Detecting IP KVMs, (Tue, Mar 24th)

I have written about how to use IP KVMs securely , and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities. But there is another issue I haven't mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent to them by their employers. The laptops were located in the US, and the North Korean workers used IP KVMs to remotely connect to them. IP KVMs could also be used to access office PCs, either to enable undetected work from home or by threat actors who use them to gain remote access after installing the device on site. IP KVMs usually connect to the system in two ways: USB for keyboard/mouse HDMI for the monitor connection (some older variants may also use VGA) For my testing, I used two different IP KVMs. A PiKVM and a NanoKVM (Sipeed). Both were connected to Linux systems, but the techniques should work on other operating systems as well. USB For the Sipeed NanoKVM, lsusb give away the device: $ lsusb Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 002: ID 0bda:c821 Realtek Semiconductor Corp. Bluetooth Radio Bus 001 Device 004: ID 051d:0002 American Power Conversion Uninterruptible Power Supply Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub PiKVM is a little bit less obvious, but this USB entry appears to be associated with PiVKM Bus 001 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget Bus 001 Device 017: ID 1b3f:2008 Generalplus Technology Inc. USB Audio Device This needs a bit more testing for the PiKVM. HDMI HDMI devices send EDID (Extended Display Identification Data) to the system the display is connected to. The main purpose of EDID is to communicate available video modes and resolutions. But it also includes manufacturer information. For the NanoKVM: sudo get-edid | parse-edid ... Section Monitor Identifier Connector ModelName Connector VendorName VCS ... Not very obvious, but the VCS vendor name could be a reasonable indicator (check for false positives) For PiKVM, the Identified and ModelName are more telling: Section Monitor Identifier PiKVM V3 ModelName PiKVM V3 VendorName LNX Evasion Of course, a more sophisticated attacker can modify these strings. PiKVM offers a configuration file to do so, in part to allow for better compatibility. I do not know whether the NanoKVM provides a similar, simple way to evade detection (but it is likely not terribly hard). So sophisticated attacker may translate to able and willing to read the manual . Many endpoint protection solutions monitor USB devices and may alert on odd devices being connected. But I am not aware of any that check monitor EDID strings. This may be another neat feature for any solutions. In office environments, most organizations provide a limited set of monitor types. For home office use, things may be more complex as users often