Six Things I Learned from Mr. Robot

Mr. Robot is an amazingly accurate series about a hacker (Elliot Alderson) and his, uhm, undertakings. Many cybersecurity experts consult on the series, so every hack that happens is actually properly executed, using real tools and commands that do exactly what an infosec expert would expect. Nothing shown on screen is the usual bullshit TV hacking. And that is awesome and scary in a number of ways.

Obviously, this post is full of spoilers, so SPOILER ALERT, if you haven’t watched it, go and do that and then continue reading. Another disclaimer I have to make is that if you were to use the tools and techniques below, that should only be for ethical hacking, penetration testing and other legal activities.

The series has many hacks happening, from connecting to a neighbor’s WiFi, guessing people’s social media passwords and installing malware via flash drives, to complex social engineering plots, an HSM hack, the use of steganography and other advanced stuff. There’s even a tool pack with everything that’s used in the series. I’m fairly well-versed in the cybersecurity domain so even though I haven’t performed any hacks, most of the things happening on screen were familiar. But I did learn some interesting things from the series, which I’d like to share, as they sparked my interest and made me read a bit more. Many hacking scenes require you to pause and try to read what’s on screen, but that makes it even more fun.

  • proxychains – many tools are in use in the series, and Kali Linux is often used. But I wasn’t familiar with one particular tool that I think is crucial. Proxychains. I know, I’m a n00b to have never heard about it. What it does is basically run a command via a SOCKS or HTTP proxy. By default it uses Tor, but as Elliot knows that the NSA might be watching the Tor exit nodes, he switches to a regular proxy to execute the main attack in Season 1. Running “proxychains curl https://google.com” would open Google via the pre-configured proxy. This is very important to avoid being caught, and makes attribution and forensics much harder. To be fair, I didn’t see exactly where Elliot uses proxychains, but several people claim he uses it. Even if it’s not on the show, I learned about it after reading about the hacks, so it counts.
  • shred -z – I know and I’ve used the shred command. However, I didn’t know it has a “-z” argument, which is documented as “add a final overwrite with zeros to hide shredding”. I guess there are more of these minor tool options here and there, but that’s an important point about covering one’s tracks. If you don’t do the zeroing, eventually, with proper forensics, they might discover that something was there (and was shredded).
  • How encryption ransomware works – ransomware that encrypts all your files and then asks for bitcoin in order to decrypt them is something fairly well known. However, I didn’t know exactly how these ransomware programs work – e.g. what they use for encryption. It appears that Darlene may have modified CryptoLocker in order to encrypt E Corp’s data. I was interested in that because at the end of season 3 Elliot finds a key that can undo the hack that rendered E Corp’s data unusable and he sends an RSA private key (via ProtonMail). Why would they encrypt something with RSA if they explicitly said they used AES? Well, it turns out that CryptoLocker (and others) work by generating one AES key per file, encrypting the file, then encrypting the AES key with the RSA public key and storing the encrypted AES key alongside the file. That’s a sensible approach because the private key never leaves the attacker and can’t be intercepted. But using asymmetric encryption to encrypt large volumes is not a good idea (it’s slow). So whenever asymmetric encryption is used, it’s always used to encrypt a symmetric key that is then used to encrypt/decrypt the actual data. And the fact that they reused existing ransomware rather than creating something from scratch allowed Mr. Robot to keep the RSA private key (that can be used to decrypt everything) rather than throwing it away.
  • UPS devices explode – I guess I’m just not good with hardware. I used to own a UPS, and I know it’s a battery and batteries sometimes malfunction (hello, Samsung), but the fact that the firmware controls important physical parameters that could in theory lead to the UPS exploding was not something I had thought about (shame on me, especially given that for one semester I’ve been taking chemistry classes). The answers in this thread are interesting – basically it’s absolutely expected for a UPS to explode (just not all of them at the same time). In the end, it’s very unlikely that the particular hack would succeed, but exploding UPSs are a reality. And that is an important point – you can’t trust your hardware either.
  • IMSI catchers – while I’m aware that mobile communication standards (SS7) are insecure, I didn’t know exactly how. I’ve worked on telecom projects, but more on the business logic/billing side, so I was unaware of the devices available to be used for MITM attacks. IMSI catchers allow intercepting one’s mobile phone communication based on the fact that mobile phones try to optimize their coverage, combined with the lack of cell authentication. The bottom line here is you can’t rely on plain calls or SMS to be secure. So don’t use SMS for 2FA (shown as weak in season 4). Basically, use Signal for communication and TOTP for 2FA (but keep in mind that it lacks non-repudiation).
  • HSM “cloning” – this is a complicated scene that shows how Angela copies keys from an HSM. It’s explained in detail here and here. The premise of the hack was that Elliot had upgraded the UPS firmware to only accept updates that are signed by E Corp’s private key. That means that you can’t compromise them unless you own the keys; however, the keys are stored on a hardware security module that doesn’t allow them to be copied. I knew what an HSM is and what it does; what I didn’t know is the procedure for performing an HSM backup. It turns out they used an actual SafeNet HSM to back up the original one, which then allowed them to sign whatever they wanted on behalf of E Corp. The private keys never left the HSMs, of course (which is the whole point of HSMs), but by backing it up on one that’s controlled by the adversary, they effectively “leaked” the keys. The HSM backup procedure is complex and requires USB keys to unlock certain stages of the process. Normally these keys should be stored in safes (and not lying around, as depicted), but not strictly following procedures is not uncommon in organizations.
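
To make the TOTP remark in the IMSI-catcher item concrete, here is an added example (not from the original post or the show): a standard-library Python implementation of RFC 6238 that shows the server deriving the very same code from the shared secret, which is why TOTP lacks non-repudiation. The secret is the RFC 6238 test key; the `verify` helper with its drift window and replay guard is an illustrative assumption.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret; a real secret is random and per-user.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, submitted, unix_time, step=30, window=1, last_counter=-1):
    """Illustrative server-side check (hypothetical helper, not from the post).

    Accepts +/- `window` steps of clock drift and skips counters that were
    already accepted, so an intercepted code cannot be replayed.
    Returns the matched counter, or None.
    """
    now = unix_time // step
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, len(submitted))
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    phone_code = totp(RFC_SECRET, 59)    # what the authenticator app shows
    server_code = totp(RFC_SECRET, 59)   # server computes it from the same key
    print(phone_code == server_code)     # both sides can mint the code
    accepted = verify(RFC_SECRET, phone_code, 59)
    print(accepted, verify(RFC_SECRET, phone_code, 64, last_counter=accepted))
```

Because the phone and the server hold the same key, a valid code proves only that someone with the secret produced it, not which party did.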

Of course, the point of Mr. Robot is not to be educational and explain all of these things that happen (which sometimes makes me wonder – do non-technical people enjoy it as much?). But while some of the things that happen are obvious, for the ones above I was “well, I’ve got to read more about that” or “hey, how did that work exactly?”. So it’s not that I learned these things from Mr. Robot, but I read about them in detail because of Mr. Robot. And that’s great – if a show can simultaneously be enjoyable and make you read and learn stuff.

The scary thing about the series is that although it’s fiction, everything is realistic. Almost every hack depicted can happen in real life, and probably has happened. The social engineering parts may be a bit optimistic, but they are entirely plausible. The “wildest” hacks require some suspension of disbelief but even they are theoretically possible at least. The feeling that everything can be hacked and exploited is, unfortunately, realistic. You get that same feeling after watching a few DEF CON or CCC talks. And that’s why cybersecurity is important. Because things that are not hacked yet are not safe, they are just not interesting enough.

1 thought on “Six Things I Learned from Mr. Robot”

  1. Mr. Robot is one of my favorite shows especially due to the tech aspect. I also know a few people it inspired to take up coding but this is definitely the first time I’ve seen it being used for education. Great post! Very interesting to read.
