Careers & People
7/20/2016
11:45 AM
Sarah Vonnegut
Commentary

5 Mr. Robot Hacks That Could Happen in Real Life

As season two of the popular TV series gets underway, we reality-check anti-hero Elliot's hacking prowess against real-life security and attack scenarios.

Hollywood hacking films have given the job of hacker a sort of glamour, with fast-fingered hacks taking over the world while in picture-perfect makeup. And the InfoSec community has hated every single second of them. But where other movies and shows (we’re looking at you, CSI: Cyber) take far too many liberties with their hacking scenes, with no root in reality, one show has held up as a beacon of hope for how hacking can be realistically portrayed on the silver screen: Mr. Robot.

Although real-life security issues -- hackers finding XSS and blind SQLi vulnerabilities -- surrounded the premiere season last year, the show itself actively works to mimic real-life security and hacking scenarios. From accurate computer code, to the realism of using social engineering in getting the information needed for an attack, to the actual tools and slang the characters use, Mr. Robot has been mostly spot-on with the security stuff -- and the InfoSec community has sounded its approval.

And while many of the hack methods are condensed to allow the plot to continue, many of the attacks could actually be done -- if only by the most expert security professionals, as main character Elliot is made out to be.

By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=46841982

By USA Network (USA Network) [Public domain], via Wikimedia Commons

With the start of the second season, we thought it would be cool to take a look back at the first season’s hacks and how realistic they were.

1. The Cafe Wi-Fi Hack
The first time we meet Elliot, we see how his moral compass shows through in his approach to security -- and hacking. Much like Dexter, who only murdered society’s low-lifes, Elliot’s hacker motivation is to go after thieves, liars, and, in this case, pedophiles.

He’s de-anonymized traffic through the Tor network using the cafe’s surprisingly fast Wi-Fi network, where he discovered the cafe owner’s kiddie porn site and stash of pictures on the Dark Web. “The one in control of your exit nodes is the one in control of your traffic...which is me,” Elliot tells the dumbstruck coffee shop owner. As he gets up from the table, police stream in to catch the pedophile, after receiving an "anonymous tip."

Reality: While the hacking itself is pretty realistic, the way the cops instantly popped into the picture is far less realistic; just sending in a tip is unlikely to prompt a police throw-down within minutes. The lingo used during this scene is spot on, though, establishing both the show and Elliot as real security experts.

2. The DDoS Attack
Later in the first episode we’re witness to a major Distributed Denial of Service attack. The DDoS attack -- aimed at AllSafe, Elliot’s employer -- was designed as a cover for the bigger hack. F-Society, the fictitious hacking collective, had installed a rootkit in the system that would be used to steal data from AllSafe’s client, E-Corp. Elliot, later realizing that the hackers are targeting him and asking for his help, stops the attack from infecting other E-Corp servers but keeps the rootkit open on his own computer, allowing F-Society to maintain their presence in AllSafe’s systems.

Reality: This attack is well done in terms of its realism, and Elliot even refers to a real DDoS mitigation organization, Prolexic, to further cement the attack's real-life rooting. DDoS attacks by themselves can do damage, but a DDoS attack that hides other attacks is a major threat to organizations, because it diverts all the attention to the DDoS attack.

3. The HVAC Hack
Yet another example of the show mirroring reality is how F-Society used an air-conditioning system to get into the “most impenetrable” datacenter in the fifth episode by overheating the building in order to ruin the backup systems. HVAC is how experts speculate that Target was originally infected with the POS malware that caused the biggest hack of 2013.

Reality: This hack is possibly the least believable, if only for the fact that somebody would probably notice a rise in the temperature, prompting at least a look into the HVAC system. Additionally, at a place as secure as the fictional Steel Mountain Data Center, it’s likely that all systems are actively monitored and that even their HVAC system would be able to detect changes.

The Raspberry Pi part of the hack is most believable, because as the show’s technical advisor told Forbes, the device would connect, via Ethernet and the device's cellular network, to the building’s HVAC system in order to gain access. Just how real? This tutorial will teach you how to use a Raspberry Pi to control systems remotely.

4. The USB + Bluetooth Hacks
In the sixth episode, Elliot is blackmailed by a drug dealer he put in prison through an anonymous tip, in order to save his neighbor and love interest. Elliot tries to infiltrate the police department and change the prison records by spreading USBs around the department's parking lot. His goal: to get a police officer to plug in the malicious USB and grant Elliot access to the department’s data. However, the malware on the USB wasn’t hidden well enough to evade the police department’s malware detection program.

Elliot moves on to Plan B, narrowing the attack range to just one police officer’s car, as opposed to the station’s network. By spoofing the cop car’s Bluetooth connection to Elliot’s mobile keyboard, he’s able to take over the computer in the cop car and upload malware to the prison’s database to complete his goal.

Reality: Hackers trying to get into hard-to-hack organizations have long used the method of dropping USBs into parking lots of a business they’re trying to hack. It’s also a long-known security industry practice to avoid sticking USBs you don’t own into your computer, specifically because of situations like the one in Mr. Robot. Bluetooth hacking is another plot point taken from real life, and there are real tools that can scan Bluetooth points and extract information -- some without even needing to be paired to the device.

5. Social Engineering
Throughout the first season, social engineering played a starring role. One of the most memorable scenes is the one where Elliot gets a tour of the Steel Mountain facility after giving reception a fake name and building a Wikipedia page around that name. Bill, the man tasked with giving tours, first brushes Elliot off because he has no appointment, but after looking up the fake Wikipedia page, agrees to give him a tour. Elliot later verbally shreds Bill to pieces, using Bill’s weaknesses to exploit him. After Bill is replaced with a supervisor, the team fakes a dramatic and mysterious text message that makes the supervisor run out.

Reality: Social engineering is a huge part of the Hacker’s Toolbox, and can help get information or access for a bigger attack. Even the tools F-Society uses to social engineer Steel Mountain’s employees are real hacking tools. The Social Engineering Toolkit is used to spoof the SMS sent to the supervisor, and Kali Linux, a program pen testers use regularly to test security standards, is used to break into the facility.

What was your favorite hack from Season One and what do you think of Season Two so far?


Sarah is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. Her passion for writing and security have found a home at Checkmarx, where her team sheds light on lesser-known AppSec issues and ...
ManuelW789,
User Rank: Apprentice
7/23/2017 | 2:33:07 PM
Re: Hackers and Hollywood
Agreed, but this is not "100% accurate" as you said. I feel like they sacrificed a lot of details for the sake of storytelling, and some of the stuff is straightforwardly wrong, as you can see here: https://www.offensive-security.com/faq/

But the overall quality is undeniable.
Kristheduck,
User Rank: Apprentice
3/23/2017 | 1:44:21 PM
Re: Hackers and Hollywood
Mr. Robot was a breakthrough in my opinion. It was the first show I've seen that actually bothered to do a bit of technical training before they filmed the show; most shows are reduced to nonsense techno-babble because of the reasoning "if it sounds real – it is real". I know for a fact (from my sources at https://www.offensive-security.com/, the creators of Kali Linux) that the hacking in the show is 100% accurate.
aashbel,
User Rank: Author
3/13/2017 | 11:21:23 AM
Love it.
Great article.
Christian Bryant,
User Rank: Ninja
12/27/2016 | 11:55:12 AM
Mental Illness as a Social Hack
I have to vote for the mental state of Elliot as a very realistic element of the hacker world.  While not a condition of all hackers and crackers, I've found many of my co-workers over the years who were brilliant in InfoSec and talented hackers had some variation of mental illness or intellectual "differences".  As a victim of mental illness myself, I fully appreciate Elliot's talent as a social engineer both aided and threatened by his tentative grip on reality.  I feel for him as he slips in and out of control and I appreciate the dichotomy of balancing the need to do something huge that supports a deeply held ideal, but still wanting to hide in the shadows and not be noticed at all.  Over time, I think it is very believable that one can slip into multiple personalities just to manage the conflicting needs, wants and desires. 

I can see past the artistic license taken, too. Some are trying to apply literal comparisons to the real-life world of hacking, but just like The Girl With the Dragon Tattoo, we have to appreciate the element of art that is being infused into the story. Let's reserve literal comparisons that draw criticism for bio-pics on personas like Snowden and Assange where it's important to know what is misinformation and what is reality. Mr. Robot is artistic entertainment, with a little much-needed social commentary sprinkled on top.
JulietteRizkallah,
User Rank: Ninja
7/27/2016 | 9:57:13 AM
Hackers and Hollywood
Awesome review of the first season of an awesome show. I cannot wait to see what will inspire season 2, from the largest data breaches of healthcare companies and government agencies to, very recently, political organizations. But this raises the important question of the role of Hollywood in raising awareness for a new "profession": hacker. Since the 70s hackers have been prosecuted but also admired by the public. The fame of some can outrage the pure white hat security professional, but Hollywood and the film industry have made a point recently to portray hackers as modern "Robin Hood". Let's just hope that this show keeps its course of portraying past real hacks versus designing new hacks and inspiring criminal hackers in learning. Many other criminal shows have been unfortunately down that path before.