Cheap devices from China may come with hidden sensors and hacking tools

Cheap devices for remotely managing hardware can themselves pose a significant security risk. Dr. Matej Kovačič, a security researcher from Slovenia, found that a popular NanoKVM contained a hidden microphone, together with hacking tools and dangerous exploits that would make exploitation trivial.
KVM (keyboard, video, and mouse) devices offer a convenient way to remotely manage a server. They plug directly into computers, emulate input devices, and stream video of the screen to the remote operator, providing nearly complete access, including access to the BIOS.
This level of access, however, is also a huge attack vector that attackers have already exploited to compromise servers undetected. Cybernews has previously reported that KVMs have weaker security than the systems they control.
However, it seems that some KVM devices may have come compromised out of the box. Tom’s Hardware covered Kovačič’s analysis, published in February, of a hardware KVM switch from the Chinese company Sipeed, which contained many hidden secrets.
While many bugs may have been ironed out by now, the report highlights the dangers of KVM devices, which can be acquired for just $35-70.
“Rushed development often leads to stupid mistakes. But some of the security flaws I discovered in my quick (and by no means exhaustive) review are genuinely concerning,” the researcher said in a report.
Hidden undocumented microphone
The researcher disassembled Sipeed’s KVM device and discovered a tiny built-in microphone, hidden under the large connector.
“You’d need a microscope or magnifying glass to properly desolder it,” the researcher noted.
Despite its small 2 x 1 mm size, the device was “capable of recording surprisingly high-quality audio.”
Sipeed now lists “Audio Transmission” as a feature of its devices.
The researcher also detailed many critical security flaws and hacking tools present on the device that attackers could easily exploit.
The device initially had SSH access enabled, with the default password. The manufacturer fixed this relatively quickly after disclosure, the researcher noted.
The encryption key, supposed to protect passwords during browser login, was hardcoded and identical across all devices, allowing attackers to easily decrypt passwords. The user interface lacked CSRF (Cross-Site Request Forgery) protection and had no mechanism to invalidate sessions.
The device relied on Chinese DNS servers, and it was “quite complicated” to change DNS settings. It constantly communicated with Sipeed’s servers, downloading updates and closed source components.
Even worse, it was shipped with tcpdump and aircrack, hacking tools used for network packet analysis and wireless security testing. The researcher stated that they have “absolutely no place on a production version of the device.”
“All the necessary recording tools are already installed on the device!” the report reads.
“With a little extra effort, it would even be possible to stream the audio over a network, allowing an attacker to eavesdrop in real time.”
Tom’s Hardware notes that, due to the device’s open-source nature, admins often rely on reflashing such devices to alternative Linux distributions, and that out-of-the-box software should not be trusted. Sipeed has likely addressed many of the mentioned issues, but the problem of IoT security is broader.
“How many similar devices with hidden functionalities might be lurking in your home, just waiting to be discovered? And not just those of Chinese origin. Are you absolutely sure none of them have built-in miniature microphones or cameras?” Kovačič concluded.