**Hidden Microphone Found in Chinese NanoKVM Device**
The discovery of a hidden microphone in the Chinese-made NanoKVM device has left many questioning the true intentions behind its design.
NanoKVM is a hardware KVM switch developed by Sipeed, a Chinese company that released the device last year. The device allows remote control and management of computers or servers using a virtual keyboard, mouse, and monitor. Its compact size, low price, and open-source code made it an attractive option for many users.
However, during a security audit, I discovered several alarming flaws in the device's design and functionality. The user interface lacked CSRF protection and session invalidation, and the password encryption key was hardcoded and identical across all devices, which allowed an attacker to easily decrypt passwords.
The device also relied on Chinese DNS servers and communicated with Sipeed's servers in China, downloading updates and software components without verifying their integrity. Furthermore, the presence of tcpdump and aircrack tools, commonly used for network packet analysis and wireless security testing, raised concerns about the device's potential use as a hacking tool.
The most alarming discovery, however, was the presence of a tiny built-in microphone measuring just 2 x 1 mm. The microphone was capable of recording high-quality audio and had all the necessary recording tools pre-installed on the device. This meant that an attacker could potentially eavesdrop in real-time using the amixer and arecord tools.
Physically removing the microphone is possible, but it's not straightforward due to its tiny size and the complexity of disassembling the device. The manufacturer's documentation failed to mention the presence of a built-in microphone, adding to the concern about the device's security and potential use as a surveillance tool.
The findings raise questions about the true intentions behind the design of the NanoKVM device. Was it simply an oversight or negligence on the part of the developers? Or was there something more sinister at play?
One thing is certain, however: users should exercise extreme caution when using devices with built-in microphones and cameras, regardless of their origin. The discovery of a hidden microphone in the NanoKVM device serves as a reminder to always inspect devices thoroughly before use.
**Potential Workarounds and Future Developments**
Despite the security concerns surrounding the NanoKVM device, users can still install custom software on it. One user has already begun porting his own Linux distribution, starting with Debian and later switching to Ubuntu. This work could soon lead to official Ubuntu Linux support for the device.
To address the issue of the built-in microphone, users can physically remove it, or connect a speaker to turn the device into a tiny music player. This raises an interesting question: how many similar devices with hidden functionality might be lurking in our homes, just waiting to be discovered?
**Example Code for Recording Audio on NanoKVM**
If you want to test the built-in microphone yourself, simply connect to the device via SSH and run the following two commands:
```
sudo amixer sset 'Capture' cap 0
arecord -D default -f cd -t wav test.wav
```
Speak or sing near the device, then press Ctrl + C to stop recording. Copy the test.wav file to your computer and listen to the recording.
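To go beyond a single recording test, the following added example (not from the original article or from Sipeed) inventories what the audit above flags: capture-capable ALSA devices, the pre-installed recording and sniffing tools, and the configured DNS resolvers. The function names are hypothetical, and the searched directories and the `/proc/asound/pcm` layout are assumptions about a standard Linux/ALSA system.

```shell
#!/bin/sh
# Added example: audit a Linux root (live device, or a mounted firmware image)
# for the items flagged in the article. Helper names are hypothetical.

# Print ALSA PCM entries under <root> that support capture (a microphone path).
list_capture_pcms() {
    pcm="$1/proc/asound/pcm"
    [ -r "$pcm" ] || return 0          # no ALSA sound card registered
    grep 'capture [0-9]' "$pcm" || true
}

# Print the path of every named tool found in the usual binary directories.
find_tools() {
    root="$1"; shift
    for tool in "$@"; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            # -L also catches busybox-style symlinks that dangle inside an image
            if [ -e "$root/$dir/$tool" ] || [ -L "$root/$dir/$tool" ]; then
                echo "/$dir/$tool"
            fi
        done
    done
}

# Print the resolver addresses the system is configured to use.
list_nameservers() {
    conf="$1/etc/resolv.conf"
    [ -r "$conf" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$conf"
}

audit() {
    root="${1:-}"                      # empty = audit the running system
    echo "== capture-capable PCM devices =="
    list_capture_pcms "$root"
    echo "== recording / sniffing tools present =="
    find_tools "$root" arecord amixer tcpdump aircrack-ng
    echo "== configured DNS resolvers =="
    list_nameservers "$root"
}

audit "${1:-}"
```

Run it on the device over SSH with no argument, or pass the mount point of an extracted firmware image. On a mounted image `/proc` is empty, so only the tool and resolver checks apply there.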
**Conclusion**
The discovery of a hidden microphone in the NanoKVM device highlights the importance of security auditing and due diligence when purchasing devices with remote access capabilities. While the manufacturer's negligence may be unintentional, it raises concerns about the true intentions behind the design of such devices.