Some bubbling news over the last few days (that I missed, thanks for those that shared last night) on the original NanoKVM. The TL;DR is that this sounds likely to be just a lazy/overlooked early production error, but if you have one, wall it off anyway (as you should have already). I reviewed the Pro model a few weeks ago (https://www.youtube.com/watch?v=iCChf...), but it appears the original first wave released model features/featured** a small on-board microphone that can be activated over SSH with script, but would still need prompting to record and 'send home' successfully needing ports/path open. This seems like it was a case of the brand reusing an existing board and it having the mic onboard (the LicheeRV Nano – which DID mention the microphone in it’s hardware specifications, but it is not detailed on the NanoKVM spec sheets at the time of discovery). I am currently going over the NanoKVM Pro device in this video for any further issues of hardware irregularities or issues discovered since this video was published (the device has been in action for 3 weeks more now), but even early checking has shown up negative/nothing. Bottom line, that device was not released finished, and early reviews of that device absolutely SLAMMED it for security issues (again, see Aparld’s vid from back in Feb that frankly teared the device a new one! https://www.youtube.com/watch?v=plJGZ...) which largely related to poor practices - plain text passwords, chinese DNS, etc, so no one should be deploying it on mission-critical clients anyway. Nevertheless, this sounds like (at best) a stupid mistake by the brand, and (at worst) poorly developed and badly baked hardware that was rushed out the door. Given the deployment scenario of this device AND the fact it has KVM access, there are probably a dozen better ways it could have hijacked a client (in it's launch state) if that was the brand's intention - it sounds more like Johnny English levels of spying, as opposed to James Bond! I have reached out to the brand for more on this and will add here as/when it arrives. In the meantime, check out Jeff’s Level 2 channel for his video on this (here https://www.youtube.com/watch?v=RSUqy... ), which does a solid job of nailing the salient points! You can find the original investigation of the device (here telefoncek.si/2025/02/2025-02-10-hidden-microphone…) .
**still 100% TBC if this was just the first models or all of the original NanoKVM that were shipped
NASCompares
Some bubbling news over the last few days (that I missed, thanks for those that shared last night) on the original NanoKVM. The TL;DR is that this sounds likely to be just a lazy/overlooked early production error, but if you have one, wall it off anyway (as you should have already).
I reviewed the Pro model a few weeks ago (https://www.youtube.com/watch?v=iCChf...), but it appears the original first wave released model features/featured** a small on-board microphone that can be activated over SSH with script, but would still need prompting to record and 'send home' successfully needing ports/path open. This seems like it was a case of the brand reusing an existing board and it having the mic onboard (the LicheeRV Nano – which DID mention the microphone in it’s hardware specifications, but it is not detailed on the NanoKVM spec sheets at the time of discovery).
I am currently going over the NanoKVM Pro device in this video for any further issues of hardware irregularities or issues discovered since this video was published (the device has been in action for 3 weeks more now), but even early checking has shown up negative/nothing. Bottom line, that device was not released finished, and early reviews of that device absolutely SLAMMED it for security issues (again, see Aparld’s vid from back in Feb that frankly teared the device a new one! https://www.youtube.com/watch?v=plJGZ...) which largely related to poor practices - plain text passwords, chinese DNS, etc, so no one should be deploying it on mission-critical clients anyway.
Nevertheless, this sounds like (at best) a stupid mistake by the brand, and (at worst) poorly developed and badly baked hardware that was rushed out the door. Given the deployment scenario of this device AND the fact it has KVM access, there are probably a dozen better ways it could have hijacked a client (in it's launch state) if that was the brand's intention - it sounds more like Johnny English levels of spying, as opposed to James Bond! I have reached out to the brand for more on this and will add here as/when it arrives. In the meantime, check out Jeff’s Level 2 channel for his video on this (here https://www.youtube.com/watch?v=RSUqy... ), which does a solid job of nailing the salient points! You can find the original investigation of the device (here telefoncek.si/2025/02/2025-02-10-hidden-microphone…) .
**still 100% TBC if this was just the first models or all of the original NanoKVM that were shipped
2 days ago | [YT] | 97