ToorCamp 2026

qweary

Louis Piano (Qweary) is a red teamer who happens to also be a locksmith for the US Department of the Army. He researches the collision of physical and digital security, demonstrating that the boundary between them was always imaginary. His hardware work includes a year-long reverse engineering project against institutional electronic locks, from NAND flash dumps to hand-patched TI assembly firmware hooks. On the cyber side, he builds multi-agent AI swarms with agentic capabilities for red team operations. Most recently, he deployed them at WRCCDC regionals, where Anthropic sponsored a blue team of 30-40 Claude instances defending against both his swarm and the human red team; this was a first-of-its-kind experiment to see the impact of augmented red team operations vs. agentic blue team defense in a live competition. Based in Olympia, WA, he volunteers with the OlyMega makerspace and believes persistence matters more than pedigree. This is his first conference talk.


Sessions

06-25
11:00
150min
Lock Drilling Class
qweary

Learn the fine art of lock bypass with a drill from a professional locksmith. When lockpicking fails, it's good to know the nuclear kinetic option.

Workshops - Hardware Hacking Stage
Hardware Hacking Stage
06-26
12:00
50min
Physical Access, Digital Lies: How a Locksmith Hacked His Recommended Lock
qweary

I spent years installing Trilogy Alarm Locks for the military. When other locksmiths asked for recommendations, I let them know of Trilogy's fast response to responsible disclosures (at that time), and I soon started seeing them in pharmacies, more government buildings, and banks. Then, after the company stopped responding to my vulnerability disclosures, I spent a year figuring out how to hack them. Nearly every angle I approached it from, I found a new vulnerability. The company never responded, despite acknowledging the findings through a third party.

This talk walks through a five-layer attack chain against the T2/T3 lock platform: physical bypasses that leave little to no trace, NAND flash manipulation that injects ghost users with master privileges, a firmware hook on the MSP430 microcontroller that writes a persistent backdoor code during factory reset (using hand-patched TI assembly, because apparently that's a thing I do now), and USB emulation of the proprietary audit cable using FaceDancer and a GreatFET One.

Over a year later, I was able to prove that a lock deployed in critical infrastructure has credentials that can be cloned from the trash, firmware that can be rewritten through an unblown JTAG fuse, and an audit trail (the one used as legal evidence) that can be fooled by a device that costs less than the lock itself.

I'm not a firmware engineer; I'm a locksmith who got curious, bricked a lot of boards, filled a notebook with bad hypotheses, and eventually taught myself enough TI assembly to write a 38-byte payload that survives every factory reset method. The tools were a $30 flash programmer, a soldering iron, and an unreasonable amount of stubbornness.

The talk closes with a constructive argument: self-auditing endpoints are fundamentally broken. If the lock controls access AND writes the audit log, you have a suspect writing their own alibi, not a log that should be used as legal evidence. I'll propose an Observer System Model where independent sensors verify what the lock claims, and discuss why even cheap mitigations (blow the JTAG fuse, encrypt the NAND, authenticate the cable, use a TPM) would have stopped every attack in this chain.

Everything is published: code, dumps, patches, pcaps, 33 pages of handwritten notes, and a 4,000-word research journal documenting every wrong turn.
Repo:
https://github.com/Qweary/T2-T3-Lock-Exploitation-Research
Blog:
https://qweary.github.io/backburner/

Talks - Prime Dome
Prime Dome
06-26
20:00
90min
Live Jam Session
qweary

Live jam: Relax with classical and jazz music played on trombone by a guy named Piano (Qweary). Jazz backing tracks will play over a speaker; bring an instrument if you want to join.

Workshops - Hardware Hacking Stage
Hardware Hacking Stage
06-27
11:00
90min
Dead Bytes Tell No Lies: Hands-On NAND Flash Decoding for Access Control Locks
qweary

Somewhere in a pharmacy right now, there's a lock protecting a drug cabinet. The lock stores every user code, privilege level, and active flag in plaintext on a NAND flash chip. No encryption. No MAC. No checksums. No TPM. Just raw bytes in a predictable layout, readable with a $30 programmer and a clip.

In this workshop, you'll learn to decode that layout by hand.

We'll work through real NAND dumps extracted from Alarm Lock Trilogy T3 units, the same locks deployed across healthcare, government, and financial facilities in the US. You'll learn how to identify page boundaries (hint: look for 0xFD), decode 6-digit user codes stored as interleaved ASCII nibbles with a delightful quirk where zero is encoded as "B", parse permission flags to determine who has master access, and spot the forensic artifacts that indicate flash tampering (like the "Power Up Complete, Data Restored From Flash Memory" audit entry that appears after injection).

Along the way, I'll explain the lazy write model that makes all of this possible: the MSP430 microcontroller only commits volatile RAM to NAND on battery removal or a low-voltage interrupt, creating a window where the flash doesn't reflect the lock's current state. We'll also look at what happens when you inject malformed data: some edits will make the lock show injected codes in its "Print Users" output (using the vendor's older and less used infrared printer) but silently omit them from "Export Users" in DL-Windows (the vendor's PC-side audit software), creating a stealth window where printed and digital records disagree.

No soldering required. Bring a laptop with a hex editor (HxD, wxHexEditor, or whatever you prefer). I'll provide printed reference sheets with the full NAND page layout and sample binary dumps to work through. If time permits and curiosity demands, I'll have a T48 universal programmer and a lock board on hand for a live read/write demo.

You'll leave knowing how to read embedded flash memory from a class of devices that assumed nobody would bother, and take part in showing that assumption is a security failure.

Workshops - Yoga Studio
Yoga Studio