Researcher finds Chinese KVM has undocumented microphone, communicates with China-based servers — Sipeed's nanoKVM switch has other severe security flaws and allows audio recording, claims researcher

Researcher finds Chinese KVM has undocumented microphone, communicates with China-based servers — Sipeed's nanoKVM switch has other severe security flaws and allows audio recording, claims researcher

The compact RISC-V board, which arrived on the market last year as a budget alternative to PiKVM, offers HDMI capture, USB HID emulation, remote power control, and browser-based access to a connected PC. It is beginning to show up in IT environments precisely because it requires no software on the target machine and can operate from BIOS to OS install.

The researcher says the device’s software stack exposes weak points from the moment it boots. Early units arrived with a pre-set password and open SSH access, a problem the researcher reported to Sipeed and which the company later corrected. The web interface still lacks basic protections, including CSRF defence and any mechanism to invalidate active sessions.

More troubling, the encryption key used to protect login passwords in the browser is hardcoded and identical across all devices. According to the researcher, this had to be explained to the developers “multiple times” before they acknowledged the issue.

The NanoKVM’s network behavior raises further questions, as it routes DNS queries through Chinese servers by default and makes routine connections to Sipeed infrastructure to fetch updates and a closed-source binary component. The key verifying that component is stored in plain text on the device, and there is no integrity check for downloaded firmware.

The underlying Linux build is also a heavily pared-down image without common management tools, yet it includes tcpdump and aircrack, utilities normally associated with packet inspection and wireless testing rather than production hardware intended to sit on privileged networks.

All this, paired with the discovery of a tiny surface-mount microphone, should make any user suspicious of the device’s true intentions. The researcher says the microphone is not documented in product materials, yet the operating system includes ALSA tools such as amixer and arecord that can activate it immediately. With default SSH credentials still present on many deployed units, the researcher demonstrated that audio could be recorded and exfiltrated with minimal effort, and streaming that audio in real time would require only modest additional scripting.

Thankfully, because NanoKVM is nominally open source, community members have begun porting alternative Linux distributions, first on Debian and later Ubuntu. Reflashing requires opening the case and writing a new image to the internal microSD card, but early builds already support Sipeed’s modified KVM code. Physically removing the microphone is possible, though the component’s size and placement make it a fiddly job without magnification.
------

Pls be vigilant

Where is the spy chip CCP planted inside ipong?

china banyak pandai implant thing mcm bat sup in byd

This post has been edited by supermoto: Dec 9 2025, 08:55 AM

The researcher says the microphone is not documented in product materials

This is a big red flag. Why would a kvm even nerds microphone? Server room is noisy anyways, what are they listening for? If used in small office where work station is the server, habislah.

Added
Ok I can think of 1 use case for the mic. To listen to motherboard diagnostic beeps. Kinda cleaver actually. It should be documented tho.

This post has been edited by Rusty Nail: Dec 9 2025, 09:57 AM

what is KVM?

better worry about your phone spying on you

This post has been edited by damonlbs: Dec 9 2025, 04:19 PM

Lol their explanation.
When they going to say camera is also part of KVM switches?

This post has been edited by COOLPINK: Dec 9 2025, 09:22 AM

I scared my screwdriver also communicate to China server. Macamlah WIndows does not sent telemetry data back to their servers without telling you.

This post has been edited by Capt. Marble: Dec 9 2025, 09:26 AM

nothing that cannot be blocked by firewall.

as long as proper firewall rules is in place.

Woi who go report me ?
This is not racial.
It is security awareness

KVM = Klang Valley Macha?

I think they are refering to the switch people use when they want to control different computers using the same keyboard and mouse. Used to be very common in the workplace.

The old ones don't have SSH access. Not sure if that is a good idea.

Edit: i googled it, Keyboard Video Mouse, lol hari ini baru saya tau



This post has been edited by loserguy: Dec 9 2025, 04:15 PM

No, this is bad practice. Basically bypasses most protections on the machine itself, leaving your network as the last line of defence.

Lol wolf 'warriors' proving siapa paling glassheart punya group in /k

So 2 wrong means right?

not really. all these big corporates masks these data collection as "diagnostic", or use the same domain for data collection/update/essential services.
then u cant block without effecting the function of the OS.
microsoft been sending data, even user pc screenshots back to microsoft for years, no 1 bats an eye pun.

Who else? 18 Jan punya gang la.

go to reddit /homelab see people's response to the KVM mic thing.
https://www.reddit.com/r/homelab/comments/1...s_undocumented/

the homelab crowd reply feels more... interesting. hmmm

This post has been edited by yushin: Dec 9 2025, 05:12 PM

They were intended to sell the items to their own people, hence spying by CCP is inevitable, but foreign countries attracted by cheap cheap price all buy, ofcos came with these "features", but in the end upload to CCP server or not dunno la

Must be reasonable la.
Security concerns, this is not an accusation of spying.
Most likely sloppy implementation

Sounds like shitty noob design instead of a sophisticated spying design

in before sendiri open baiting tered play innocent...

the source code is open. you can study it or even use your own source code.

which electrical stuff you have have open source code?

just replying to your security concern.

i dont report people

This post has been edited by brian81st: Dec 9 2025, 05:35 PM

KVM lease of our worries when phone does it all the time.

Oh good tonite sing karaoke can share with CCP

It is voice activated assistant. "Hello Alexa switch to second PC"

all these riscV board are mainly for researchers to make proof of concept for products, never supposed to be used in your company servers or data centers

Open source =/= 100% safe. It just means that it is there, not that there is actually anyone looking at it.

Only last year we had a case where somebody put something naughty in the source code for a very common utility.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor
https://tekkix.com/articles/security/2025/0...e-largest-cyber

The kicker is this, the exploit got caught, not because there was a robust process and a bunch of experienced eyeballs scanning it. But because a nerd noticed a half second delay. A half second delay. This was utter, complete, sheer dumb luck. Without that guy, all of us would be unknowingly running linux OSes with this backdoor built in.

Edit: honestly, who knows what else the alphabet agencies have slipped in over the years.

This post has been edited by loserguy: Dec 9 2025, 07:55 PM