alt Hacker NewsHow I discovered a hidden microphone on a Chinese NanoKVM
Comments
A lot of the complaints here don't make a lot of sense and read like the author has never used an embedded linux device. The previously reported bugs are more substantial - hardcoded secrets for JWT access and firmware encryption, everything running as root, etc.
However, "Chinese product uses Chinese DNS servers and it's hard to change them" or "no systemd nor apt installed" are totally expected and hardly make it "riddled with security flaws". Same with tcpdump and aircrack being installed - these hardly compromise the security more than having everything run as root.
I would expect most users of this device will not be exposing the web interface externally, and the fact that they ship with Tailscale installed is actually impressive. I can't imagine the lack of CSRF protection will be a vulnerability for 99% of users.
I am curious what the "weird" version of wireguard the author refers to but based on their apparent lack of knowledge on embedded systems in general I would not be shocked to find that it's totally innocuous.
> You can start with your iPhone - last year Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri recorded private conversations. They shared the data with third parties and used them for targeted ads. “Unintentionally”, of course! Yes, that Apple, that cares about your privacy so much
the clickbait title makes sense after reading this paragraph
I recently discovered a similar concerning security issue with my KVM. In my case it was a pretty standard KVM for multiple machines to share a keyboard, mouse, and screen but also Ethernet. One day while looking at my home network I noticed the KVM had its own IP and was transferring GBs of data everyday. I quickly blocked it from my network. But having used it for a number of months I worried that with screen capture and access to all my input devices, someone could have gotten access to pretty much everything I use. I wasn’t able to figure out if any data was actually being sent off my network and I really didn’t want to put myself in any more risk so I just threw it in an electronics recycling bin. Pretty scary what a network connected KVM could maliciously do.
> [...] and runs a heavily stripped-down version of Linux that lacks systemd and apt. And these are just a few of the issues.
?!
Mics have a pretty standard look, and are hard to miss on the board. It would be more insideous if there were cheap film caps leading into a very expensive ADC. I work with with analogue audio, and it’s very important to design around the noise of cheap caps. They are for all intents and purposes microphones and if you were clever about different caps for different frequencies and good digital processing I have no doubt you could build something with comparable fidelity to some of the cheapers MICs in the vocal range.
> [It] runs a heavily stripped-down version of Linux that lacks systemd and apt. And these are just a few of the issues.
You mean it's not Debian-based? How is this an issue?
A kvm that requires Chinese dns servers? Just the fact it KvM over Ethernet should set off alarm bells from here till next Thursday. I would have a hard time trusting an internet based kvm.
This is… not news. The base board has always had a microphone, the NanoKVM was just built around that base board.
> To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone
So like pretty much any BMC out there, just with the benefit that an attacker taking over that thing doesn't have direct access to reflash your bios with a backdoored version?
Any halfway sane person deployed any kind of BMC or networked KVM to a access restricted management VLAN for at least a decade now because all of those things are a big mess, and the impact of them getting owned typically is pretty severe.
I dont see the issue here. Its not like they have not disclosed what board it is based upon. And I do feel like its correct not advertising a mic if you dont have it enabled on this one.
I dont really like nanokvm for being slow with updates and not patching stuff fast enough.
What an amazing device, but also the price is incredible. This kind of device would have been such a game changer 15 to 20 years ago. Thank you for the detailed security analysis. At least the developers are responsive, that does seem like a green flag.
Whoa I have a bunch of these.
But I never trusted them in the first place so they don't have internet access anyway. They're on a separate subnet. It'll be fine.
Also where my servers are there's nothing interesting to hear except more servers and 3D printers.
Once I dissected the code of a FDA-approved medical device, Vendys Endothelix. If connected to the internet, the device would covertly send measurement data to a specific email address. The usernames and comments baked in the code suggested Chinese development. I would be curious to know what percentage of our highly sensitive data ends up overseas.
https://wiki.sipeed.com/hardware/en/kvm/NanoKVM/introduction...
Probably an older NanoKVM.
"NanoKVM-Cube hardware is built on the LicheeRV Nano platform. To coordinate production and maintain consistency with the LicheeRV Nano for the SMT project, the hardware retains the display, touch, MIC, and amplifier circuits. To address potential privacy concerns, versions 2.2.6 of the application and 1.4.1 of the firmware and above will remove the relevant drivers. We will also eliminate these components in future productions."
Gotta be careful about them hidden microphones, they could be listening and recording all the keyboard clicks and translating them to the device.
> The device initially came with a default password, and SSH access was enabled using this preset password
That alone ends my trust in the brand.
Anyone got a link to some community work on the open source side? Sounds like useful devices, if you fix the issues mentioned.
You are using a KVM. When not trusting the manufacturer a microphone is the least of your problems xD
If someone hacks your KVM, I’m thinking the onboard microphone is the least of your problems.
is there a recording sample to hear the quality?
Such a cool device.
Is it possible to buy something like this which is intended to be user installable for Linux that I could test/mess around with?
any speaker can be tapped into as a microphone by a motivated government.
Wow, HN is really desperate for the clickbait today.
(And no! Don't just say this isn't a substantive comment! Do better! This isn't the first ragebait top story that made commenters foam at the mouth today, and thanks to the bullshit asymmetry of AI slop, it's even easier to churn out posts like 'this cheap shitbox SBC lacks systemd but includes tcpdump'.)
Please stop upvoting AI clickbait slop.
To be fair, the microphone _is_ listed on the specsheet of the LicheeRV Nano
https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.h...
I assume they didn't intend to put a mic on the KVM product, but they wanted to make a KVM product, already had this SBC product, which reusing their existing stock of helped keep cost low.
Should they have been more up front about it it? Sure, and it's not great that they had a bunch of security issues in the FW anyway, so not exactly great, but "hidden microphone in a Chinese KVM" lets the mind wander