Semantic diffs and patches for Git

Hello world does not compile

Show HN: ZigZag – A Bubble Tea-Inspired TUI Framework for Zig

Metaphor+Metonymy: "To love that well which thou must leave ere long"(Sonnet73)

Show HN: Django N+1 Queries Checker

Emacs-tramp-RPC: High-performance TRAMP back end using JSON-RPC instead of shell