Offical Declaration on the Built in Microphone of NanoKVM Cube/Lite #693
Description
- Is there have undocumented hidden mic in nanokvm?
This is the most direct factual error in these reports.
refer to this page: https://wiki.sipeed.com/hardware/en/kvm/NanoKVM/introduction.html#NanoKVM-Hardware-and-Software-Resources
Our wiki is auto generated from github repo, so any commit is traceable.
This is the wiki source commit history, you can see all edit history in the timeline:
https://github.com/sipeed/sipeed_wiki/commits/main/docs/hardware/en/kvm/NanoKVM/introduction.md
At the very beginning, the en wiki first version: Commit 003739d, committed on Aug 16, 2024
It is already said:
The NanoKVM image is built on the LicheeRV Nano SDK and MaixCDK, and it is compatible with materials that use the LicheeRV Nano.
And link to the licheerv nano wiki page which have clearly annotation the mic: https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.html#Specifications
As the first batch of NanoKVM users is come from LicheeRV-Nano users (they are both our "Nano" product series), this introduction is enough for them.
And half years later, NanoKVM become popular, we noticed that new users aren't aware of our product history, leading to questions about the microphone.
So we have added a full explanation to the Wiki homepage so everyone can get the facts immediately without extra navigation
It is commit fedd3a4, committed on Apr 18.
-
Is the mic increased security risks?
No.
Because IP-KVM itself support bidirectional audio function.
It means even there is no mic on the board, when hacker control the KVM, he can do anythinf he want, include record audio from PC's own mic.
So, the physical mic won't increase the security risky. the true risky is from user's network config.
And many users have joked, the NanoKVM would only pick up a bunch of server room noise anyway.
Another thing, the mic driver is removed since 9 month ago. -
Which model has a built-in mic? and why it not removed?
NanoKVM-Cube and NanoKVM-Lite, as they are built based on LicheeRV-Nano.
LicheeRV-Nano is a standard RISC-V Linux SOM SKU, it also include mipi lcd, touch screen connector, Speaker PA, etc.
Not only NanoKVM use it, but also MaixCAM:
https://www.aliexpress.com/item/1005007136031019.html
https://www.youtube.com/watch?v=qV1lw0UVUYI
https://www.youtube.com/watch?v=hSv498VxOtE
It is a standard som like raspberrypi CM0, any change on it will introduce additional inventory and production costs.
Considering various factors including security, cost, and inventory, we have retained the microphone on the NanoKVM. -
Is the security vulnerability in the article is real?
The "security vulnerability" in the article is growing from a simple engineer bias to media rumor.
refer to: youtu.be/-ycIKvCrZOQ
Most of the vulnerabilities mentioned in the reports are exaggerated, or have become increasingly alarmist due to distortion through repeated circulation.
But NanoKVM is not "non-vulnerability" device, we have received multiple alerts regarding real security vulnerabilities from independent developers and professional agencies—
unlike the sensationalist scaremongering currently online that looks dangerous but is actually just a gimmick.
Benefiting from our open-source nature, they can use both white-box and black-box testing to help us better improve our security.
we would like to remind users that rather than attempting to find "absolutely secure" or "non-Chinese manufactured" devices.
The most effective defense lies in learning and properly configuring network isolation and security measures. -
more infos:
https://www.reddit.com/r/cybersecurity/comments/1phk6f5/researcher_finds_chinese_kvm_has_undocumented/
https://news.ycombinator.com/item?id=46173383
https://www.youtube.com/watch?v=RSUqyyAs5TE
https://www.youtube.com/watch?v=USptt6s4-KM
https://www.youtube.com/watch?v=99twqvxFsoM