Welcome to the dumpster fire of IoT security! Today I'm taking a look at the Sipeed NanoKVM, a solution for remote control of a computer over a network. It does a lot of things you'd expect from a device in this class, something like a PiKVM or JetKVM, except it does all of it with no regard to data security best practices. Come along on this adventure!
GitHub issues covering further huge security holes that I didn't even get to in the video, and note that none of them are resolved:
- NanoKVM acts as a router (sysctl enables IP forwarding): https://github.com/sipeed/NanoKVM/issues/197
- SSH is enabled with root:root (this is only changed *after* you log in and set a new password, so it is still exposed even on the latest firmware image): https://github.com/sipeed/NanoKVM/issues/198
- NanoKVM bundles an outdated (and Sipeed-hosted) version of Tailscale: https://github.com/sipeed/NanoKVM/issues/192
- NanoKVM presents itself as an InternetGatewayDevice, but isn't one: https://github.com/sipeed/NanoKVM/issues/294
- Setup fails on networks where China is geo-blocked: https://github.com/sipeed/NanoKVM/issues/289
- NanoKVM does not support MFA (really, this is the least of your problems): https://github.com/sipeed/NanoKVM/issues/295
- tcpdump and aircrack are installed (aircrack is extremely useful for nefarious Wi-Fi things and has no use on a KVM): https://github.com/sipeed/NanoKVM/issues/248
- DNS servers are (re)set on every boot (even if you fix the 8.8.8.8 entry, it still reverts it 'for' you): https://github.com/sipeed/NanoKVM/issues/245
- Some security issues (the catch-all that I mentioned): https://github.com/sipeed/NanoKVM/issues/270
-- The default password (admin/admin) is weak, and you are not forced to change it. The same goes for the SSH account (root/root). It will now prompt you to change them, but this is not enforced.
-- Passwords are protected with absolutely raw-dogged AES and a 'secret' key that is just a string hardcoded into the TypeScript
-- No CSRF protection at all
-- The auth token is long-lived instead of using a refresh mechanism
-- User sessions cannot be invalidated
-- Downloads a .so from Sipeed after sending the device's serial number
-- The downloaded .so (and updates) are not integrity-checked; it relies entirely on TLS
-- The device uses custom DNS servers and you can't change them
Other products which I suggest you buy instead of this:
JetKVM - https://youtu.be/KXW9jcUI7ZE
All my KVM Reviews - https://www.youtube.com/playlist?list=PLZcFwaChdgSrmpIzDP0_bOx9Hd7MEWuQt
Buy one on Taobao: https://item.taobao.com/item.htm?id=811206560480
Buy one on Aliexpress: https://www.aliexpress.com/item/1005007369816019.html
As of the release of this video, the product cannot be sold in the US and Russia. I have been told that this is due to FCC compliance in the US, and Aliexpress.us indicates it can ship starting at the end of Feb 2025.
Support me on Ko-Fi if you enjoy my content and find it useful: https://ko-fi.com/apalrd
Feel free to chat about my upcoming projects on Discord! https://discord.gg/xJsaEukAr4
Follow me on Mastodon: https://hachyderm.io/@apalrd
Timestamps:
00:00 - Intro
01:02 - Unboxing
06:12 - Lite Testing
17:06 - Reverse Engineering
20:12 - Auth Function
28:25 - Linux
32:46 - PCIe Version
34:10 - Passwords
39:25 - Firmware Update
42:26 - 'USB' Dongle
44:49 - Display
45:38 - Thoughts