zlacker

[return to "How I discovered a hidden microphone on a Chinese NanoKVM"]
1. jlward+Cc 2025-12-06 15:41:18
>>ementa+(OP)
I recently discovered a similar concerning security issue with my KVM. In my case it was a pretty standard KVM for multiple machines to share a keyboard, mouse, and screen but also Ethernet. One day while looking at my home network I noticed the KVM had its own IP and was transferring GBs of data every day. I quickly blocked it from my network. But having used it for a number of months I worried that with screen capture and access to all my input devices, someone could have gotten access to pretty much everything I use. I wasn’t able to figure out if any data was actually being sent off my network and I really didn’t want to put myself at any more risk so I just threw it in an electronics recycling bin. Pretty scary what a network-connected KVM could maliciously do.
2. Coasta+Fh 2025-12-06 16:20:59
>>jlward+Cc
Is it possible for you to name the KVM model?

It sounds like a potential risk to the public.

3. jlward+RI 2025-12-06 19:59:32
>>Coasta+Fh
It is this one: https://www.amazon.com/dp/B0CP4PD3SM

I did post a review there citing my security concerns.

Honestly I didn't go further with the investigation because if someone really has all my data, I'm worried about retribution.

4. stragi+a11 2025-12-06 22:49:35
>>jlward+RI
Was the network port bridged to both PCs all the time (as the description makes it sound), or did only the "active" PC get a functioning network connection? Could you tell from the FDB of the upstream device if there were more than two MAC addresses active on the port? Did you (hopefully) open it up and make PCB pictures before chucking it?
5. simonc+N31 2025-12-06 23:11:57
>>stragi+a11
This picture from the list of product pictures [0] indicates that the thing acts as an Ethernet bridge. It probably exposes itself as a USB-C gigabit Ethernet device to the machine it's plugged into.

Page four of TFM [1] supports this theory.

Also, this functionality is called out in the product listing and in the manual. I'm over here laughing my ass off because OP got so frightened by this clearly-documented feature that they immediately threw the thing in the trash, rather than first investigating to see if the source of the network traffic was the machines plugged into the device.

[0] <https://m.media-amazon.com/images/I/71GglDmzCYL._SL1500_.jpg> (If this direct link fails, it's the image that has the header "A Stable Gigabit Ethernet Port".)

[1] <https://avaccess.com/wp-content/uploads/2024/01/UM-_-iDock-C...> (This is the "DOWNLOAD USER MANUAL" link in the Downloads subsection of the More Information section of [2])

[2] <https://www.avaccess.com/products/idock-c20-kvm-switch-docki...>

6. stragi+c61 2025-12-06 23:32:32
>>simonc+N31
The manual, as OP said, does not offer any explanation why the device might show up with an additional MAC/IP at the upstream switch port, and which services it might offer. OP sounds knowledgeable enough to be able to exclude the possibility that the additional MAC/IP could be from one of the PCs, e.g. when playing with VMs using an internal bridge in the hypervisor.

Maybe the device has a bigger "cousin" device that includes "control via APP", and this feature was not properly/fully disabled on this one.
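
Added example, not part of any post in this thread: one way to answer the FDB question raised in comments 4 and 6, by listing the MAC addresses learned on the KVM's switch port and subtracting the ones that belong to the attached PCs. It assumes the upstream device is a Linux bridge whose table is dumped with `bridge fdb show`; the port name `lan3` and all MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by iproute2's `bridge fdb show`.
# Port names and MAC addresses are made up for illustration.
SAMPLE_FDB = """\
02:00:00:aa:00:01 dev lan3 master br0
02:00:00:aa:00:02 dev lan3 master br0
02:00:00:cc:00:99 dev lan3 master br0
02:00:00:bb:00:10 dev lan1 master br0
33:33:00:00:00:01 dev lan3 self permanent
02:00:00:dd:00:01 dev lan3 vlan 1 master br0 permanent
"""

ENTRY = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) dev (?P<port>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)

def learned_macs(fdb_text):
    """Return {port: set of dynamically learned unicast MACs}."""
    ports = defaultdict(set)
    for line in fdb_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        flags = m.group("rest").split()
        if "permanent" in flags or "static" in flags:
            continue  # the switch's own or configured entries, not learned from traffic
        mac = m.group("mac").lower()
        if int(mac[:2], 16) & 1:
            continue  # group (multicast/broadcast) address, not a station
        ports[m.group("port")].add(mac)
    return dict(ports)

def unexpected_on_port(fdb_text, port, known_macs):
    """MACs learned on `port` that are not in the list of known PC MACs."""
    known = {m.lower() for m in known_macs}
    return sorted(learned_macs(fdb_text).get(port, set()) - known)

if __name__ == "__main__":
    pcs = ["02:00:00:AA:00:01", "02:00:00:aa:00:02"]  # the two PCs' NIC MACs (constructed)
    print(unexpected_on_port(SAMPLE_FDB, "lan3", pcs))
```

An extra address found this way is only a lead: as comment 6 notes, VMs on an internal bridge in a hypervisor on one of the PCs would also add MACs on the same port.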
