519: The Password Is All Zeros

Mark Omo and James Rowley spoke with us about safecracking, security, and the ethics of doing a bad job.

Mark and James gave an excellent talk on the development of their safecracking tools at DEF CON 33: Cash, Drugs, and Guns: Why Your Safes Aren't Safe. It included a section of interaction involving the lock maker's lawyers bullying them and how the Electronic Frontier Foundation (EFF) has a Coders' Rights Project to support security research.

As mentioned in the show, the US Cyber Trust Mark baseline has a very straightforward checklist; NISTIR 8259 is the overall standard, NISTIR 8259A is the technical checklist, NISTIR 8259B is the non-technical (process/maintenance) checklist. Roughly the process is NISTIR 8259 -> Plan/Guidance; NISTIR 8259A -> Build; NISTIR 8259B -> Support.

We discussed ETSI EN 303 645 V3.1.3 (2024-09) Cyber Security for Consumer Internet of Things: Baseline Requirement and the EU's CRA: Cyber Resilience Act which requires manufacturers to implement security by design, have security by default, provide free security updates, and protect confidentiality. See more here: How to prepare for the Cyber Resilience Act (CRA): A guide for manufacturers.

We didn't mention Ghidra in the show specifically, but it is a tool for reverse engineering software: given a binary image, what was the code?

Some of the safecracking was helped by the lock maker using the same processor in the PS4 which has many people looking to crack it. See fail0verflow :: PS4 Aux Hax 1: Intro & Aeolia for an introduction.

Mark and James have presented multiple times at Hardwear.io, a series of conferences and webinars about security (not wearables). Some related highlights:

• 2024: Breaking Into Chips By Reading The Datasheet is about the exploit developed for the older lock version on the safes discussed in the show.

• USA 2025: Extracting Protected Flash With STM32-TraceRip is about STM32 exploits.