this post was submitted on 06 Dec 2025
236 points (91.0% liked)

Technology

78393 readers
4787 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
236
How I discovered a hidden microphone on a Chinese NanoKVM (telefoncek.si)
submitted 1 month ago by doopinglouie@feddit.org to c/technology@lemmy.world
46 comments fedilink hide all child comments
all 47 comments
sorted by: hot top controversial new old
[–] NuXCOM_90Percent@lemmy.zip 109 points 1 month ago (1 children)

Apalrd has done some great "popular computer science" videos on the various remote KVM devices that is well worth looking up. One of them specifically goes into the ridiculously sketchy methods that are used to fetch and execute unsigned code in random buckets to handle firmware updates.

But as for the mic? Honestly, if you open up a LOT of consumer devices you are going to find random microphones. Not because they are all secretly spying on you. But because they use "off the shelf" chips and boards that already have those embedded. Especially since microphones and speakers are kind of the same hardware in most cases and we ALL love a good beep.

I 100% agree the software stack shouldn't be on there. But, as the blog post points out, there is a LOT of developmental code and packages in that image that shouldn't be. It is likely just a case of not removing unnecessary packages from the base image.

Because... the entire point of a device like this is that you plug it in somewhere you aren't. MAYBE JetKVM corp can hear me muttering profanity or wondering where I left that USB c splitter when I am trying to assemble it the first time. The rest of the time? It is plugged into the back of a server that I am booting up so that I can install proxmox without having to drag a monitor over. And while you can potentially get some juicy info out of that? It is not at all worth the hassle to set up fake companies and market a fake (moderately high demand in the right circles) device.

[–] BCOVertigo@lemmy.world 80 points 1 month ago* (last edited 1 month ago) (1 children)

Yeah you 100% have the right of this. Not a secret at all and very clearly documented on their github.

https://github.com/sipeed/NanoKVM

https://github.com/sipeed/sipeed_wiki/blob/main/docs/hardware/en/lichee/RV_Nano/1_intro.md

[–] MonkderVierte@lemmy.zip 4 points 1 month ago (2 children)

Two-core (1 GHz / 750MHz) Risc-V with 265 MB RAM for a development board?

[–] planish@sh.itjust.works 4 points 1 month ago

You don't do the development on the board.

[–] kbobabob@lemmy.dbzer0.com 3 points 1 month ago (1 children)

Note: Out of the 256MB memory in SG2002, 158MB is currently allocated for the multimedia subsystem, which NanoKVM will use for video image acquisition and processing.

[–] ArsonButCute@lemmy.dbzer0.com 3 points 1 month ago

Oh wow 256 MB, that's so much more than I'm used to working with!

[–] paraphrand@lemmy.world 57 points 1 month ago* (last edited 1 month ago) (4 children)

To summarize: the device is riddled with security flaws, originally shipped with default passwords, communicates with servers in China, comes preinstalled with hacking tools, and even includes a built-in microphone - fully equipped for recording audio - without clear mention of it in the documentation. Could it get any worse?

I am pretty sure these issues stem from extreme negligence and rushed development rather than malicious intent. However, that doesn’t make them any less concerning.

Slop everywhere. As far as the eye can see.

[–] BanMe@lemmy.world 12 points 1 month ago

Nest's security system shipped with an undocumented microphone they activated later, sadly this isn't totally limited to Chinese crap.

[–] Natanael@infosec.pub 2 points 1 month ago

Is it a mobile SoC?

[–] Auli@lemmy.ca 2 points 1 month ago

They have fixed most of the security flaws.

[–] isVeryLoud@lemmy.ca 1 points 1 month ago

Yeah the author clearly searched and replaced all the em dashes with hyphens, yet still used an ellipsis character. Certified slop.

[–] GreenKnight23@lemmy.world 38 points 1 month ago (3 children)

I had several IOT smart plugs that have GPS built in.

why? why would it need to know its exact geographic location?!

after that I created an entire hardware segmented network that's specifically used for IOT and cameras.

last I checked the router/firewall it's on has blocked over 11million requests a month trying to access the outside.

I will never have a "smart" device in my home that's connected to the internet. I'll live like it's the 1930s if I ever have to.

[–] phoenixz@lemmy.ca 25 points 1 month ago (1 children)

Likely because the manufacturer used of off the shelf hardware that just happened to have GPS built in? That's just how these things go, it's easier to just use pre designed hardware for what you need, even if it has functionalities you won't use.

Hell, I'd argue that the vast majority of computer hardware out there isn't using half of the features that it has.

Just because features are there doesn't mean they're used, and definitely doesn't automatically mean that there are evil or nefarious intentions with its design

[–] BCOVertigo@lemmy.world 11 points 1 month ago* (last edited 1 month ago)

I agree with you in principle but that doesn't really help us much when poorly wrought digital devices get compromised en masse. I can say "Mirai" and way too much of the population knows that it's an IoT botnet.

Those default passwords and superfluous software packages are cut corners, and directly translate to risk in your own home. Maybe you don't feel that 2025 has been enough years of neglect to start calling it malfeasance , but if they're tired of shit breaking and getting hacked and losing support I can definitely see the point of keeping more analog devices to minimize those risks.

Opportunity makes the thief, right?

[–] Nighed@feddit.uk 23 points 1 month ago

GPS is a great way to get an accurate time.

[–] Auli@lemmy.ca 1 points 1 month ago

I've done the same but that request number is BS. Of course it keeps retrying cause it couldn't get an answer. It does not mean if it could connect it would connect 21 million times.

[–] phoenixz@lemmy.ca 29 points 1 month ago (2 children)

How I discovered a microphone by reading the he documentation on GitHub?

[–] cyberpunk007@lemmy.ca 6 points 1 month ago* (last edited 1 month ago) (1 children)

Is that a question or a statement?

[–] phoenixz@lemmy.ca 2 points 1 month ago

It's the headline rewritten for reality

[–] beerclue@lemmy.world 19 points 1 month ago (1 children)

I mean, I wouldn't call tcpdump a "hacking tool"..

[–] ripcord@lemmy.world 14 points 1 month ago (1 children)

I have this hacking tool called "passwd" which is useful for hacking. Also one called "Linux"

[–] MonkderVierte@lemmy.zip 5 points 1 month ago

Also the hackers pro-tools: cat, strings, less, hxd, text-editor.

[–] BlackEco@lemmy.blackeco.com 13 points 1 month ago (5 children)

FFS... I'm never going to buy anything hyped by LTT before doing more thorough research on it.

[–] ImgurRefugee114@reddthat.com 28 points 1 month ago (1 children)

Obviously never rely on a single source before buying something, but this isn't news. See the other dude's comment https://lemmy.world/comment/20879776

[–] Appoxo@lemmy.dbzer0.com 0 points 1 month ago

Literally what LTT itself preaches...

[–] moonshadow@slrpnk.net 13 points 1 month ago

Paid hype is a red flag imo

[–] myfunnyaccountname@lemmy.zip 11 points 1 month ago (2 children)

Well it’s LTT. They would sell shit in a box for the right price.

[–] planish@sh.itjust.works 1 points 1 month ago

Mostly so they could say they did.

[–] kbobabob@lemmy.dbzer0.com 1 points 1 month ago (1 children)

Are you saying the products they sell are shit?

[–] myfunnyaccountname@lemmy.zip 2 points 1 month ago

Not all. But they are a marketing company more than anything at this point. They would push anything for the right price.

[–] paraphrand@lemmy.world 2 points 1 month ago

Their reviewers are always so flippant and trying to be cool and casual about it all. I don’t know how anyone can take them seriously.

[–] NuXCOM_90Percent@lemmy.zip -5 points 1 month ago (1 children)

Yeah. Believe it or not but the sex pest who actively didn't warn his contemporaries about the impact of the honey plugin and who now advertises on kiwi farms might be kind of a piece of shit who will say anything for a buck?

And now for a word from d-brand!

[–] Auli@lemmy.ca 1 points 1 month ago

Oh come on this honey thing is so over blown. Honey was known to be bad even then but I guess no one made a YouTube video about it and people can't read anymore.

[–] MonkderVierte@lemmy.zip 9 points 1 month ago* (last edited 1 month ago) (1 children)

and runs a heavily stripped-down version of Linux that lacks systemd and apt.

Ok, that's a plus in my book. Probably Alpine (often used in containers) or something.

Edit: cut the first question into another one, since this one here likely derails into a System discussion.

[–] nomidor@lemmy.zip 2 points 1 month ago (2 children)

On a side note, why do you dislike systemd and apt? I just stumbled into Linux and didn't much consider such questions yet

[–] MonkderVierte@lemmy.zip 2 points 1 month ago* (last edited 1 month ago) (1 children)

Scope creep and not-invented-here syndrome; replaces a lot of unix/gnu tooling/specifications with poorer ones, while shitting on some that made *nix great. Which is why your distro is either Systemd or not, and not-Systemd distros still need wrappers and shims, because Systemd also enforces some things in apps.

Then there was only hackjob SysV scripts or Systemd, so it's understandable that most big distros switched to it but now there's s6, runit, Dinit and you need to create a extra distro for them for above reasons. I'm using Artix btw.

[–] krooklochurm@lemmy.ca 0 points 1 month ago

What's runit

[–] HiTekRedNek@lemmy.world 1 points 1 month ago

Can't speak to him, but I have used unix-like software since the 1990s.

The entire UNIX philosophy boils down to one simple fact. Everything is a file.

This makes maintenance a breeze as no special tools are needed.

You don't need to install anything to read log files.

You can pull a hard drive from a dead system, and just read all the logs.

Most of systemd is just a solution in search of a problem.

[–] Krudler@lemmy.world 8 points 1 month ago (2 children)

Guys I discovered a hidden microphone in my headphones speaker!!!

[–] FauxLiving@lemmy.world 4 points 1 month ago

And poorly designed software in my… everything

[–] sem@lemmy.blahaj.zone 1 points 1 month ago

Spies hate him

[–] Retro_unlimited@lemmy.world 6 points 1 month ago (1 children)

I was really sketched out with my BLI-KVM. I had a server that was off, when I booted it the bios was in Chinese. Although someone did say that motherboard had a flaw that would do that, I wasn’t Sure if it was the KVM or the motherboard, but still…

[–] Auli@lemmy.ca 2 points 1 month ago (1 children)

No critical thinking I guess. How the hell would a KVM flash your BIOS or more likely UEFI.

[–] planish@sh.itjust.works 1 points 1 month ago

It could probably change the language selector.

If I'm an elite hacker spy who works for the hacker spy division of the Chinese army, am I going to change the system language of the thing I am hacking to Chinese and forget to change it back?

[–] MonkderVierte@lemmy.zip 4 points 1 month ago* (last edited 1 month ago)

(though JavaScript JIT must be enabled)

How did they manage this? Is there a JS command to check that?

I disabled JIT/ion in my FF profiles, because js got so complex that it only speeds up the heavy webapps i avoid and has huge security concerns otherwise.