Increasingly popular consumer-grade IP KVM (keyboard, video, mouse) devices are a security nightmare, researchers from Eclypsium said on Tuesday.

Reynaldo Vasquez Garcia and Paul Asadoorian reported finding a total of nine vulnerabilities across devices from four different vendors. One rates as a CVSS 9.8, another comes in at 8.8, and neither has been fixed.

The vendor Angeet/Yeeso, responsible for those flaws, had not committed to fixing them at the time of public disclosure.

The price of cheap

Rack-mounted, multi-port, and quite expensive KVM-over-IP has been around for years, offering the next best thing to actually sitting in front of a machine for purposes up to and including messing with BIOS settings.

Single-port KVMs are a newer phenomenon, with prices as low as $30, appealing to "homelabbers, small IT shops, MSPs," said the researchers, as well as increasingly "enterprises seeking per-machine out-of-band access."

Per-machine KVMs are sometimes used for branch offices or edge computing to run dedicated VMs for local services without central orchestration, offering isolation and flexibility on modest hardware.

Under the hood these KVMs have several hallmarks of terrible security engineering, said Eclypsium: "missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces."
