(Image credit: telefoncek.si)

A Slovenian security researcher has published an analysis of Sipeed’s NanoKVM that raises far-reaching concerns about the €30-€60 ($35-70) remote management device.

The compact RISC-V board, which arrived on the market last year as a budget alternative to PiKVM, offers HDMI capture, USB HID emulation, remote power control, and browser-based access to a connected PC. It is beginning to show up in IT environments precisely because it requires no software on the target machine and can operate from BIOS to OS install. Alarmingly, the researcher’s teardown shows that it also shipped with a catalogue of security failures and an undocumented microphone that can be activated over SSH.

(Image credit: telefoncek.si)

The NanoKVM’s network behavior raises further questions, as it routes DNS queries through Chinese servers by default and makes routine connections to Sipeed infrastructure to fetch updates and a closed-source binary component. The key verifying that component is stored in plain text on the device, and there is no integrity check for downloaded firmware.

The underlying Linux build is also a heavily pared-down image without common management tools, yet it includes tcpdump and aircrack, utilities normally associated with packet inspection and wireless testing rather than production hardware intended to sit on privileged networks.

All this, paired with the discovery of a tiny surface-mount microphone, should make any user suspicious of the device’s true intentions. The microphone is not documented in product materials, yet the operating system includes ALSA tools such as amixer and arecord that can activate it immediately. With default SSH credentials still present on many deployed units, the researcher demonstrated that audio could be recorded and exfiltrated with minimal effort, and streaming that audio in real time would require only modest additional scripting.

Get Tom’s Hardware’s best news and in-depth reviews, straight to your inbox.

Thankfully, because NanoKVM is nominally open source, community members have begun porting alternative Linux distributions, first on Debian and later Ubuntu. Reflashing requires opening the case and writing a new image to the internal microSD card, but early builds already support Sipeed’s modified KVM code. Physically removing the microphone is possible, though the component’s size and placement make it a fiddly job without magnification.

FollowTom’s Hardware on Google News, oradd us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.