‘Mr. Robot’ Rewind: Checking for vulnerabilities in Episode 4

[Spoiler Alert] This article may spoil some of the surprises from the latest episode of “Mr. Robot.” If you haven’t watched Season 2, Episode 4: eps2.2_init1.asec, check it out on USA Network or iTunes before coming back to this article to learn its secrets.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

Welcome back to the “Mr. Robot” Rewind series, where I gush like a teenage fanboy over the l33t h4x0r writing skills of the “Mr. Robot” team. Jokes aside, if you’re curious how much tech and hacking USA’s “Mr. Robot” gets right and wrong, you’ve come to the right place.

That said, when your hacker protagonist has forbidden himself from touching a computer, and his crew is on the run, there’s little hacking to be had. Luckily, even hack-free “Mr. Robot” episodes tend to include plenty of security and tech references. Let’s see how hackurate this episode was.

Darlene recovers from a crash with init 1

Our first geeky tech reference arrived about a minute into this episode, when Darlene interrupted Elliot by saying “init one.” In the scene, this seemed to be a sibling code word used to communicate a serious need for help. Later in the episode, we learned that init-1 was actually the first command Elliot ever taught her, when her computer was crashing.

On Linux and Unix based systems, init is the initialization process. It’s the first process that runs when a computer boots, responsible for every process thereafter. Init loads with various runlevels, which essentially define what state a machine boots into. For instance, runlevels decide whether or not to boot into multiuser mode, whether or not to load network services and whether or not to load a GUI or just the CLI.

Init-1 is single-user mode. Single user mode boots straight into a CLI as the superuser (root or administrative account) without any network services. You primarily use this runlevel to fix problems. If you’re more familiar with Windows, it’s kind of like booting into the command line Safe Mode without networking. In any case, typing the command “sudo init 1” will immediately drop a Linux computer into a mode where it’s cut off from all other machines, but able to fix local problems.

While the show never really explained any of this, Darlene’s use of “init one” immediately rings true as a code word for help. By saying it, she immediately conveyed to Elliot that she wanted to cut off outside distractions and get to the serious business of fixing a big problem.

You got your APN in my affiliate link

Not a few minutes later, we got to our second notable tech reference, and the closest thing to a hack this episode. As Darlene ordered delivery from Postmate — an IRL service that offers on-demand delivery for normal takeout — she bragged about how she’s getting her boyfriend’s Postmate coupons through some elaborate hack:

“I hacked Postmate’s proxy that supports the APN for my boyfriend’s cell carrier. Now it does a URL rewrite and sends every Postmate.com’s request to my affiliate link.”

Let’s decode these complex technical references starting with affiliate links.

A lot of e-commerce sites have affiliate programs where users, customers, or advertisers get some sort of benefit by referring to or using the e-commerce service. The e-commerce site tracks affiliate references through special links or URLs that contain affiliate ID information that the average user may never notice. For example, perhaps your favorite tech or gaming blog does a regular post on daily bargains. They conveniently place a “buy now” link in their post, which directs you straight to Amazon’s order page. You may not realize this link includes an affiliate ID, and your favorite blog earns a commission on anything you buy through that link.

Since affiliate clicks are worth money, criminal hackers are very interested in hijacking them, and have done so for years using multiple techniques. In any case, hackers can and do hijack affiliate programs for fun and profit, so this aspect of the reference is accurate.

Next, let’s talk proxies and URL rewriting. A proxy server is a computer that sits between you and the Internet. It acts as a go-between for all your connections to the outside world. You might legitimately use a proxy server to add some sort of security filtering or just to anonymize your connection. However, bad guys also use proxies to carry out man-in-the-middle attacks. Since the proxy server “sees” all your web requests, it can rewrite them in transit. When Darlene mentions URL rewriting, she means that if she controls a proxy server, she can rewrite affiliate IDs in all URLs, thus falsely gaining credit for her boyfriend’s referrals. This reference checks out.

That last piece of this puzzle is the mention of a cell carrier Access Point Name (APN). An APN is the name of the gateway your mobile device uses to get its data connection to the Internet. It’s the settings your mobile uses to identify itself on your carrier’s network, so that your carrier can route your data traffic properly. Among other things, APN settings can include a proxy server configuration. However, nowadays a lot of carriers lock users out of the APN settings. While some folks have messed with these settings before to try to get free Internet, or bypass carrier restrictions, it’s much harder to do today without jail broken, rooted or unlocked mobile devices. In other words, I don’t think injecting a proxy server into her boyfriends APN settings is as easy as Darlene suggests.

In the end, however, there are many ways to setup proxy servers on mobile devices (such as Global proxy settings). In essence, the basic building blocks of Darlene’s affiliate hack are quite plausible.

Elliot finally reunites with a computer

In this episode, we finally saw Elliot reunite with a computer. After coming to a stalemate with his alter ego, Elliot decided to help Ray with his computer problem (mostly to gain access to a computer so that he could contact his sister online). Ray gave Elliot some “migration” instructions and left him to work. Instead, Elliot connects to an Internet Relay Chat (IRC) channel to chat privately with his sister. Here’s how:

• First, Elliot used Putty, a well-known terminal emulator, to create a secure SSH connection to a Kali server (either his own at home, or perhaps one he’s previously hacked, like at Evil Corp’s colo data center). The IP he connected to hides a surprise for anyone willing to check in out.
• Then he ran the command Bitchx, which Linux users will recognize as a popular Linux IRC client.
• Finally, he connected with his sister.

None of this was hacking, nor is it particularly exciting or sophisticated to most Linux users. However, every detail was presented with extreme accuracy. Frankly, it’s rare for Hollywood to show realistic computer usage, rather than just “sexing it up” with glitzy graphics.

Many other minor technical nuances

This episode also contains many other fun and hackurate tech elements:

1. When describing how hard it was for his sister to ask for help, Elliot mentioned that you have to expose a vulnerability in order to patch it. However, he also pointed out that such exposure also opens you up to exploits. This analogy doesn’t only work well, but is a reference any hacker or information security professional will relate to, yet again grounding Elliot as a true “hacker.”
2. If you pause on the Tor server migration instructions, you’re treated to fairly technical step-by-step instructions to install an Nginx web server, install Tor, and migrate keys and data. These were accurate, but I have one complaint. Ray needed help because his other network IT guy claimed he couldn’t do this migration. The instructions referred to things any Linux network guy should be able to do. That said, the hard part would be setting up secure Bitcoin wallets, which the instructions didn’t cover at all.
3. During the phone conversation between Whiterose and Price, they mentioned an “Ecoin strategy.” This was likely a reference to these two using the economic collapse to gain some advantage in a cryptocurreny, which could replace money due to the 5/9 disaster. Bitcoin and cryptocurreny are very fascinating in real life too, and could potentially have economical ramifications in the future. By the way, if you look closely at previous episodes, you’ll find subtle references to “Ecoin,” which seems to be Evil Corp’s take on cryptocurrency.
4. We also learned that Whiterose has access to internal FBI communications. If you follow the news, you’ve probably seen the U.S. accuse China, and other nation states, of hacking various government agencies and stealing data, so this tech reference is definitely current.
5. In a final screen, we saw Elliot doing some FBI recon and learning that the agency switched from Blackberry mobiles (known to be relatively secure) to Android devices — something they seem to have done in reality. Hopefully, next episode we can look forward to Elliot hacking the FBI.

Easter in July

As always, this episode was packed with fun technical and artistic Easter eggs for those willing to dig deeper:

• If you pause and look at various documents and computer screens, you’ll find many IP addresses and domains that work in real life (192.251.68.249, 192.251.68.251, irc.eversible.co, irc.colo-solutions.net). Some of these take you to a website that shows a Tor logo, while others give you an emulated IRC server. If you solve a small puzzle on the IRC server, you’ll find another line from Elliot and Darlene’s chat conversation that you didn’t see in the episode. Hint: It seems to confirm how Elliot will penetrate the FBI.
• Sam Esmail’s use of music in every episode is crafty. In one scene, you hear a lullaby cover of Green Day’s “Basket Case.” Besides being hauntingly beautiful, this song’s lyrics touch on mental instability, which obviously fits with many of “Mr. Robot’s” characters. But I think its references go a little deeper. If you watch Green Day’s music video, you’ll see other parallels. The video is shot in a mental institute, which correlates to a theory about where Elliot may be. And some patients are wearing an interesting mask. It doesn’t perfectly match the Fsociety icon, but does bear some familiarities.
• This episode references “Operation Berenstain.” Though perhaps not intentional, this may relate to a parallel universe conspiracy.
• Elliot’s mother’s crossword puzzle likely hides some secrets. Visit Reddit if you want to dive deeper on this.
• Elliot and Mr. Robot’s stalemate chess game, symbolizing that neither can win this internal war, seems like a nod to a famous tic-tac-toe game in another popular hacker movie.
• The channel and nicknames used on the IRC server all have deeper meanings.
• You can also watch the Elliot and Darlene’s favorite fictional 1980s horror movie from this episode.

What lessons did we learn this week?

Without any real hacks, a key security moment in this episode was when Elliot explained the benefits and drawbacks that come with exposing vulnerabilities. The takeaway? Patch! While researchers exposing vulnerabilities might show hackers what can be exploited, it also allows software developers to fix the flaws. As long as you religiously apply security updates as soon as they’re available, you shouldn’t have to worry about hackers exploiting known flaws.

With this episode ending on the line, “I’m hacking the FBI,” the upcoming chapters are sure to be hacktion packed. Join us next time for another technical dive into “Mr. Robot,” and as always, leave your questions, observations and theories in the comments section below.