Security Researcher Warns on Sipeed's NanoKVM, Finds Vulnerabilities — and a Cat — in the Firmware

"It's as bad as IoT [stuff] comes," security researcher lichtlos warns us of Sipeed's beta-status firmware for the IP KVM gadget.

UPDATE (8/7/2024): Sipeed's Caesar Wu has confirmed a report from a pseudonymous security researcher who found numerous security issues in the NanoKVM firmware, stating that the problems, including hard-coded secrets, are the result of a development process focused on speed — and that a more secure version will, hopefully, be released by the end of the month.

"We have sent out [a] few hundreds of NanoKVMs in China," Wu tells us, "and get dozens [of] bugs/suggestions feedback, so we are busy fixing bugs last month and delay[ed] the shipping of foreign orders. We will release [the] first stable FW [firmware] before 8.15, and will [be] looking into secur[ity] problems then."

Wu also admits to issues with the plan to port PiKVM to the platform, as an alternative to Sipeed's own firmware. "PiKVM [is] working now," he tells us, "but [has a] huge delay (~1,000ms). PiKVM may not suit for this small chip, [but] we will add PiKVM in [the] FW as an option."

The original article continues below.

Pseudonymous security researcher "lichtlos" has reached out with an initial analysis of the firmware for Sipeed's NanoKVM network-connected keyboard, video, and mouse control system — and warns of a range of vulnerabilities in its design.

"It's as bad as IoT [Internet of Things] [stuff] comes," lichtlos tells us via email of what appear to be serious security failings in Sipeed's firmware for the device. "Doesn't help that it's written in Go. I hope they soon finish their PiKVM port."

Sipeed unveiled the NanoKVM back in July, promising a pocket-size device for controlling a computer from your browser by streaming from its HDMI input and allowing for remote control via USB keyboard and mouse emulation. Powered by a Sophgo SG2002 RISC-V system-on-chip, the gadget went up for sale in beta form for $22 in the "Lite" variant or $43 for the full version — but lichtlos warns the firmware is very much not ready for prime-time use.

"Until the PiKVM software is ported, the current firmware is closed source," lichtlos explains. "But if you download the latest release […] you can easily take a look at it yourself. The main IP KVM application is closed source as of now, but if you extract the release you can mount the fs [filesystem]."

Investigating the firmware, lichtlos found a Go-based project that uses a range of third-party components, including the Gin web framework and the logrus logging package. Sadly, the researcher also discovered a range of security vulnerabilities: hard-coded, world-readable secrets that were supposed to protect JSON Web Token (JWT) parsing and firmware updating; a configuration in which everything on the device runs with root privileges; and no input validation for over-the-air firmware updates. Also, a JPEG of a cat in the /bin directory.

Plans are already afoot to port PiKVM, a third-party IP KVM project designed for use with a Raspberry Pi single-board computer, to the NanoKVM hardware, which would resolve the issues revealed in lichtlos' analysis, but no timescale has been publicly announced. Sipeed has been approached for comment on lichtlos' findings.

More information is available on lichtlos' blog, while updates will be available on their Mastodon account.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.