As season two of the popular TV series gets underway, we reality-check anti-hero Elliot’s hacking prowess against real-life security and attack scenarios.

Sarah Vonnegut, Application Security Community Specialist, Checkmarx

July 20, 2016

6 Min Read
By Source (<a href="//en.wikipedia.org/wiki/Wikipedia:NFCC#4" class="mw-redirect" title="Wikipedia:NFCC">WP:NFCC#4</a>), <a href="//en.wikipedia.org/wiki/File:MrRobot_intertitle.png" title="Fair use of copyrighted material in the context of Mr. Robot (TV series)">Fair use</a>, https://en.wikipedia.org/w/index.php?curid=46841982. By USA Network (USA Network) [Public domain], <a href="https://commons.wikimedia.org/wiki/File%3AMr._Robot_Logo.svg">via Wikimedia Commons</a>

Hollywood hacking films have given the job of hacker a sort of glamour, with their fast-fingered hacks taking over the world, while in picture perfect makeup. And the InfoSec community has hated every single second of them.  But where other movies and shows  (We’re looking at you, CSI:Cyber) take the hacking scenes way too liberally with no root in reality, one show has held up as a beacon of hope for how hacking can be realistically portrayed on the silver screen: Mr. Robot.

Although real-life security issues -- hackers finding XSS and blind SQLi vulnerabilities -- surrounded the premier season last year, the show itself actively works to mimic real-life security and hacking scenarios. From accurate computer code, to the realism of using social engineering in getting the information needed for an attack, to the actual tools and slang the characters use, Mr. Robot has been mostly spot-on with the security stuff -- and the InfoSec community has sounded its approval.

And while many of the hack methods are condensed to allow the plot to continue, many of the attacks could actually be done -- if only by the most expert security professionals, as main character Elliot is made out to be.

With the start of the second season, we thought it would be cool to take a look back at the first season’s hacks and how realistic they were..

1. The Cafe Wi-Fi Hack
The first time we meet Elliot, we see how his moral compass shows through in his approach to security -- and hacking. Much like Dexter, who only murdered society’s low-lifes, Elliot’s hacker motivation is to go after thieves, liars, and, in this case, pedophiles.

He’s de-anonymized traffic through the TOR network using the cafe’s surprisingly fast Wi-Fi network, where he discovered the cafe owner’s kiddie porn site and stash of pictures on the Dark Web. “The one in control of your exit nodes is the one in control of your traffic...which is me,” Elliot tells the dumbstruck coffee shop owner. As he gets up from the table, police stream in to catch the pedophile, after receiving an "anonymous tip."

Reality: While the hacking itself is pretty realistic, the way the cops instantly popped into the picture is far less realistic; just sending in a tip is unlikely to prompt a police throw-down within minutes. The lingo used during this scene is spot on, though, establishing both the show and Elliott as real security experts.

2. The DDoS Attack
Later in the first episode we’re witness to a major Distributed Denial of Service attack. The DDoS attack -- aimed at AllSafe, Elliot’s employer -- was designed as a cover for the bigger hack. F-Society, the ficticious hacking collective, had installed a rootkit in the system that would be used to steal data from AllSafe’s client, E-Corp. Elliot, later realizing that the hackers are targeting him and asking for his help, stops the attack from infecting other E-Corp servers but keeps the rootkit open on his own computer, allowing F-Society to maintain their presence in AllSafe’s systems.

Reality: This attack is well-done in terms of its realism, and Elliot even refers to a real DDoS mitigation organization, Prolexic, to further cement the attacks real-life rooting. DDoS attacks by themselves can do damage, but a DDoS attack that hides other attacks is a major threat to organizations can cause major issues when it diverts all the attention to the DDoS attack.

3. The HVAC Hack
Yet another example of the show mirroring reality is how F-Society used an air-conditioning system to get into the “most impenetrable” datacenter in the fifth episode by overheating the building in order to ruin the back up systems. HVAC is how experts speculate that Target was originally infected with the POS malware that caused the biggest hack of 2013.

Reality: This hack is possibly the least believable, if only for the fact that somebody would probably notice a rise in the temperature, prompting at least a look into the HVAC system. Additionally, at a place as secure as the fictional Steel Mountain Data Center, it’s likely that all systems are actively monitored and that even their HVAC system would be able to detect changes.

The Raspberry Pi part of the hack is most believable, because as the show’s technical advisor told Forbes, the device would connect, via Ethernet and the devices cellular network, to the building’s HVAC system in order to gain access. Just how real? This tutorial will teach you how to use a Raspberry Pi to control systems remotely.

4. The USB + Bluetooth Hacks
In the sixth episode, Elliot is blackmailed by a drug dealer he put in prison through an anonymous tip, in order to save his neighbor and love interest. Elliot tries to infiltrate the police department and change the prison records by spreading USBs around the department's parking lot. His goal: to get a police officer to plug in the malicious USB and grant Elliot access to the department’s data. However, the malware on the USB wasn’t hidden well enough to evade the police department’s malware detection program.

Elliot moves on to Plan B, narrowing the attack range to just one police officer’s car, as opposed to the station’s network. By spoofing the cop car’s bluetooth connection to Elliot’s mobile keyboard, he’s able to take over the computer in the cop car and upload malware to the prison’s database to complete his goal.

Reality: Hackers trying to get into hard-to-hack organizations have long used the method of dropping USBs into parking lots of a business they’re trying to hack. It’s also a long-known security industry practice to avoid sticking USBs you don’t own into your computer, specifically because of situations like the one in Mr. Robot. Bluetooth hacking is another plot point taken from real life, and there are real tools that can scan bluetooth points and extract information -- some without even needing to be paired to the device.

5. Social Engineering
Throughout the first season, social engineering played a starring role. One of the most memorable scenes is the one where Elliot gets a tour of the Steel Mountain facility after giving reception a fake name and building a Wikipedia page around that name. Bill, the man tasked with giving tours, first brushes Elliot off because he has no appointment, but after looking up the fake Wikipedia page, agrees to give him a tour. Elliot later verbally shreds Bill to pieces, using Bill’s weaknesses to exploit him. After Bill is replaced with a supervisor, the team fakes a dramatic and mysterious text message that makes the supervisor run out.

Reality: Social engineering is a huge part of the Hacker’s Toolbox, and can help get information or access for a bigger attack. Even the tools F-Society uses to social engineer Steel Mountain’s employees are real hacking tools. The Social Engineering Toolkit is used to spoof the SMS sent to the supervisor, and Kali Linux is used to break into the facility, a program pen testers use regularly to test security standards.

What was your favorite hack from Season One and what do you think of Season Two so far?

Related Content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

About the Author(s)

Sarah Vonnegut

Application Security Community Specialist, Checkmarx

Sarah is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. Her passion for writing and security have found a home at Checkmarx, where her team sheds light on lesser-known AppSec issues and strives to inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly connected, and therefore insecure, world.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights