Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

How I discovered a hidden microphone on a Chinese NanoKVM

⁨177⁩ ⁨likes⁩

Submitted ⁨⁨15⁩ ⁨hours⁩ ago⁩ by ⁨doopinglouie@feddit.org⁩ to ⁨technology@lemmy.world⁩

https://telefoncek.si/2025/02/2025-02-10-hidden-microphone-on-nanokvm/

source

Comments

Sort:hotnewtop
  • NuXCOM_90Percent@lemmy.zip ⁨15⁩ ⁨hours⁩ ago

    Apalrd has done some great “popular computer science” videos on the various remote KVM devices that is well worth looking up. One of them specifically goes into the ridiculously sketchy methods that are used to fetch and execute unsigned code in random buckets to handle firmware updates.

    But as for the mic? Honestly, if you open up a LOT of consumer devices you are going to find random microphones. Not because they are all secretly spying on you. But because they use “off the shelf” chips and boards that already have those embedded. Especially since microphones and speakers are kind of the same hardware in most cases and we ALL love a good beep.

    I 100% agree the software stack shouldn’t be on there. But, as the blog post points out, there is a LOT of developmental code and packages in that image that shouldn’t be. It is likely just a case of not removing unnecessary packages from the base image.

    Because… the entire point of a device like this is that you plug it in somewhere you aren’t. MAYBE JetKVM corp can hear me muttering profanity or wondering where I left that USB c splitter when I am trying to assemble it the first time. The rest of the time? It is plugged into the back of a server that I am booting up so that I can install proxmox without having to drag a monitor over. And while you can potentially get some juicy info out of that? It is not at all worth the hassle to set up fake companies and market a fake (moderately high demand in the right circles) device.

    source
    • BCOVertigo@lemmy.world ⁨14⁩ ⁨hours⁩ ago

      Yeah you 100% have the right of this. Not a secret at all and very clearly documented on their github. Don’t give this dude ad revenue.

      github.com/sipeed/NanoKVM

      Image

      github.com/sipeed/sipeed_wiki/blob/…/1_intro.md

      Image

      source
  • paraphrand@lemmy.world ⁨12⁩ ⁨hours⁩ ago

    To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone - fully equipped for recording audio - without clear mention of it in the documentation. Could it get any worse?

    I am pretty sure these issues stem from extreme negligence and rushed development rather than malicious intent. However, that doesn’t make them any less concerning.

    Slop everywhere. As far as the eyes can see.

    source
  • GreenKnight23@lemmy.world ⁨14⁩ ⁨hours⁩ ago

    I had several IOT smart plugs that have GPS built in.

    why? why would it need to know its exact geographic location?!

    after that I created an entire hardware segmented network that’s specifically used for IOT and cameras.

    last I checked the router/firewall it’s on has blocked over 11million requests a month trying to access the outside.

    I will never have a “smart” device in my home that’s connected to the internet. I’ll live like it’s the 1930s if I ever have to.

    source
    • Nighed@feddit.uk ⁨10⁩ ⁨hours⁩ ago

      GPS is a great way to get an accurate time.

      source
    • phoenixz@lemmy.ca ⁨13⁩ ⁨hours⁩ ago

      Likely because the manufacturer used of off the shelf hardware that just happened to have GPS built in? That’s just how these things go, it’s easier to just use pre designed hardware for what you need, even if it has functionalities you won’t use.

      Hell, I’d argue that the vast majority of computer hardware out there isn’t using half of the features that it has.

      Just because features are there doesn’t mean they’re used, and definitely doesn’t automatically mean that there are evil or nefarious intentions with its design

      source
      • BCOVertigo@lemmy.world ⁨13⁩ ⁨hours⁩ ago

        I agree with you in principle but that doesn’t really help us much when poorly wrought digital devices get compromised en masse. I can say “Mirai” and way too much of the population knows that it’s an IoT botnet.

        Those default passwords and superfluous software packages are cut corners, and directly translate to risk in your own home. Maybe you don’t feel that 2025 hsd been enough years of neglect to start calling it malfeasance , but if they’re tired of shit breaking and getting hacked and losing support I can definitely see the point of keeping more analog devices to minimize those risks.

        Opportunity makes the thief, right?

        source
  • BlackEco@lemmy.blackeco.com ⁨14⁩ ⁨hours⁩ ago

    FFS… I’m never going to buy anything hyped by LTT before doing more thorough research on it.

    source
    • ImgurRefugee114@reddthat.com ⁨14⁩ ⁨hours⁩ ago

      Obviously never rely on a single source before buying something, but this isn’t news. See the other dude’s comment lemmy.world/comment/20879776

      source
    • myfunnyaccountname@lemmy.zip ⁨9⁩ ⁨hours⁩ ago

      Well it’s LTT. They would sell shit in a box for the right price.

      source
    • moonshadow@slrpnk.net ⁨13⁩ ⁨hours⁩ ago

      Paid hype is a red flag imo

      source
    • NuXCOM_90Percent@lemmy.zip ⁨12⁩ ⁨hours⁩ ago

      Yeah. Believe it or not but the sex pest who actively didn’t warn his contemporaries about the impact of the honey plugin and who now advertises on kiwi farms might be kind of a piece of shit who will say anything for a buck?

      And now for a word from d-brand!

      source
    • paraphrand@lemmy.world ⁨12⁩ ⁨hours⁩ ago

      Their reviewers are always so flippant and trying to be cool and casual about it all. I don’t know how anyone can take them seriously.

      source
  • phoenixz@lemmy.ca ⁨13⁩ ⁨hours⁩ ago

    How I discovered a microphone by reading the he documentation on GitHub?

    source
    • cyberpunk007@lemmy.ca ⁨10⁩ ⁨hours⁩ ago

      Is this a question or a statement?

      source
      • AceBonobo@lemmy.world ⁨10⁩ ⁨hours⁩ ago

        Yes?

        source
  • beerclue@lemmy.world ⁨10⁩ ⁨hours⁩ ago

    I mean, I wouldn’t call tcpdump a “hacking tool”…

    source
    • ripcord@lemmy.world ⁨10⁩ ⁨hours⁩ ago

      I have this hacking tool called “passwd” which is useful for hacking. Also one called “Linux”

      source
  • Krudler@lemmy.world ⁨14⁩ ⁨hours⁩ ago

    Guys I discovered a hidden microphone in my headphones speaker!!!

    source
    • FauxLiving@lemmy.world ⁨11⁩ ⁨hours⁩ ago

      And poorly designed software in my… everything

      source
  • Retro_unlimited@lemmy.world ⁨15⁩ ⁨hours⁩ ago

    I was really sketched out with my BLI-KVM. I had a server that was off, when I booted it the bios was in Chinese. Although someone did say that motherboard had a flaw that would do that, I wasn’t Sure if it was the KVM or the motherboard, but still…

    source