Edit 12/8/2025 5:25 pm PT: Adjusted article to reflect that the report was published in February.
In February, a Slovenian security researcher published an analysis of Sipeed’s NanoKVM that raised far-reaching concerns about the €30-€60 ($35-70) remote management device. Alarmingly, the researcher’s teardown showed the device shipped with a catalogue of security failures and an undocumented microphone that could be activated over SSH. After reporting the issues, many of those problems have been addressed over the intervening months.
The NanoKVM’s network behavior raised further questions, as it routed DNS queries through Chinese servers by default and made routine connections to Sipeed infrastructure to fetch updates and a closed-source binary component. The key verifying that component was stored in plain text on the device, and there was no integrity check for downloaded firmware.
The underlying Linux build was also a heavily pared-down image without common management tools, yet it included tcpdump and aircrack, utilities normally associated with packet inspection and wireless testing rather than production hardware intended to sit on privileged networks.
All this, paired with the discovery of a tiny surface-mount microphone, should make any user suspicious of the device’s true intentions. The researcher said the microphone is not documented in product materials, yet the operating system includes ALSA tools such as amixer and arecord that can activate it immediately. With default SSH credentials still present on many deployed units, the researcher demonstrated that audio could be recorded and exfiltrated with minimal effort, and streaming that audio in real time would require only modest additional scripting.
Thankfully, because NanoKVM is nominally open source, community members have begun porting alternative Linux distributions, first on Debian and later Ubuntu. Reflashing requires opening the case and writing a new image to the internal microSD card, but early builds already support Sipeed’s modified KVM code. Physically removing the microphone is possible, though the component’s size and placement make it a fiddly job without magnification. Sipeed has since addressed many of the security concerns around the device. However, the general consensus is that users should flash these devices to custom Linux distributions to mitigate potential issues, and many reviewers currently recommend Sipeed products for use in homelab environments.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.