February report from researcher found Chinese KVM had undocumented microphone and communicated with China-based servers, but many of the security issues are now addressed [Updated]

Edit 12/8/2025 5:25 pm PT: Adjusted article to reflect that the report was published in February.

In February, a Slovenian security researcher published an analysis of Sipeed’s NanoKVM that raised far-reaching concerns about the €30-€60 ($35-70) remote management device. Alarmingly, the researcher’s teardown showed the device shipped with a catalogue of security failures and an undocumented microphone that could be activated over SSH. After reporting the issues, many of those problems have been addressed over the intervening months.

The compact RISC-V board, which arrived on the market last year as a budget alternative to PiKVM, offers HDMI capture, USB HID emulation, remote power control, and browser-based access to a connected PC. It is beginning to show up in IT environments precisely because it requires no software on the target machine and can operate from BIOS to OS install.

The researcher says the device’s software stack exposes weak points from the moment it boots. Early units arrived with a pre-set password and open SSH access, a problem the researcher reported to Sipeed and which the company later corrected. The web interface still lacks basic protections, including CSRF defence and any mechanism to invalidate active sessions.

More troubling, the encryption key used to protect login passwords in the browser is hardcoded and identical across all devices. According to the researcher, this had to be explained to the developers “multiple times” before they acknowledged the issue.

The NanoKVM’s network behavior raised further questions, as it routed DNS queries through Chinese servers by default and made routine connections to Sipeed infrastructure to fetch updates and a closed-source binary component. The key verifying that component was stored in plain text on the device, and there was no integrity check for downloaded firmware.

The underlying Linux build was also a heavily pared-down image without common management tools, yet it included tcpdump and aircrack, utilities normally associated with packet inspection and wireless testing rather than production hardware intended to sit on privileged networks.

All this, paired with the discovery of a tiny surface-mount microphone, should make any user suspicious of the device’s true intentions. The researcher said the microphone is not documented in product materials, yet the operating system includes ALSA tools such as amixer and arecord that can activate it immediately. With default SSH credentials still present on many deployed units, the researcher demonstrated that audio could be recorded and exfiltrated with minimal effort, and streaming that audio in real time would require only modest additional scripting.

Thankfully, because NanoKVM is nominally open source, community members have begun porting alternative Linux distributions, first on Debian and later Ubuntu. Reflashing requires opening the case and writing a new image to the internal microSD card, but early builds already support Sipeed’s modified KVM code. Physically removing the microphone is possible, though the component’s size and placement make it a fiddly job without magnification. Sipeed has since addressed many of the security concerns around the device. However, the general consensus is that users should flash these devices to custom Linux distributions to mitigate potential issues, and many reviewers currently recommend Sipeed products for use in homelab environments.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.