Security Weekly Podcast Network (Audio)
Hacking IP KVMs & Reversing with Radare2 - Sergi Àlvarez - PSW #918
Mar 19, 2026
Sergi Àlvarez (Pancake), creator and community leader behind the Radare2 reverse engineering framework, shares his origins in security and why Radare2 became a modular, plugin-first toolkit. He discusses AI-assisted decompilation, defending the project with fuzzing and scans, and upcoming plugins for Unity, Flutter, and React Native. The conversation also covers discovering nine vulnerabilities in low-cost IP KVMs and real-world hardware hacking stories.
Cheap IP KVMs Drive Large Internet Exposure
- Low-cost IP-KVMs are proliferating online (hundreds to thousands exposed) because they replace expensive enterprise hardware for labs and small deployments.
- Paul cites RunZero/HD Moore Shodan counts and notes some units sell for ~$30, increasing internet exposure.
JetKVM Update Process Revealed Firmware Signing Gaps
- Paul found that JetKVM's firmware update URL used HTTP with no signing, then discovered that the firmware lacked cryptographic signature checks.
- While testing MITM and SSL attacks, he later saw JetKVM add SSL, and the vendor patched quickly after disclosure.
Use US-CERT To Coordinate Multi-Vendor Disclosures
- Use coordinated disclosure and engage US-CERT/CISA to centralize vendor communication when multiple vendors and CVEs are involved.
- Paul praised US-CERT for pulling vendors into one coordinated case and simplifying triage and CVE assignment.
