
11:45 AM
Sarah Vonnegut

5 ‘Mr. Robot’ Hacks That Could Happen in Real Life

As season two of the popular TV series gets underway, we reality-check anti-hero Elliot's hacking prowess against real-life security and attack scenarios.

Hollywood hacking films have given the job of hacker a sort of glamour, with their fast-fingered hacks taking over the world while in picture-perfect makeup. And the InfoSec community has hated every single second of them. But where other movies and shows (we’re looking at you, CSI: Cyber) take far too many liberties with their hacking scenes, with no root in reality, one show has held up as a beacon of hope for how hacking can be realistically portrayed on the silver screen: Mr. Robot.

Although real-life security issues -- hackers finding XSS and blind SQLi vulnerabilities -- surrounded the premiere season last year, the show itself actively works to mimic real-life security and hacking scenarios. From accurate computer code, to the realism of using social engineering in getting the information needed for an attack, to the actual tools and slang the characters use, Mr. Robot has been mostly spot-on with the security stuff -- and the InfoSec community has sounded its approval.

And while many of the hack methods are condensed to allow the plot to continue, many of the attacks could actually be done -- if only by the most expert security professionals, as main character Elliot is made out to be.

By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=46841982

By USA Network (USA Network) [Public domain], via Wikimedia Commons

With the start of the second season, we thought it would be cool to take a look back at the first season’s hacks and how realistic they were.

1. The Cafe Wi-Fi Hack
The first time we meet Elliot, we see how his moral compass shows through in his approach to security -- and hacking. Much like Dexter, who only murdered society’s low-lifes, Elliot’s hacker motivation is to go after thieves, liars, and, in this case, pedophiles.

He’s de-anonymized traffic through the Tor network using the cafe’s surprisingly fast Wi-Fi network, where he discovered the cafe owner’s kiddie porn site and stash of pictures on the Dark Web. “The one in control of your exit nodes is the one in control of your traffic...which is me,” Elliot tells the dumbstruck coffee shop owner. As he gets up from the table, police stream in to catch the pedophile, after receiving an "anonymous tip."

Reality: While the hacking itself is pretty realistic, the way the cops instantly popped into the picture is far less realistic; just sending in a tip is unlikely to prompt a police throw-down within minutes. The lingo used during this scene is spot on, though, establishing both the show and Elliot as real security experts.

2. The DDoS Attack
Later in the first episode we’re witness to a major Distributed Denial of Service attack. The DDoS attack -- aimed at AllSafe, Elliot’s employer -- was designed as a cover for the bigger hack. F-Society, the fictitious hacking collective, had installed a rootkit in the system that would be used to steal data from AllSafe’s client, E-Corp. Elliot, later realizing that the hackers are targeting him and asking for his help, stops the attack from infecting other E-Corp servers but keeps the rootkit open on his own computer, allowing F-Society to maintain their presence in AllSafe’s systems.

Reality: This attack is well done in terms of its realism, and Elliot even refers to a real DDoS mitigation organization, Prolexic, to further cement the attack's real-life grounding. DDoS attacks by themselves can do damage, but a DDoS attack that hides other attacks is a major threat to organizations and can cause major issues when it diverts all the attention to the DDoS attack.

3. The HVAC Hack
Yet another example of the show mirroring reality comes in the fifth episode, when F-Society uses an air-conditioning system to get into the “most impenetrable” datacenter, overheating the building in order to ruin the backup systems. Experts speculate that an HVAC system was how Target was originally infected with the POS malware that caused the biggest hack of 2013.

Reality: This hack is possibly the least believable, if only for the fact that somebody would probably notice a rise in the temperature, prompting at least a look into the HVAC system. Additionally, at a place as secure as the fictional Steel Mountain Data Center, it’s likely that all systems are actively monitored and that even their HVAC system would be able to detect changes.

The Raspberry Pi part of the hack is most believable, because as the show’s technical advisor told Forbes, the device would connect, via Ethernet and the device's cellular network, to the building’s HVAC system in order to gain access. Just how real? This tutorial will teach you how to use a Raspberry Pi to control systems remotely.

4. The USB + Bluetooth Hacks
In the sixth episode, Elliot is blackmailed by a drug dealer he put in prison through an anonymous tip, in order to save his neighbor and love interest. Elliot tries to infiltrate the police department and change the prison records by spreading USBs around the department's parking lot. His goal: to get a police officer to plug in the malicious USB and grant Elliot access to the department’s data. However, the malware on the USB wasn’t hidden well enough to evade the police department’s malware detection program.

Elliot moves on to Plan B, narrowing the attack range to just one police officer’s car, as opposed to the station’s network. By spoofing the cop car’s Bluetooth connection to Elliot’s mobile keyboard, he’s able to take over the computer in the cop car and upload malware to the prison’s database to complete his goal.

Reality: Hackers trying to get into hard-to-hack organizations have long used the method of dropping USBs into parking lots of a business they’re trying to hack. It’s also a long-known security industry practice to avoid sticking USBs you don’t own into your computer, specifically because of situations like the one in Mr. Robot. Bluetooth hacking is another plot point taken from real life, and there are real tools that can scan Bluetooth points and extract information -- some without even needing to be paired to the device.

5. Social Engineering
Throughout the first season, social engineering played a starring role. One of the most memorable scenes is the one where Elliot gets a tour of the Steel Mountain facility after giving reception a fake name and building a Wikipedia page around that name. Bill, the man tasked with giving tours, first brushes Elliot off because he has no appointment, but after looking up the fake Wikipedia page, agrees to give him a tour. Elliot later verbally shreds Bill to pieces, using Bill’s weaknesses to exploit him. After Bill is replaced with a supervisor, the team fakes a dramatic and mysterious text message that makes the supervisor run out.

Reality: Social engineering is a huge part of the Hacker’s Toolbox, and can help get information or access for a bigger attack. Even the tools F-Society uses to social engineer Steel Mountain’s employees are real hacking tools. The Social-Engineer Toolkit is used to spoof the SMS sent to the supervisor, and Kali Linux, a program pen testers use regularly to test security standards, is used to break into the facility.

What was your favorite hack from Season One and what do you think of Season Two so far?


Sarah is an application security community specialist at Checkmarx, responsible for writing, editing, and managing the social media community. Her passion for writing and security has found a home at Checkmarx, where her team sheds light on lesser-known AppSec issues and ...

User Rank: Apprentice
7/23/2017 | 2:33:07 PM
Re: Hackers and Hollywood
Agreed, but this is not "100% accurate" as you said. I feel like they sacrificed a lot of details for the sake of storytelling; some of the stuff is straightforward wrong, as you can see here: https://www.offensive-security.com/faq/

But the overall quality is undeniable.
User Rank: Apprentice
3/23/2017 | 1:44:21 PM
Re: Hackers and Hollywood
Mr. Robot was a breakthrough in my opinion; it was the first show I've seen that actually bothered to do a bit of technical training before they filmed the show. Most shows are reduced to nonsense techno-babble because of the reason "if it sounds real – it is real". I know for a fact (from my sources at https://www.offensive-security.com/, the creators of Kali Linux) that the hacking in the show is 100% accurate.
User Rank: Author
3/13/2017 | 11:21:23 AM
Love it.
Great article.
User Rank: Ninja
12/27/2016 | 11:55:12 AM
Mental Illness as a Social Hack
I have to vote for the mental state of Elliot as a very realistic element of the hacker world.  While not a condition of all hackers and crackers, I've found many of my co-workers over the years who were brilliant in InfoSec and talented hackers had some variation of mental illness or intellectual "differences".  As a victim of mental illness myself, I fully appreciate Elliot's talent as a social engineer both aided and threatened by his tentative grip on reality.  I feel for him as he slips in and out of control and I appreciate the dichotomy of balancing the need to do something huge that supports a deeply held ideal, but still wanting to hide in the shadows and not be noticed at all.  Over time, I think it is very believable that one can slip into multiple personalities just to manage the conflicting needs, wants and desires. 

I can see past the artistic license taken, too. Some are trying to apply literal comparisons to the real-life world of hacking, but just like The Girl With the Dragon Tattoo, we have to appreciate the element of art that is being infused into the story. Let's reserve literal comparisons that draw criticism for bio-pics on personas like Snowden and Assange where it's important to know what is misinformation and what is reality. Mr. Robot is artistic entertainment, with a little much-needed social commentary sprinkled on top.
User Rank: Ninja
7/27/2016 | 9:57:13 AM
Hackers and Hollywood
Awesome review of the first season of an awesome show. I cannot wait to see what will inspire season 2, from the largest data breaches of healthcare companies and government agencies to, very recently, political organizations. But this raises the important question of the role of Hollywood in raising awareness for a new "profession": hacker. Since the 70s hackers have been prosecuted but also admired by the public. The fame of some can outrage the pure white hat security professional, but Hollywood and the film industry have made a point recently to portray hackers as modern "Robin Hood". Let's just hope that this show keeps its course of portraying past real hacks versus designing new hacks and inspiring criminal hackers in learning. Many other criminal shows have been unfortunately down that path before.