I assume they didn't intend to put a mic on the KVM product, but they wanted to make a KVM product and already had this SBC product, and reusing their existing stock of it helped keep cost low.
Should they have been more up front about it? Sure, and it's not great that they had a bunch of security issues in the FW anyway, so not exactly great, but "hidden microphone in a Chinese KVM" lets the mind wander.
Given its history I suspect there is nothing malicious going on here, just a Chinesium approach to building something. Security isn't documented so it's made of tissue paper.
It doesn't strike me as that useful to have a hidden microphone in a KVM product as most of the time, they're going to be stuck in server rooms with just lots of fan noise to record.
Far more of an issue would be any kind of keylogger built into the software, which is why it's best to go for devices that support open source software.
I'm completely fine with there being a microphone in the thing. It's literally a remote eyes/hands interface, so it being an eyes/ears/hands interface is perfectly acceptable.
A lot of the complaints here don't make a lot of sense and read like the author has never used an embedded linux device. The previously reported bugs are more substantial - hardcoded secrets for JWT access and firmware encryption, everything running as root, etc.
However, "Chinese product uses Chinese DNS servers and it's hard to change them" or "no systemd nor apt installed" are totally expected and hardly make it "riddled with security flaws". Same with tcpdump and aircrack being installed - these hardly compromise the security more than having everything run as root.
I would expect most users of this device will not be exposing the web interface externally, and the fact that they ship with Tailscale installed is actually impressive. I can't imagine the lack of CSRF protection will be a vulnerability for 99% of users.
I am curious what the "weird" version of WireGuard the author refers to is, but based on their apparent lack of knowledge on embedded systems in general I would not be shocked to find that it's totally innocuous.
Hanlon's Razor at work; most of the shortfalls described in the article point to incompetence more than malice.
I find it strange though, because I would call this the shortcomings of a crowdfunded project, but the author took it as a malicious and planned act to take over target computers and networks.
As far as I remember, some of the botnets are formed by routers that vendors refused to patch, because they're no longer being sold and not profitable to do so.
yeah.. their list of issues speaks more to their lack of experience and understanding of linux and embedded linux devices wrapped in xenophobic nonsense...
> You can start with your iPhone - last year Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri recorded private conversations. They shared the data with third parties and used them for targeted ads. “Unintentionally”, of course! Yes, that Apple, that cares about your privacy so much
the clickbait title makes sense after reading this paragraph
Not really, because the paragraph you quoted was highly misleading. Even the plaintiffs admit that the recordings were caused by accidental activation, not some sort of nefarious conspiracy by Apple. Moreover there's no evidence that Apple "used them for targeted ads", only that they handed them over to third-party contractors for improving Siri.
"NanoKVM-Cube hardware is built on the LicheeRV Nano platform. To coordinate production and maintain consistency with the LicheeRV Nano for the SMT project, the hardware retains the display, touch, MIC, and amplifier circuits. To address potential privacy concerns, versions 2.2.6 of the application and 1.4.1 of the firmware and above will remove the relevant drivers. We will also eliminate these components in future productions."
> But what additionally raised red flags was the presence of tcpdump and aircrack - tools commonly used for network packet analysis and wireless security testing. While these are useful for debugging and development, they are also hacking tools that can be dangerously exploited.
Must be another AI slop article. Stop feeding your writings into GPT & co to turn into extra long nonsense.
Thanks to everyone for following the discussion on NanoKVM security. I think most of you will know exactly what to make of this article the moment you read the complaint that it 'runs a heavily stripped-down version of Linux that lacks systemd and apt.'
Most of the claims in the article are not real vulnerabilities. Some harmless behaviors were indeed easy to misinterpret if viewed with bias, but we actually changed those behaviors and implementations over 10 months ago. It is surprising to see this article coming out today instead of last year.
As for the onboard mic, it is not 'hidden.' It is a component that has been clearly documented and explained in our Wiki: https://wiki.sipeed.com/hardware/en/kvm/NanoKVM/introduction...
We believe open source lets the facts speak for themselves. Thanks to the NanoKVM community for using your technical common sense to help clear this up!
Mics have a pretty standard look, and are hard to miss on the board. It would be more insidious if there were cheap film caps leading into a very expensive ADC. I work with analogue audio, and it’s very important to design around the noise of cheap caps. They are for all intents and purposes microphones and if you were clever about different caps for different frequencies and good digital processing I have no doubt you could build something with comparable fidelity to some of the cheaper mics in the vocal range.
Why is there a component on the board that isn't used in the product for any official purpose then? Even if you believe it was an accident and an oversight (which it could have been), you should be upset because it's something that could be pretty serious if you used it in your home.
Just because you might claim it's not malicious, doesn't make it not negligence.
I recently discovered a similar concerning security issue with my KVM. In my case it was a pretty standard KVM for multiple machines to share a keyboard, mouse, and screen but also Ethernet. One day while looking at my home network I noticed the KVM had its own IP and was transferring GBs of data everyday. I quickly blocked it from my network. But having used it for a number of months I worried that with screen capture and access to all my input devices, someone could have gotten access to pretty much everything I use. I wasn’t able to figure out if any data was actually being sent off my network and I really didn’t want to put myself in any more risk so I just threw it in an electronics recycling bin. Pretty scary what a network connected KVM could maliciously do.
Shame you threw it away. It would have been useful to collect the traffic with Wireshark and share that with info about the device in a post or a blog for others to investigate and be warned about that brand and model.
Why did you not just log in to the device and switch off "Broadcast to multicast", or change the destination address?
Edit: Some brands of Network-KVM use this, so that you can control the target device from another device, like e.g. an App on a tablet. That way you don't have to stand next to the target device in the noisy and cold machine room
Once I dissected the code of a FDA-approved medical device, Vendys Endothelix. If connected to the internet, the device would covertly send measurement data to a specific email address. The usernames and comments baked in the code suggested Chinese development. I would be curious to know what percentage of our highly sensitive data ends up overseas.
Why is this article trending again?? The NanoKVM is showcase product for the LicheeRV Nano. A built-in microphone is an advertised feature of that board.
I like Matej's work, especially his GSM stuff, but this article is so overblown. A third are known issues and another third are non-issues. The last third was good security work and I genuinely appreciate he did it. Beat me to it by a few weeks, since my order was stuck in customs while I tried to explain to them what a KVM was...
This said, wildly inappropriate features included do violate the principle of least user authorization. You expect if your KVM gets hacked your servers are pretty fucked, the problem now is any conversation you had by the KVM is suspect too.
Goes along with 'the S in IOT stands for security'.
I don't see the issue here. It's not like they have not disclosed what board it is based upon. And I do feel like it's correct not advertising a mic if you don't have it enabled on this one.
I don't really like NanoKVM for being slow with updates and not patching stuff fast enough.
What an amazing device, but also the price is incredible. This kind of device would have been such a game changer 15 to 20 years ago. Thank you for the detailed security analysis. At least the developers are responsive, that does seem like a green flag.
> To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone
So like pretty much any BMC out there, just with the benefit that an attacker taking over that thing doesn't have direct access to reflash your bios with a backdoored version?
Any halfway sane person deployed any kind of BMC or networked KVM to an access-restricted management VLAN for at least a decade now because all of those things are a big mess, and the impact of them getting owned typically is pretty severe.
A KVM that requires Chinese DNS servers? Just the fact it's KVM over Ethernet should set off alarm bells from here till next Thursday. I would have a hard time trusting an internet based KVM.
...you need a password to log in onto it to change it. That's hardly unique.
You could say "but they could make a random one that is displayed on the display!", but they also sell a headless version with no display at all, so that's not an option.
* Includes a microphone? Look at the datasheet of the devboard they used, dummy.
* Running everything as root? Valid point. That's an inexcusable mistake and has been for ever a sign of laziness and ignorance.
* Not including systemd? Yes please.
* Not including a package manager the author knows? Shows the author's ignorance to assume apt would be found on a small embedded system.
No, because the drive circuit for a speaker is the opposite of the circuit for a microphone. The output stage of a speaker amplifier is just that, an output. The only way to record audio from a speaker, which is totally possible, is to have also purposely built an input stage also attached to the speaker. Which at that point you might as well just use a microphone...
From a hardware point of view I've also noticed that speakers work like poor microphones (and LEDs like poor solar panels / light sensors), but is there any way to actually make this work on most devices without physically changing wiring? If the circuits aren't made to take measurements (or the software can't get at the readings) but only set a voltage on the wires, there wouldn't be a way to (ab)use this. I don't know enough about electronics to know whether this is commonly the case
Not that it's not a good thing to be aware of, but do you have any sort of source for what kinds of devices can have their speakers turned into microphones? Then I'll believe you about the government part
tayiorrobinson|2 months ago
https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.h...
LorenPechtel|2 months ago
ndsipa_pomu|2 months ago
Rygian|2 months ago
"Reusing existing stock" is not a valid excuse. They are currently selling this device without advertising that it contains a working microphone.
parineum|2 months ago
Nevermind that, if they could access the device, they'd also be able to read your kvm i/o.
MomsAVoxell|2 months ago
ghostpepper|2 months ago
butvacuum|2 months ago
1) It's from a company known for dev boards and SoCs - not consumer products.
2) The code is available on GitHub (nice!)
3) Sipeed actively contributes to the mainline Linux kernel for RISC-V in general as well as their SoCs.
4) Security in Embedded Applications is just... Bad. American, Chinese, European, Russian, Indian - it doesn't matter.
itopaloglu83|2 months ago
nickphx|2 months ago
pirbull|2 months ago
gruez|2 months ago
kotaKat|2 months ago
Probably an older NanoKVM.
Milpotel|2 months ago
?!
whalesalad|2 months ago
kps|2 months ago
stefan_|2 months ago
knallfrosch|2 months ago
zepan|2 months ago
milesvp|2 months ago
nixpulvis|2 months ago
kyrofa|2 months ago
You mean it's not Debian-based? How is this an issue?
jlward4th|2 months ago
Renaud|2 months ago
stragies|2 months ago
CoastalCoder|2 months ago
It sounds like a potential risk is to the public.
unknown|2 months ago
[deleted]
unknown_rookie|2 months ago
SoftTalker|2 months ago
n5NOJwkc7kRC|2 months ago
rcarmo|2 months ago
franga2000|2 months ago
jxhdh|2 months ago
pixl97|2 months ago
bethekidyouwant|2 months ago
gunalx|2 months ago
supportengineer|2 months ago
finaard|2 months ago
snapdeficit|2 months ago
Ekaros|2 months ago
macki0|2 months ago
iJohnDoe|2 months ago
Is it possible to buy something like this which is intended to be user installable for Linux that I could test/mess around with?
PunchyHamster|2 months ago
mrbluecoat|2 months ago
That alone ends my trust in the brand.
PunchyHamster|2 months ago
wkat4242|2 months ago
But I never trusted them in the first place so they don't have internet access anyway. They're on a separate subnet. It'll be fine.
Also where my servers are there's nothing interesting to hear except more servers and 3D printers.
account42|2 months ago
How can the article not include this picture or at least link to it. Internet, today you have disappointed me.
PeterStuer|2 months ago
neom|2 months ago
_def|2 months ago
eps|2 months ago
crest|2 months ago
mannanj|2 months ago
Workaccount2|2 months ago
Audio input and output are not reversible.
Aachen|2 months ago
lousken|2 months ago
thorncorona|2 months ago
[deleted]
da_grift_shift|2 months ago
[deleted]