KVM Switches: A Security Threat Some Might Leave Open


Belkin KVM Switch



How much security risk is introduced by something as seemingly innocent as a KVM switch? Apparently a lot, according to Belkin, which earlier this year unveiled the Advanced Secure line of keyboard-video-mouse switches that offer more isolation for connected systems than the protective custody ward at Riker's Island. The company sent a four-port Secure DVI-I KVM Switch to the CRN Test Center, and testers were impressed with what they found.

Everything about the Belkin Secure DVI-I KVM Switch is air-tight, right down to the tamper-evident outer packaging and cabinet labels. Fully redundant circuitry prevents signaling attacks and data leakage across channels. Printed on the unit itself is a warning that it will self-destruct if opened. The real question then becomes whether the "secretary will disavow any knowledge of your actions."

The model we tested, the F1DN104F, is the most hardened and, at $1,129 list, the most expensive of the line. The four-port, dual-monitor unit provides USB and PS/2 ports for the console keyboard and mouse, plus an extra port for a common access card (CAC) reader for each connected system.

The CAC is the secure ID method of choice for government, defense and intelligence agencies, which are among the target users of this particular model, according to Carlos Del Toro, senior product manager of Belkin's KVM group. "Many organizations need to keep systems that access the Internet away from others used for sensitive [corporate or personal] data," he said. Belkin's KVM allows one CAC reader to service all connected systems. "Having separate CAC readers for each system can quickly become confusing and is subject to error," he said.

The dual-monitor unit will appeal to graphic designers, engineers and anyone using two monitors and more than one computer. "This helps you optimize your desktop space" by allowing any combination of up to four Macs, Windows or Linux systems to use a single keyboard and mouse and the same two monitors, Del Toro said. Other major target customers include law firms, health care organizations and financial institutions.

Security is enhanced through the use of dedicated, unidirectional USB ports for keyboard and mouse, and another for the CAC, which is bidirectional. The switch continuously monitors the connected device type, Del Toro said, and will shut down the port if a different type, such as a thumb drive, is introduced. "We're the only [KVM] that does that," he claimed. In our tests, a thumb drive inserted in the keyboard port was not recognized by a connected system, but the keyboard worked immediately when reconnected. Good enough.

Did you know that today's monitors can store data? Hackers certainly do, and they use the EDID system of modern monitors to launch signaling attacks. The F1DN104F also prevents this, Del Toro said, by using redundant circuits to store separate EDID data for each monitor.

The Secure DVI-I KVM offers some nice touches, such as labels and semi-circular plastic chips for color-coding each selector button that are impossible to remove accidentally. Belkin also offers less hardened desktop models that are probably still secure enough for most corporate environments. These start at $549 plus cables. The sturdy F1DN104F is made from a single piece of aluminum to reduce entry points and includes a mounting bracket for under-desk installations. For conditions where security is of the utmost importance, it is a product recommended by the CRN Test Center.