Rogue IP KVMs are highlighted as another risk factor in IP-based remote access, with the author noting that criminals already exploit these devices. For example, North Koreans were described as using KVMs to remotely connect to laptops located in the United States, implying potential remote access after a device is installed on site.
The piece explains that IP KVMs typically connect via USB for keyboard/mouse or HDMI for the monitor, with older variants possibly using VGA, and it details testing of two devices, PiKVM and NanoKVM, on Linux systems. It includes concrete USB identification data, such as the NanoKVM showing Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM, and PiKVM-related entries like a Linux Foundation Multifunction Composite Gadget and a USB Audio Device.
On HDMI/EDID, the article points to EDID data that can reveal the vendor and model, giving examples such as a Monitor section with ModelName "PiKVM V3" and VendorName "LNX", while noting attackers could alter these strings to evade detection. Finally, it suggests that many endpoint protection solutions monitor USB but not EDID strings, and hints at a practical detection approach in office environments and home offices, according to SANS[.]edu.
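A sketch of the detection idea summarized above, written for this page and not taken from the SANS article: it checks lsusb output and a decoded EDID Monitor section against the strings quoted above. The function names, the sample input and the `ffff:0001` ID are constructed assumptions; because the EDID strings can be altered, a clean result does not rule out a KVM.

```python
import re

# Indicators quoted on this page; all other values below are constructed.
USB_IDS = {"3346:1009": "sipeed NanoKVM"}
USB_DESC = ["Multifunction Composite Gadget"]  # PiKVM-related, but any Linux USB gadget may show it
EDID_STRINGS = {"ModelName": ["PiKVM"], "VendorName": ["LNX"]}

LSUSB_RE = re.compile(r"^Bus \d{3} Device \d{3}: ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$", re.I)
EDID_RE = re.compile(r'^\s*(ModelName|VendorName)\s+"([^"]*)"', re.M)

def scan_lsusb(text):
    """Return (confidence, usb_id, description) for each suspicious lsusb line."""
    hits = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if not m:
            continue
        usb_id, desc = m.group(1).lower(), m.group(2)
        if usb_id in USB_IDS:
            hits.append(("high", usb_id, desc))   # exact vendor:product match
        elif any(s.lower() in desc.lower() for s in USB_DESC):
            hits.append(("low", usb_id, desc))    # generic gadget string, needs review
    return hits

def scan_edid(text):
    """Return (field, value) pairs from a Monitor section that match known strings."""
    return [(field, value) for field, value in EDID_RE.findall(text)
            if any(w.lower() in value.lower() for w in EDID_STRINGS[field])]

# Constructed sample input; only the NanoKVM line and the two EDID strings come from the page.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 3346:1009 sipeed NanoKVM
Bus 001 Device 006: ID ffff:0001 Linux Foundation Multifunction Composite Gadget
"""
SAMPLE_EDID = """\
Section "Monitor"
    ModelName "PiKVM V3"
    VendorName "LNX"
EndSection
"""

if __name__ == "__main__":
    for hit in scan_lsusb(SAMPLE_LSUSB):
        print("USB ", hit)
    for hit in scan_edid(SAMPLE_EDID):
        print("EDID", hit)
```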