"Hacker Fails for the Win"

Douglas McKee, director of vulnerability research at Trellix, struggled to extract passwords from a medical patient-monitor device that he was probing for vulnerabilities. The GPU password-cracking tool he had used to lift the layers of credentials required to dissect the device had returned an empty result. When he read the medical device's documentation a few months later, he realized the passwords had been right there in print the whole time. Since the passwords were also hardcoded into the system, his failed password-cracking process turned out to be overkill. Later, he and his team discovered bugs in the device that enabled them to falsify patient data on the monitor device.

According to McKee, failing to read documentation is a common mistake among security researchers who want to delve deeper into the hardware and software they are studying and reverse-engineering. In a presentation titled "Fail Harder: Finding Critical 0-Days Despite Ourselves," McKee and his colleague Philippe Laulheret, senior security researcher at Trellix, shared some mistakes and miscalculations they made in their hacking projects that can serve as useful lessons for security researchers. The article goes on to discuss mistakes the researchers made on the way to some of their key vulnerability discoveries, which can serve as lessons for other researchers.

Dark Reading reports "Hacker Fails for the Win"

Submitted by Anonymous on