zlacker

To be fair, the microphone _is_ listed on the specsheet of the LicheeRV Nano

https://wiki.sipeed.com/hardware/en/lichee/RV_Nano/1_intro.h...

I assume they didn't intend to put a mic on the KVM product, but they wanted to make a KVM product, already had this SBC product, which reusing their existing stock of helped keep cost low.

Should they have been more up front about it it? Sure, and it's not great that they had a bunch of security issues in the FW anyway, so not exactly great, but "hidden microphone in a Chinese KVM" lets the mind wander

>>tayior+(OP)
It doesn't strike me as that useful to have a hidden microphone in a KVM product as most of the time, they're going to be stuck in server rooms with just lots of fan noise to record.

Far more of an issue would be any kind of keylogger built into the software, which is why it's best to go for devices that support open source software.

>>ndsipa+B6
It is possible to keylog via audio.

https://ieeexplore.ieee.org/abstract/document/10190721

>>i_am_p+c7
But the point of a device like this is that you (and your keyboard) are NOT physically present.

>>ndsipa+B6
just fan noise?

https://arxiv.org/abs/1606.05915

Any signal that you can modulate can be an exfiltration channel, and fan noise is no different.

>>i_am_p+c7
A long time ago (maybe in the mid-90s) I knew an elderly radio amateur who could not just "copy" CW by ear, but also RTTY. He could also pretty much tell what a teleprinter was printing just by listening to the noises it made, like he'd be facing away from it on the other side of the room reading out entire words from what was coming through.

Apparently in the 50s when he did his National Service he'd been in the Signals but "not in the regiment that's on his papers", make of that what you will.

I have noticed that with PSK modes and particularly PSK31 you can hear "CQ CQ CQ" as a distinctive pattern much in the same way as it is with CW.

IBM spent a fortune developing ATM keypads that - when correctly mounted - had keys that made the exact same noise no matter how you pressed them or how worn they were.

So I don't doubt that someone suitably clever could extract audio from a room and work out what was being typed.

>>Errone+D9
Do you have a pointer to learn more about the ATM keyboards? I would love to learn more about it

>>Y_Y+T8
I wonder if that's feasible in a room filled with many servers and fans going?

>>f1shy+Da
Maybe. They were necessarily very cagey about it back then, but I might have some documentation kicking about in storage. I tended to keep copies of every service manual I could get my hands on back then.

>>tayior+(OP)
The Chinese part makes one think the Chinese could access the microphone.

Nevermind that, if they could access the device, they'd also be able to read your kvm i/o.

>>parine+Ig
You might be right but I think we cannot assume malice when it could be laziness. It might be that the exact same board has multiple target audiences and they just rebrand it for different purposes with different pricing.

That said, the microphone is so weirdly positioned that it gets suspicious indeed.

>>ndsipa+hc
Yes, just modulate the fan noise on the transmitter, and apply a filter on the receiver.

>>i_am_p+c7
It would take an especially perverse mind to keylog using audio on a KVM, though. The KVM basically has access to everything, any secondary spying using a microphone or a camera would provide very little added value.

>>motbus+vh
> I think we cannot assume malice when it could be laziness

Why can't it be both?

>>motbus+vh
>That said, the microphone is so weirdly positioned that it gets suspicious indeed.

How is it weirdly positioned? To me it seems there is rather few options for such small board.

>>seszet+Sh
Maybe it's for the super secret stuff that the datacenter emergency ops worker knows not to type through the KVM? ;-)

>>parine+Ig
And rather than "the Chinese", how about "anyone robo-dialling some SSH connections"?

>>Y_Y+T8
> Any signal that you can modulate can be an exfiltration channel, and fan noise is no different.

This KVM has HDMI input and can directly emulate USB mass storage; fan-modulation is the lowest-bandwidth (side-)channel available to the attackers.

>>tayior+(OP)
"hidden microphone in a Chinese KVM" is the correct way to describe what is going on.

"Reusing existing stock" is not a valid excuse. They are currently selling this device without advertising that it contains a working microphone.

>>Rygian+Lv
A working microphone and recording software and hacking tools like aircrack-ng on an otherwise stripped-down OS image...

>>motbus+vh
> I think we cannot assume malice when it could be laziness

If you are too lazy to go back and check if you left the gas on, you bear responsibility if the place explodes.

At the very least, it's negligent to leave something like that in and not be very upfront about it.

>>tayior+(OP)
Given it's history I suspect there is nothing malicious going on here, just a Chinesium approach to building something. Security isn't documented so it's made of tissue paper.

>>inetkn+Mi
Perception of laziness with an option for later maliciousness and somewhat plausible deniability.

>>overfe+Iv
You can exfiltrate data from a machine which is not connected to the KVM. A high-security machine may be even air-gapped most of the time, but be physically nearby.

>>ndsipa+B6
The KVM just uses a devboard that's also sold separately and just happens to have a microphone, given how cheap the mics are having one extra SKU would probably just cost them more than savings.

Also I wouldn't really consider it "server room" product. Pretty much any new server has KVM, this is more "a hobbyist needing KVM for their home server"

>>parine+Ig
Microphones and LEDs have been used famously for side channel attacks and also to circumvent air gaps. From a Least Power point of view this is troubling.

>>ndsipa+B6
Ultrawideband never caught on because it turns out that the speed of light and sound in air is frequency dependent, so you have to know the distance to the target pretty accurately and then skew the signal to send or receive. (Imagine a phased array antenna but also with a frequency domain to work out as well).

But that doesn’t mean you can’t make it function in a loud server room. The whole point of it is working in and around noise.

>>BenjiW+28
They mean the K in KVM could trivially have a keylogger. For the computers attached to that KVM. Audio is for logging for computers not attached to the device in question. Which could be up to and including a whole server room save a couple machines.

>>nine_k+XA
I don’t think too many of these devices will end up in server rooms as opposed to home labs. And the ones that do end up in a datacenter are very unlikely to be allowed to ever reach the internet.

If the microphone was used for exfiltrating data, it would work against random targets that happened to let the KVM connect to the internet, and who have a nearby machine infected with some malware. That kind of non-targeted attack can be damaging but is semi-useless to the attacker.

>>f1shy+Da
One really-cool way to solve that problem is to embed a 7-segment LED under each keycap. You walk up to the keypad and the 0-9 digits appear in random order. No one can shoulder-surf, look for wear or IR emission from the buttons, or train on the click sounds.

Dell had those on every lab door in the building back in the early 90s. You felt like 007 every time you punched in your access code. I've never seen them anywhere since.

>>Camper+KJ
And now days I can't put in my card's pin without 10 overhead cameras aimed at the register area. All the cameras of which are network-connected, video stored persistently, and high res/fidelity enough to here the little beeps as I press the keys, and to know that I've hit the enter because the screen indicates it immediately. But then Dell cared about its own security, and the grocery store doesn't give a single shit about whether my life is ruined by identity theft.

>>runjak+Rh
Doesn't being able to modulate the fan presume you already control the target device?

>>mintpl+yw
Vendor BSPs are horrible, it would not surprise me if tools like that were included with it.

I used one that included everything in C:\Users\<actual dev's name>\Desktop in it.