{"id":2098,"date":"2026-03-24T14:05:27","date_gmt":"2026-03-24T14:05:27","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/"},"modified":"2026-03-24T14:05:27","modified_gmt":"2026-03-24T14:05:27","slug":"detecting-ip-kvms-tue-mar-24th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/","title":{"rendered":"Detecting IP KVMs, (Tue, Mar 24th)"},"content":{"rendered":"<div>\n<p>I have written about how to\u00a0<a href=\"https:\/\/isc.sans.edu\/diary\/32598\">use IP KVMs securely<\/a>, and recently, researchers at Eclypsium published yet another report on <a href=\"https:\/\/eclypsium.com\/blog\/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network\/\">IP KVM vulnerabilities.<\/a>\u00a0But there is another issue I haven&#8217;t mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent to them by their employers. The laptops were located in the US, and the North Korean workers used IP KVMs to remotely connect to them. IP KVMs could also be used to access office PCs, either to enable undetected &#8220;work from home&#8221;\u00a0or by threat actors who use them to gain remote access after installing the device on site.<\/p>\n<p>IP KVMs usually connect to the system in two ways:<\/p>\n<ul>\n<li>USB for keyboard\/mouse<\/li>\n<li>HDMI for the monitor connection (some older variants may also use VGA)<\/li>\n<\/ul>\n<p>For my testing, I used two different IP KVMs. A &#8220;PiKVM&#8221; and a &#8220;NanoKVM&#8221; (Sipeed). 
Both were connected to Linux systems, but the techniques should work on other operating systems as well.<\/p>\n<h3>USB<\/h3>\n<p>For the Sipeed NanoKVM, &#8220;lsusb&#8221; gives away the device:\u00a0<\/p>\n<blockquote>\n<p><tt>$ lsusb<br \/>\nBus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub<br \/>\nBus 001 Device 002: ID 0bda:c821 Realtek Semiconductor Corp. Bluetooth Radio<br \/>\nBus 001 Device 004: ID 051d:0002 American Power Conversion Uninterruptible Power Supply<br \/>\n<u><strong>Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM<\/strong><\/u><br \/>\nBus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub<\/tt><\/p>\n<\/blockquote>\n<p>PiKVM is a little bit less obvious, but this USB entry appears to be associated with PiKVM:<\/p>\n<blockquote>\n<p><code>Bus 001 Device 004: ID 1d6b:0104 Linux Foundation Multifunction Composite Gadget<br \/>\nBus 001 Device 017: ID 1b3f:2008 Generalplus Technology Inc. USB Audio Device<\/code><\/p>\n<\/blockquote>\n<p>This needs a bit more testing for the PiKVM.<\/p>\n<h3>HDMI<\/h3>\n<p>HDMI devices send &#8220;EDID&#8221; (Extended Display Identification Data) to the system the display is connected to. The main purpose of EDID is to communicate available video modes and resolutions. 
But it also includes manufacturer information.\u00a0<\/p>\n<p>For the NanoKVM:<\/p>\n<blockquote>\n<p><code>sudo get-edid | parse-edid<br \/>\n...<br \/>\nSection \"Monitor\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 Identifier \"Connector\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 ModelName \"Connector\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 VendorName \"VCS\"<br \/>\n...<\/code><\/p>\n<\/blockquote>\n<p>Not very obvious, but the &#8220;VCS&#8221; vendor name could be a reasonable indicator (check for false positives).<\/p>\n<p>For PiKVM, the &#8220;Identifier&#8221; and &#8220;ModelName&#8221; are more telling:<\/p>\n<blockquote>\n<p><code>Section \"Monitor\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 Identifier \"PiKVM V3\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 ModelName \"PiKVM V3\"<br \/>\n\u00a0 \u00a0 \u00a0 \u00a0 VendorName \"LNX\"<\/code><\/p>\n<\/blockquote>\n<h3>Evasion<\/h3>\n<p>Of course, a more sophisticated attacker can modify these strings. PiKVM offers a configuration file to do so, in part to allow for better compatibility. I do not know whether the NanoKVM provides a similar, simple way to evade detection (but\u00a0it is likely not terribly hard). So &#8220;sophisticated attacker&#8221; may translate to &#8220;able and willing to read the manual&#8221;.\u00a0<\/p>\n<p>Many endpoint protection solutions monitor USB devices and may alert on odd devices being connected. But I am not aware of any that check monitor EDID strings. This may be another neat feature for such solutions. In office environments, most organizations provide a limited set of monitor types. For home office use, things may be more complex as users often connect their own monitors.<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I have written about how to\u00a0use IP KVMs securely, and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities.\u00a0But there is another issue I haven&#8217;t mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2098","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"I have written about how to\u00a0use IP KVMs securely, and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities.\u00a0But there is another 
issue I haven&#8217;t mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. For example, North Koreans used KVMs to connect remotely to laptops sent [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-24T14:05:27+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Detecting IP KVMs, (Tue, Mar 24th)\",\"datePublished\":\"2026-03-24T14:05:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\"},\"wordCount\":478,\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\",\"name\":\"Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"datePublished\":\"2026-03-24T14:05:27+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting IP KVMs, (Tue, Mar 24th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures 
Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/","og_locale":"en_US","og_type":"article","og_title":"Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures Limited","og_description":"I have written about how to\u00a0use IP KVMs securely, and recently, researchers at Eclypsium published yet another report on IP KVM vulnerabilities.\u00a0But there is another issue I haven&#8217;t mentioned yet with IP KVMs: rogue IP KVMs. IP KVMs are often used by criminals. 
For example, North Koreans used KVMs to connect remotely to laptops sent [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-03-24T14:05:27+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Detecting IP KVMs, (Tue, Mar 24th)","datePublished":"2026-03-24T14:05:27+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/"},"wordCount":478,"keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/","name":"Detecting IP KVMs, (Tue, Mar 24th) - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"datePublished":"2026-03-24T14:05:27+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/24\/detecting-ip-kvms-tue-mar-24th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Detecting IP KVMs, (Tue, Mar 24th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/i
ndex.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2098"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2098\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}