Hacker Fails for the Win

  /     /     /  
Publicated : 23/11/2024   Category : security


Hacker Fails for the Win


Security researchers share their biggest initial screwups in some of their key vulnerability discoveries.



BLACK HAT EUROPE 2022 – London – Researcher Douglas McKee was having no luck extracting the passwords in a medical patient-monitor device he was probing for vulnerabilities. The GPU password-cracking tool he had run to lift the layers of credentials needed to dissect the device came up empty. It wasnt until a few months later when he sat down to read the medical devices documentation that he discovered that the passwords had been right there in print the whole time.
I finally got around reading the documentation, which clearly had all the passwords in plaintext right in the documents, McKee, director of vulnerability research at Trellix, recounted in a presentation here today. It turned out the passwords were hardcoded into the system as well, so his failed password-cracking process was massive overkill. He and his team later discovered bugs in the device that allowed them to falsify patient information on the monitor device.
Failing to pore over documentation is a common misstep by security researchers eager to dig into the hardware devices and software they are studying and reverse-engineering, according to McKee. He and his colleague Philippe Laulheret, senior security researcher at Trellix, in their
Fail Harder: Finding Critical 0-Days in Spite of Ourselves
presentation here, shared some of their war stories over mistakes or miscalculations they made in their hacking projects: mishaps that they say serve as useful lessons for researchers.
At all conferences we go to [they] show the shiny results and successes in security research like zero-days, Laulheret said. You dont always get to hear about the strings of failures and setbacks along the way when sniffing out vulns, the researchers said. In their case, thats been everything from hardware hacks that burned circuit boards to a crisp, to long-winded shellcode that failed to run.
In the latter case, McKee and his team had discovered a vulnerability in the Belkin Wemo Insight SmartPlug, a Wi-Fi-enabled consumer device for remotely powering on and off devices connected to it. My shellcode was not getting through to the stack. If I had read the XML library, it was clear that XML filters out characters and theres a limited character set allowed through the XML filter. This was another example of lost time if I had read through the code I was actually working with, he says. When we deconstructed it, we found a buffer overflow that allowed you to remotely control the device.
In another project, the researchers studied a distance-learning software tool by Netop called Vision Pro that, among other things, includes the ability for teachers to remote into students machines and exchange files with their students. The Remote Desktop Protocol-based feature seemed straightforward enough: It allows teachers to log in using Microsoft credentials to get full access to a students machine, McKee explained.
The researchers had assumed that the credentials were encrypted on the wire, which would have been the logical security best practice. But while monitoring their network captures from Wireshark, they were shocked to discover credentials traveling across the network unencrypted. A lot of times assumptions can be the death of the way you do a research project, McKee said.
Meantime, they recommend having in hand multiple versions of a product youre researching in case one gets damaged. McKee admitted getting a bit overzealous in deconstructing the battery and internals of the B Bruan Infusomat infusion pump. He and his team took apart the battery after spotting a MAC address on a sticker affixed to it. They found a circuit board and flash chip inside, and they ended up physically damaging the chip while trying to get to the software on it.
Try to do the least invasive process first, McKee said, and dont jump into breaking open the hardware from the start. Breaking things is part of the hardware hacking process, he said.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Hacker Fails for the Win