©2025 Poal.co


Yeah, basically "nothing to see here" as it's a pre-existing devboard that is repurposed for the KVM.

Archive: https://archive.today/rwRrc

From the post:

>Recently, [Jeff Geerling] dropped into the bad press feeding frenzy around Sipeed’s NanoKVM, most notably because of a ‘hidden’ microphone that should have no business on a remote KVM solution. The problem with that reporting is, as [Jeff] points out in the video below, that the NanoKVM – technically the NanoKVM-Cube – is merely a software solution that got put on an existing development board, the LicheeRV Nano, along with an HDMI-in board. The microphone exists on that board and didn’t get removed for the new project, and it is likely that much of the Linux image is also reused.

[–] 2 pts (edited)

Be careful, this thing is dangerous af. Good comment below the article:

This is a gross misrepresentation. While it’s true that there is a microphone, that isn’t their most egregious transgression. The software it ships paints a far more damning picture.

Why does this extremely pared-back Linux install contain TCPdump? And aircrack? If this microphone is an incidental hardware feature, why did they add ALSA software tools like amixer and arecord which make it immediately available for use by scripts? And of course it routes all its DNS queries through Chinese servers.

And then on top of that this thing has terrible security. It shipped with a preset password and out-of-box SSH access. The web interface lacks CSRF defenses and doesn’t have any way to invalidate sessions. The key used to protect login passwords is hardcoded and shared across all devices. “According to the researcher, this had to be explained to the developers ‘multiple times’ before they acknowledged the issue.”

In my humble opinion, the picture this paints is that seeed is “seeding” the world with vulnerable KVM modules which are ripe to be taken over later by adversaries who will be able to simply drop a shellscript-based payload and find all the binaries they could ever want for pivoting their attack. And that’s in addition to any high-value targets attached to the KVMs themselves.
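
One way to check an unpacked firmware image for the items the quoted comment lists, as an added example that is not part of the thread or of Sipeed's code. It assumes the root filesystem has already been extracted to a directory, that the aircrack binary is named `aircrack-ng`, and that resolvers are set in `etc/resolv.conf`.

```shell
#!/bin/sh
# Added example: read-only audit of an unpacked firmware root filesystem.
# Tool names follow the comment above; "aircrack-ng" as the binary name and
# etc/resolv.conf as the resolver config are assumptions about the image.

AUDIT_TOOLS="tcpdump aircrack-ng amixer arecord"

# find_tools ROOTFS: print "tool<TAB>path-inside-image" for each tool found.
# Symlinks are included because embedded images often link tools into place.
find_tools() {
    root=${1%/}
    for tool in $AUDIT_TOOLS; do
        find "$root" \( -type f -o -type l \) -name "$tool" 2>/dev/null |
        while IFS= read -r path; do
            printf '%s\t%s\n' "$tool" "${path#"$root"}"
        done
    done
}

# list_nameservers ROOTFS: print the resolver addresses the image ships with.
list_nameservers() {
    conf=${1%/}/etc/resolv.conf
    [ -f "$conf" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$conf"
}

# audit_rootfs ROOTFS: print findings; returns 1 if any listed tool is present,
# 2 if ROOTFS is not a directory, 0 otherwise.
audit_rootfs() {
    dir=${1%/}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(find_tools "$dir")
    if [ -n "$found" ]; then
        echo "Tools present:"
        printf '%s\n' "$found"
    fi
    ns=$(list_nameservers "$dir")
    if [ -n "$ns" ]; then
        echo "Configured resolvers:"
        printf '%s\n' "$ns"
    fi
    [ -z "$found" ]
}

# Stand-alone use: sh audit.sh /path/to/extracted/rootfs
if [ "$#" -gt 0 ]; then
    audit_rootfs "$1"
fi
```

A clean result only says those named files are absent from the image; it does not cover renamed binaries or the microphone hardware itself.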

[–] 1 pt

All true, but the firmware is now publicly available so you can modify it to your heart's content and "defang" it if you want to.

[–] 2 pts

Maybe, but aircrack on a device like this just screams bad intentions. I wouldn't touch that thing with a 10-foot pole after reading this. Of course nobody knows what's hidden in other closed hardware/closed source devices, so there's that.

[–] 1 pt

Fair enough, this is what it's based off of.

https://www.cnx-software.com/2024/02/08/licheerv-nano-low-cost-sg2002-risc-v-arm-camera-display-board-wifi-6-ethernet/

This is the git repo: https://github.com/sipeed/LicheeRV-Nano-Build

I believe there are a number of 3rd party builds already available though.

[–] 1 pt

It's not defanged until you physically remove the microphone and any other unneeded components yourself.

[–] 1 pt

OH LOOK CHINKS CHOOSING TO USE DEVBOARDS WITH MICS, THEN CLAIMING THAT ALL THE LINUX AUDIO STUFF IS THERE BY COINCIDENCE