Researchers at Eclypsium have found nine serious security flaws in four popular low-cost IP-KVM devices during a recent security assessment. The flaws give attackers BIOS-level control across enterprise networks: they can take full control of connected systems at the BIOS level, which means they bypass every operating system security control and Endpoint Detection and Response (EDR) agent.

Compromising a keyboard, video, and mouse (KVM) device gives an attacker the equivalent of physical access to every machine connected to it. That lets the attacker type keystrokes, boot from removable media to get around disk encryption, and change BIOS settings to turn off Secure Boot.

Because the KVM works below the host operating system, host-based security tools cannot see the attacker, which makes it a very persistent threat vector. This threat is already being used in real-world attacks.

The FBI has investigated threats involving KVMs, and Microsoft has reported that North Korean state-sponsored hackers use IP-KVMs to gain remote physical control of corporate laptops. Recent scans have also found more than 1,600 of these cheap devices exposed directly to the internet, which makes them an easy target. The flaws affect devices made by GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, which usually cost between $30 and $100. They stem from basic security hygiene mistakes such as not verifying firmware signatures, leaving debug interfaces open, and broken access controls.

The most serious problem is with the Angeet ES3 KVM, which has an unauthenticated file upload vulnerability that, when combined with a command injection flaw, allows remote code execution with root privileges before authentication.

The GL-iNet Comet RM-1 is also worrisome: its UART interface gives anyone root-level access, and it verifies firmware using only an MD5 hash, which is trivial to recompute for a modified image.

Mitigation Strategies

To keep enterprise networks safe from these serious out-of-band management threats, security teams need to treat IP-KVM devices as critical parts of the network. Eclypsium's research says administrators should immediately put all KVM devices on separate management VLANs and make sure they never connect directly to the internet.
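Why a bare hash, like the MD5 check described above for the Comet RM-1, does not protect a firmware update: the following is an added illustration, not code from the article, from Eclypsium's research, or from any vendor's update mechanism. The firmware image, manifest format and keys are constructed for the example, and HMAC stands in for the keyed step only because it is in the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample firmware image; not a real vendor image.
ORIGINAL_IMAGE = b"KVMFW\x00" + b"\x90" * 64 + b"boot_secure=1\n"


def make_md5_manifest(image: bytes) -> dict:
    """Unsigned manifest of the kind a hash-only update check relies on."""
    return {"md5": hashlib.md5(image).hexdigest()}


def verify_md5_only(image: bytes, manifest: dict) -> bool:
    """Integrity check only: it answers 'does the image match the manifest?'
    but says nothing about who produced the manifest."""
    return hmac.compare_digest(hashlib.md5(image).hexdigest(), manifest["md5"])


def tamper(image: bytes) -> bytes:
    """Constructed modification standing in for any unauthorised firmware change."""
    return image.replace(b"boot_secure=1", b"boot_secure=0")


def untrusted_update_passes_md5_check() -> bool:
    """Whoever can change the image can regenerate the manifest that travels
    with it, so the hash-only check accepts the modified image."""
    modified = tamper(ORIGINAL_IMAGE)
    manifest = make_md5_manifest(modified)  # regenerated alongside the image
    return verify_md5_only(modified, manifest)


# Keyed verification: the manifest now carries a MAC under a key the device
# trusts. A production design uses an asymmetric signature (Ed25519, RSA-PSS)
# so the device holds only a public key that cannot be used to forge updates;
# HMAC is used here purely to keep the example dependency-free.
DEVICE_TRUST_KEY = secrets.token_bytes(32)  # stands in for the vendor's signing capability


def make_keyed_manifest(image: bytes, key: bytes) -> dict:
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "mac": hmac.new(key, image, hashlib.sha256).hexdigest(),
    }


def verify_keyed(image: bytes, manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, image, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def untrusted_update_passes_keyed_check() -> bool:
    """A modified image with a manifest made under some other key is rejected,
    because the device's trusted key does not reproduce the MAC."""
    modified = tamper(ORIGINAL_IMAGE)
    forged = make_keyed_manifest(modified, secrets.token_bytes(32))
    return verify_keyed(modified, forged, DEVICE_TRUST_KEY)


def genuine_update_passes_keyed_check() -> bool:
    manifest = make_keyed_manifest(ORIGINAL_IMAGE, DEVICE_TRUST_KEY)
    return verify_keyed(ORIGINAL_IMAGE, manifest, DEVICE_TRUST_KEY)


if __name__ == "__main__":
    print("MD5-only check accepts modified image:", untrusted_update_passes_md5_check())
    print("Keyed check accepts modified image:", untrusted_update_passes_keyed_check())
    print("Keyed check accepts genuine image:", genuine_update_passes_keyed_check())
```

The point for a defender evaluating an update mechanism: a digest in the manifest proves only that the image and the manifest agree with each other, not that either came from the vendor. The check needs a key the attacker cannot reproduce, and with a symmetric MAC that key would sit on the device where a root shell over UART could read it, which is why an asymmetric signature with a public verification key is the right fix.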

Access should only be allowed through strong authentication and Virtual Private Networks (VPNs). Organizations also need to audit their environments for undocumented KVMs, watch outbound network traffic for unusual behavior, and install the newest firmware patches as soon as vendors release them.
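A starting point for the inventory and outbound-traffic checks in the mitigation list, as an added example that is not from the article or from Eclypsium: the management VLAN, inventory entries, console port and flow records below are all assumptions constructed for the demonstration, and the three rules are heuristics to tune to a real fleet.

```python
import ipaddress

# Assumed network layout, not taken from the article: KVMs are meant to live
# only on a dedicated management VLAN and must never reach the internet directly.
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative port for a KVM-style remote console listener (VNC's default);
# tune to the products actually deployed.
CONSOLE_PORTS = {5900}

# Constructed asset inventory: the KVMs the team has documented.
INVENTORY = {"10.99.0.10": "kvm-rack1", "10.99.0.11": "kvm-rack2"}

# Constructed flow records (src, dst, dst_port), shaped like a simplified
# firewall/NetFlow export. Not real traffic.
SAMPLE_FLOWS = [
    ("10.99.0.10", "10.99.0.5", 443),    # documented KVM -> internal jump host: expected
    ("10.99.0.11", "203.0.113.7", 443),  # documented KVM -> internet: policy violation
    ("10.99.0.42", "10.99.0.5", 80),     # unknown device on the management VLAN
    ("10.20.3.8", "10.20.3.77", 5900),   # console-style listener outside the management VLAN
    ("10.20.3.9", "10.20.3.1", 22),      # ordinary SSH on a user VLAN: expected
]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_alerts(flows, inventory=INVENTORY):
    """Return (rule, host, detail) tuples for flows that break the KVM policy."""
    alerts = []
    for src, dst, port in flows:
        src_in_mgmt = ipaddress.ip_address(src) in MGMT_VLAN
        dst_in_mgmt = ipaddress.ip_address(dst) in MGMT_VLAN
        # Rule 1: nothing on the management VLAN may talk to a public address.
        if src_in_mgmt and not is_private(dst):
            alerts.append(("direct_internet_egress", src, f"to {dst}:{port}"))
        # Rule 2: every source on the management VLAN must be in the inventory.
        if src_in_mgmt and src not in inventory:
            alerts.append(("undocumented_mgmt_device", src, f"to {dst}:{port}"))
        # Rule 3: an uninventoried console-style listener outside the management
        # VLAN is a candidate rogue KVM and warrants a look.
        if not dst_in_mgmt and port in CONSOLE_PORTS and dst not in inventory:
            alerts.append(("console_listener_outside_mgmt", dst, f"client {src}"))
    return alerts


def summarize(alerts):
    """Collapse alerts to {rule: sorted hosts} for a quick triage view."""
    out = {}
    for rule, host, _ in alerts:
        out.setdefault(rule, set()).add(host)
    return {rule: sorted(hosts) for rule, hosts in out.items()}


if __name__ == "__main__":
    for rule, host, detail in find_alerts(SAMPLE_FLOWS):
        print(f"[{rule}] {host} {detail}")
```

Run against the constructed flows it raises three alerts: the documented KVM reaching a public address, the unknown device on the management VLAN, and the console-style listener on a user VLAN. The same three rules map directly onto the mitigations above (no direct internet access, no undocumented KVMs, watch the traffic), so feeding real flow exports and the real asset list into `find_alerts` gives a cheap first pass before any vendor patch is applied.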
