How I discovered a hidden microphone on a Chinese NanoKVM
85 comments · December 6, 2025
tayiorrobinson
LorenPechtel
Given its history I suspect there is nothing malicious going on here, just a Chinesium approach to building something. Security isn't documented so it's made of tissue paper.
ndsipa_pomu
It doesn't strike me as that useful to have a hidden microphone in a KVM product as most of the time, they're going to be stuck in server rooms with just lots of fan noise to record.
Far more of an issue would be any kind of keylogger built into the software, which is why it's best to go for devices that support open source software.
hinkley
Ultrawideband never caught on because it turns out that the speed of light and sound in air is frequency dependent, so you have to know the distance to the target pretty accurately and then skew the signal to send or receive. (Imagine a phased array antenna but also with a frequency domain to work out as well).
But that doesn’t mean you can’t make it function in a loud server room. The whole point of it is working in and around noise.
PunchyHamster
The KVM just uses a devboard that's also sold separately and just happens to have a microphone; given how cheap the mics are, having one extra SKU would probably just cost them more than the savings.
Also I wouldn't really consider it a "server room" product. Pretty much any new server has KVM, this is more "a hobbyist needing KVM for their home server".
Y_Y
just fan noise?
https://arxiv.org/abs/1606.05915
Any signal that you can modulate can be an exfiltration channel, and fan noise is no different.
overfeed
> Any signal that you can modulate can be an exfiltration channel, and fan noise is no different.
This KVM has HDMI input and can directly emulate USB mass storage; fan-modulation is the lowest-bandwidth (side-)channel available to the attackers.
ndsipa_pomu
I wonder if that's feasible in a room filled with many servers and fans going?
i_am_proteus
It is possible to keylog via audio.
seszett
It would take an especially perverse mind to keylog using audio on a KVM, though. The KVM basically has access to everything, any secondary spying using a microphone or a camera would provide very little added value.
BenjiWiebe
But the point of a device like this is that you (and your keyboard) are NOT physically present.
ErroneousBosh
A long time ago (maybe in the mid-90s) I knew an elderly radio amateur who could not just "copy" CW by ear, but also RTTY. He could also pretty much tell what a teleprinter was printing just by listening to the noises it made, like he'd be facing away from it on the other side of the room reading out entire words from what was coming through.
Apparently in the 50s when he did his National Service he'd been in the Signals but "not in the regiment that's on his papers", make of that what you will.
I have noticed that with PSK modes and particularly PSK31 you can hear "CQ CQ CQ" as a distinctive pattern much in the same way as it is with CW.
IBM spent a fortune developing ATM keypads that - when correctly mounted - had keys that made the exact same noise no matter how you pressed them or how worn they were.
So I don't doubt that someone suitably clever could extract audio from a room and work out what was being typed.
parineum
The Chinese part makes one think the Chinese could access the microphone.
Never mind that, if they could access the device, they'd also be able to read your KVM I/O.
motbus3
You might be right but I think we cannot assume malice when it could be laziness. It might be that the exact same board has multiple target audiences and they just rebrand it for different purposes with different pricing.
That said, the microphone is so weirdly positioned that it gets suspicious indeed.
b00ty4breakfast
> I think we cannot assume malice when it could be laziness
If you are too lazy to go back and check if you left the gas on, you bear responsibility if the place explodes.
At the very least, it's negligent to leave something like that in and not be very upfront about it.
inetknght
> I think we cannot assume malice when it could be laziness
Why can't it be both?
Ekaros
> That said, the microphone is so weirdly positioned that it gets suspicious indeed.
How is it weirdly positioned? To me it seems there are rather few options for such a small board.
hinkley
Microphones and LEDs have been used famously for side channel attacks and also to circumvent air gaps. From a Least Power point of view this is troubling.
TheRealPomax
And rather than "the Chinese", how about "anyone robo-dialling some SSH connections"?
Rygian
"hidden microphone in a Chinese KVM" is the correct way to describe what is going on.
"Reusing existing stock" is not a valid excuse. They are currently selling this device without advertising that it contains a working microphone.
mintplant
A working microphone and recording software and hacking tools like aircrack-ng on an otherwise stripped-down OS image...
ghostpepper
A lot of the complaints here don't make a lot of sense and read like the author has never used an embedded linux device. The previously reported bugs are more substantial - hardcoded secrets for JWT access and firmware encryption, everything running as root, etc.
However, "Chinese product uses Chinese DNS servers and it's hard to change them" or "no systemd nor apt installed" are totally expected and hardly make it "riddled with security flaws". Same with tcpdump and aircrack being installed - these hardly compromise the security more than having everything run as root.
I would expect most users of this device will not be exposing the web interface externally, and the fact that they ship with Tailscale installed is actually impressive. I can't imagine the lack of CSRF protection will be a vulnerability for 99% of users.
I am curious what the "weird" version of WireGuard the author refers to is, but based on their apparent lack of knowledge on embedded systems in general I would not be shocked to find that it's totally innocuous.
itopaloglu83
Hanlon's Razor at work; most of the shortfalls described in the article point to incompetence more than malice.
I find it strange, though, because I would call this the shortcomings of a crowdfunded project, but the author took it as a malicious and planned act to take over target computers and networks.
As far as I remember, some of the botnets are formed by routers that vendors refused to patch, because they're no longer being sold and not profitable to do so.
pirbull
> You can start with your iPhone - last year Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri recorded private conversations. They shared the data with third parties and used them for targeted ads. “Unintentionally”, of course! Yes, that Apple, that cares about your privacy so much
the clickbait title makes sense after reading this paragraph
gruez
Not really, because the paragraph you quoted was highly misleading. Even the plaintiffs admit that the recordings were caused by accidental activation, not some sort of nefarious conspiracy by Apple. Moreover there's no evidence that Apple "used them for targeted ads", only that they handed them over to third-party contractors for improving Siri.
LorenPechtel
And Siri promptly got disabled on my wife's iPad because she kept triggering it inadvertently. Something about her accent kept tripping it. (And, in reverse, Alexa will often not trigger when my wife tries. She comes from a tonal language and it creeps into her English extensively.)
jlward4th
I recently discovered a similar concerning security issue with my KVM. In my case it was a pretty standard KVM for multiple machines to share a keyboard, mouse, and screen but also Ethernet. One day while looking at my home network I noticed the KVM had its own IP and was transferring GBs of data every day. I quickly blocked it from my network. But having used it for a number of months I worried that with screen capture and access to all my input devices, someone could have gotten access to pretty much everything I use. I wasn’t able to figure out if any data was actually being sent off my network and I really didn’t want to put myself at any more risk so I just threw it in an electronics recycling bin. Pretty scary what a network connected KVM could maliciously do.
Renaud
Shame you threw it away. It would have been useful to collect the traffic with Wireshark and share that with info about the device in a post or a blog for others to investigate and be warned about that brand and model.
stragies
Why did you not just log in to the device and switch off "Broadcast to multicast", or change the destination address?
Edit: Some brands of Network-KVM use this, so that you can control the target device from another device, like e.g. an App on a tablet. That way you don't have to stand next to the target device in the noisy and cold machine room.
jlward4th
The KVM didn't have any documentation on anything related to its network interface. I ran a port scan on it but didn't know if there was a way to log into it.
CoastalCoder
Is it possible for you to name the KVM model?
It sounds like there is a potential risk to the public.
jlward4th
It is this one: https://www.amazon.com/dp/B0CP4PD3SM
I did post a review there citing my security concerns.
Honestly I didn't go further with the investigation because if someone really has all my data, I'm worried about retribution.
Milpotel
> [...] and runs a heavily stripped-down version of Linux that lacks systemd and apt. And these are just a few of the issues.
?!
kps
Presumably Alpine. I bet it doesn't run GNOME either. And these are just a few of the issues!
whalesalad
I don’t see this as noteworthy myself. It’s expected on a small embedded device such as this. You’re usually lucky to have busybox.
stefan_
> But what additionally raised red flags was the presence of tcpdump and aircrack - tools commonly used for network packet analysis and wireless security testing. While these are useful for debugging and development, they are also hacking tools that can be dangerously exploited.
Must be another AI slop article. Stop feeding your writings into GPT & co to turn into extra long nonsense.
kenjackson
What was wrong with the above paragraph?
nottorp
Let's see:
1. It lacks systemd and apt.
systemd is so resource hungry that I'm sure they removed it to reduce the RAM bill. Apt... why install apt if the distro has a different means of updating?
2. While these are useful for debugging and development, they are also hacking tools that can be dangerously exploited.
This is purely fear mongering. Even the shell could be a "hacking tool that can be dangerously exploited". Let's remove the shell too.
There are some legitimate complaints in the article, like the use of the same key on all installs. The rest looks more like fear mongering and security theater.
Including the microphone. What were they supposed to do, desolder it manually and add $10 to the price of each device?
I don't see the article complaining that a PiKVM has so many unused peripherals when used as a KVM. To go in the spirit of item #2, the usb ports could be used as "dangerous hacking tools" so you should desolder your usb ports from a Pi used as a KVM, right?
wkat4242
Whoa I have a bunch of these.
But I never trusted them in the first place so they don't have internet access anyway. They're on a separate subnet. It'll be fine.
Also where my servers are there's nothing interesting to hear except more servers and 3D printers.
snapdeficit
A KVM that requires Chinese DNS servers? Just the fact it's KVM over Ethernet should set off alarm bells from here till next Thursday. I would have a hard time trusting an internet-based KVM.
Ekaros
Should I really be more trusting of some NSA controlled DNS server?
snapdeficit
Yes. Hahaha. Of course not. Or maybe?? No, just kidding. But am I?
macki0
wait till you find out about iLO/iDRAC or vPro
kyrofa
> [It] runs a heavily stripped-down version of Linux that lacks systemd and apt. And these are just a few of the issues.
You mean it's not Debian-based? How is this an issue?
finaard
> To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone
So like pretty much any BMC out there, just with the benefit that an attacker taking over that thing doesn't have direct access to reflash your bios with a backdoored version?
Any halfway sane person has deployed any kind of BMC or networked KVM to an access-restricted management VLAN for at least a decade now because all of those things are a big mess, and the impact of them getting owned typically is pretty severe.
gunalx
I don't see the issue here. It's not like they have not disclosed what board it is based upon. And I do feel like it's correct not advertising a mic if you don't have it enabled on this one.
I don't really like NanoKVM for being slow with updates and not patching stuff fast enough.
unknown_rookie
Once I dissected the code of an FDA-approved medical device, Vendys Endothelix. If connected to the internet, the device would covertly send measurement data to a specific email address. The usernames and comments baked in the code suggested Chinese development. I would be curious to know what percentage of our highly sensitive data ends up overseas.
SoftTalker
I think it's safe (or maybe prudent) to assume that pretty much all phones, computers, and network switching gear are backdoored by someone.
To be fair, the microphone _is_ listed on the spec sheet of the LicheeRV Nano
https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.h...
I assume they didn't intend to put a mic on the KVM product, but they wanted to make a KVM product and already had this SBC product, and reusing their existing stock of it helped keep cost low.
Should they have been more up front about it? Sure, and it's not great that they had a bunch of security issues in the FW anyway, so not exactly great, but "hidden microphone in a Chinese KVM" lets the mind wander