August 8th, 2024

Security Researcher Warns on Sipeed's NanoKVM: "It's as Bad as IoT [Stuff] Comes"

A security researcher discovered serious vulnerabilities in Sipeed's NanoKVM firmware, prompting plans for a more secure version by mid-August 2024 and a port of PiKVM software to improve security.

A security researcher known as "lichtlos" has identified multiple vulnerabilities in the firmware of Sipeed's NanoKVM, a network-connected keyboard, video, and mouse control device. The researcher described the firmware as having serious security flaws, including hard-coded secrets, a lack of input validation, and configurations that grant root privileges to all operations. Sipeed's Caesar Wu acknowledged these issues, attributing them to a rapid development process and confirming that a more secure firmware version is expected to be released by mid-August 2024. The NanoKVM, which was launched in beta form, allows users to control devices remotely via a web interface but is currently not recommended for production use due to its security shortcomings. Plans are underway to port the PiKVM software, which is designed for Raspberry Pi, to the NanoKVM to address these vulnerabilities, although no specific timeline has been provided. The firmware is currently closed source, but users can access its components for analysis.

- Security researcher "lichtlos" found serious vulnerabilities in Sipeed's NanoKVM firmware.

- Issues include hard-coded secrets, lack of input validation, and root privilege configurations.

- Sipeed plans to release a more secure firmware version by mid-August 2024.

- The NanoKVM is not recommended for production use until security issues are resolved.

- A port of the PiKVM software is planned to enhance security features.