Edit 12/8/2025 5:25 pm PT: Adjusted article to reflect that the report was published in February.
In February, a Slovenian security researcher published an analysis of Sipeed’s NanoKVM that raised far-reaching concerns about the €30-€60 ($35-70) remote management device. Alarmingly, the researcher’s teardown showed the device shipped with a catalogue of security failures and an undocumented microphone that could be activated over SSH. After reporting the issues, many of those problems have been addressed over the intervening months.
The compact RISC-V board, which arrived on the market last year as a budget alternative to PiKVM, offers HDMI capture, USB HID emulation, remote power control, and browser-based access to a connected PC. It is beginning to show up in IT environments precisely because it requires no software on the target machine and can operate from BIOS to OS install.
The researcher says the device’s software stack exposes weak points from the moment it boots. Early units arrived with a pre-set password and open SSH access, a problem the researcher reported to Sipeed and which the company later corrected. The web interface still lacks basic protections, including CSRF defence and any mechanism to invalidate active sessions.
More troubling, the encryption key used to protect login passwords in the browser is hardcoded and identical across all devices. According to the researcher, this had to be explained to the developers “multiple times” before they acknowledged the issue.
(Image credit: telefoncek.si)
The NanoKVM’s network behavior raised further questions, as it routed DNS queries through Chinese servers by default and made routine connections to Sipeed infrastructure to fetch updates and a closed-source binary component. The key verifying that component was stored in plain text on the device, and there was no integrity check for downloaded firmware.
The underlying Linux build was also a heavily pared-down image without common management tools, yet it included tcpdump and aircrack, utilities normally associated with packet inspection and wireless testing rather than production hardware intended to sit on privileged networks.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
All this, paired with the discovery of a tiny surface-mount microphone, should make any user suspicious of the device’s true intentions. The researcher said the microphone is not documented in product materials, yet the operating system includes ALSA tools such as amixer and arecord that can activate it immediately. With default SSH credentials still present on many deployed units, the researcher demonstrated that audio could be recorded and exfiltrated with minimal effort, and streaming that audio in real time would require only modest additional scripting.
... continue reading