https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.h...
I assume they didn't intend to put a mic on the KVM product, but they wanted to make a KVM product, already had this SBC product, which reusing their existing stock of helped keep cost low.
Should they have been more up front about it it? Sure, and it's not great that they had a bunch of security issues in the FW anyway, so not exactly great, but "hidden microphone in a Chinese KVM" lets the mind wander
Far more of an issue would be any kind of keylogger built into the software, which is why it's best to go for devices that support open source software.
Apparently in the 50s when he did his National Service he'd been in the Signals but "not in the regiment that's on his papers", make of that what you will.
I have noticed that with PSK modes and particularly PSK31 you can hear "CQ CQ CQ" as a distinctive pattern much in the same way as it is with CW.
IBM spent a fortune developing ATM keypads that - when correctly mounted - had keys that made the exact same noise no matter how you pressed them or how worn they were.
So I don't doubt that someone suitably clever could extract audio from a room and work out what was being typed.
Dell had those on every lab door in the building back in the early 90s. You felt like 007 every time you punched in your access code. I've never seen them anywhere since.
https://arxiv.org/abs/1606.05915
Any signal that you can modulate can be an exfiltration channel, and fan noise is no different.
This KVM has HDMI input and can directly emulate USB mass storage; fan-modulation is the lowest-bandwidth (side-)channel available to the attackers.
If the microphone was used for exfiltrating data, it would work against random targets that happened to let the KVM connect to the internet, and who have a nearby machine infected with some malware. That kind of non-targeted attack can be damaging but is semi-useless to the attacker.
Also I wouldn't really consider it "server room" product. Pretty much any new server has KVM, this is more "a hobbyist needing KVM for their home server"
(However, IMPI is a security nightmare with backdoors, default passwords and weak encryption)
But that doesn’t mean you can’t make it function in a loud server room. The whole point of it is working in and around noise.
Nevermind that, if they could access the device, they'd also be able to read your kvm i/o.
That said, the microphone is so weirdly positioned that it gets suspicious indeed.
Why can't it be both?
How is it weirdly positioned? To me it seems there is rather few options for such small board.
If you are too lazy to go back and check if you left the gas on, you bear responsibility if the place explodes.
At the very least, it's negligent to leave something like that in and not be very upfront about it.
"Reusing existing stock" is not a valid excuse. They are currently selling this device without advertising that it contains a working microphone.
I used one that included everything in C:\Users\<actual dev's name>\Desktop in it.
Not that it's not a good thing to be aware of, but do you have any sort of source for what kinds of devices can have their speakers turned into microphones? Then I'll believe you about the government part
I think most speakers would have that today, most modern speakers. Plain speakers that just take a voltage signal though, probably not. Though how many people use those kinds of speakers today I wonder.
Audio input and output are not reversible.
You moved your device to the purposely built input stage.
Not an expert, but your remark doesn’t compute with the parent comment
It's not a mic slot, it's a general analog I/O port with a 3.5mm form factor.
Physically unplugging and moving a speaker to a mic input works, sure, but very few devices can do this switching electronically.
?!
Must be another AI slop article. Stop feeding your writings into GPT & co to turn into extra long nonsense.
1. It lacks systemd and apt.
systemd is so resource hungry that i'm sure they removed it to reduce the RAM bill. Apt... why install apt if the distro has a different means of updating?
2. While these are useful for debugging and development, they are also hacking tools that can be dangerously exploited.
This is purely fear mongering. Even the shell could be a "hacking tool that can be dangerously exploited". Let's remove the shell too.
There are some legitimate complaints in the article, like the use of the same key on all installs. The rest looks more like fear mongering and security theater.
Including the microphone. What were they supposed to do, desolder it manually and add $10 to the price of each device?
I don't see the article complaining that a PiKVM has so many unused peripherals when used as a KVM. To go in the spirit of item #2, the usb ports could be used as "dangerous hacking tools" so you should desolder your usb ports from a Pi used as a KVM, right?
Cp is a hacktool cause bad files can be copied?
Grep is a hacktool cause only monster hackers use regex?
(This is obvious sarcasm)
Absolutely with systemd and apt. Like apt couldn't be used to install "hacking tools".
Edit: Some brands of Network-KVM use this, so that you can control the target device from another device, like e.g. an App on a tablet. That way you don't have to stand next to the target device in the noisy and cold machine room
My research disagrees. See [0]
It sounds like a potential risk is to the public.
I did post a review there citing my security concerns.
Honestly I didn't go further with the investigation because if someone really has all my data, I'm worried about retribution.
Page four of TFM [1] supports this theory.
Also, this functionality is called out in the product listing and in the manual. I'm over here laughing my ass off because OP got so frightened by this clearly-documented feature that they immediately threw the thing in the trash, rather than first investigating to see if the source of the network traffic was the machines plugged into the device.
[0] <https://m.media-amazon.com/images/I/71GglDmzCYL._SL1500_.jpg> (If this direct link fails, it's the image that has the header "A Stable Gigabit Ethernet Port".
[1] <https://avaccess.com/wp-content/uploads/2024/01/UM-_-iDock-C...> (This is the "DOWNLOAD USER MANUAL" link in the Downloads subsection of the More Information section of [2])
[2] <https://www.avaccess.com/products/idock-c20-kvm-switch-docki...>
Maybe the device has a bigger "cousin" device, that includes "control via APP", and this feature was not properly/fully disabled on this one.
> the thing acts as an Ethernet bridge
A USB-C NIC has its own MAC and would thus get its own IP.
I dont really like nanokvm for being slow with updates and not patching stuff fast enough.
the clickbait title makes sense after reading this paragraph
Goes along with 'the S in IOT stands for security'.
However, "Chinese product uses Chinese DNS servers and it's hard to change them" or "no systemd nor apt installed" are totally expected and hardly make it "riddled with security flaws". Same with tcpdump and aircrack being installed - these hardly compromise the security more than having everything run as root.
I would expect most users of this device will not be exposing the web interface externally, and the fact that they ship with Tailscale installed is actually impressive. I can't imagine the lack of CSRF protection will be a vulnerability for 99% of users.
I am curious what the "weird" version of wireguard the author refers to but based on their apparent lack of knowledge on embedded systems in general I would not be shocked to find that it's totally innocuous.
Though I find it strange though, because I would call this the shortcomings of a crowdfunded project, but the author took it as a malicious and planned act to take over target computers and networks.
As far as I remember, some of the botnets are formed by routers that vendors refused to patch, because they're no longer being sold and not profitable to do so.
1) It's from a company known for dev boards and SoCs- not consumer products.
2) The code is available on GitHub (nice!)
3) SiSpeed actively contributes to the mainline linux kernel for RISC-V in general as well as their SoCs.
4) Security in Embedded Applications is just... Bad. Amercian, Chinese, European, Russian, Indian- it doesn't matter.
So like pretty much any BMC out there, just with the benefit that an attacker taking over that thing doesn't have direct access to reflash your bios with a backdoored version?
Any halfway sane person deployed any kind of BMC or networked KVM to a access restricted management VLAN for at least a decade now because all of those things are a big mess, and the impact of them getting owned typically is pretty severe.
Is it possible to buy something like this which is intended to be user installable for Linux that I could test/mess around with?
You mean it's not Debian-based? How is this an issue?
That alone ends my trust in the brand.
You could say "but they could make random one that is displayed on display!", but they also sell headless version with no display at all so that's not an option
BUT BE WARNED: it runs a web-server by default with no password set from the factory, you have to configure it first run to secure it....
yeah, this article is mostly a no banger, they made some dumb oversights/mistakes with the firmware but fixed them quickly and even documented the issues and concerns. The firmware if open source after all.
But I never trusted them in the first place so they don't have internet access anyway. They're on a separate subnet. It'll be fine.
Also where my servers are there's nothing interesting to hear except more servers and 3D printers.
Just because you might claim it's not malicious, doesn't make it not negligence.
Mind you, I’m not saying a mic in a KVM isn’t sus, just that it’s a little obvious, and certainly not stuxnet level espionage.
I like Matej's work, especially his GSM stuff, but this article is so overblown. A third are known issues and another third are non-issues. The last third was good security work and I genuinely appreciate he did it. Beat me to it by a feew weeks, since my order was stuck in customs while I tried to explain to them what a KVM was...
* Includes a microphone? Look at the datasheet of the devboard they used, dummy.
* Running everything as root? Valid point. That's a inexcusable mistake and has been for ever a sign of laziness and ignorance.
* Not including systemd? Yes please.
* Not including a package manager the author nows? Shows the authors ignorance to assume apt would be found on a small embedded system.How can the article not include this picture or at least link to it. Internet, today you have disappointed me.
Most of the claims in the article are not real vulnerabilities. Some harmless behaviors were indeed easy to misinterpret if viewed with bias, but we actually changed those behaviors and implementations over 10 months ago. It is surprising to see this article coming out today instead of last year.
As for the onboard mic, it is not 'hidden.' It is a component that has been clearly documented and explained in our Wiki: https://wiki.sipeed.com/hardware/en/kvm/NanoKVM/introduction... We believe open source lets the facts speak for themselves. Thanks to the NanoKVM community for using your technical common sense to help clear this up!
kotaKat•2mo ago
Probably an older NanoKVM.
"NanoKVM-Cube hardware is built on the LicheeRV Nano platform. To coordinate production and maintain consistency with the LicheeRV Nano for the SMT project, the hardware retains the display, touch, MIC, and amplifier circuits. To address potential privacy concerns, versions 2.2.6 of the application and 1.4.1 of the firmware and above will remove the relevant drivers. We will also eliminate these components in future productions."