[Spoiler Alert] This article discusses plot points and hidden secrets of eps2.5_h4ndshake.sme. If you haven’t watched it yet, check it out on USA Network, Amazon, or iTunes before coming back to learn about its hackuracy.
Hello, I see you.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
If Mr. Robot is your first experience with Hollywood hacking, you’re probably thinking the entertainment industry is pretty tech savvy. For fun, let me remind you how amusing Hollywood hacking usually is – remember this classic hacking scene from the ABC hit show Castle. Go watch it, I’ll wait…Blinky boxes, spinning matrix cubes and “cyber nukes” may look exciting and sound impressively technical to directors, but they make real Infosec experts cringe. This isn’t a one-off either, another example being this single keyboard, dual hack from NCIS. I’ve said it before and I’ll say it again, examining the “hackuracy” of Mr. Robot each week is a pleasure, because the show actually depicts hacking and technology accurately.
There’s just one problem – there was very little true hacking this week. That’s not to say that Episode 7 sucked; it was intense, with plenty of plot and character developments and a few big twists. We learned surprising new things about characters like Leon (Joey Bada$$ lives up to that namesake), and even got a surprise ending (I made a small reference to this possibility in the Rewind article covering Episode 4). Despite all this story action, the episode had very little relevant keyboard and screen time. Let’s analyze what little there was.
Elliot is an Nginx wizard… or is he?
The only screen time Elliot has in this episode is when Ray and his thug sidekick forced him to finish recovering the Tor-based black market site. This scene is less hacking and more basic server admin. We see Elliot SSH to the marketplace server (hosted at a fake Rackspace-like domain). Then he uses a common Linux text editor called Nano to open the Nginx (pronounced Engine X) web server’s config file and make changes. Finally, he makes a symbolic link to the config file and restarts the Nginx server.
Overall, this CLI interaction is legit, especially when compared to things like that Castle scene. However, if I’m being very picky, the scene has a few problems a pedantic nerd would obsess over.
In my opinion, a hacker like Elliot wouldn’t use Nano. There are many text editors that can be used in Linux. Vi (or Vim) and Emacs are historically the most popular, and every coder, power-user and hacker has an opinion on what’s better. The flame wars between editors became so common that you can even find comics about it. Nano is a great choice for casual Linux users because it’s probably one of the most simplistic text editors out there. But for an advanced hacker like Elliot, it lacks power features that the other common editors have.
There’s also an objective technical mistake in this scene. When Elliot edits the Nginx config, he programs the web server to listen on “127.0.0.1:80.”
Network savvy readers probably recognize 127.0.0.1 as the localhost IP address. This is the IP address a computer can use to refer to itself on the network. If you configure Nginx in this way, it will only respond to requests from itself to its website. It will only respond to localhost requests, not to computers on the Internet or even local networks. The show later confirms that not only did Elliot bring the server up, but that he brought it up to everyone in the world (without Tor’s protection). So, this localhost config doesn’t make sense in the context of the story. A small technical flub, yes, but still way more accurate than two hackers, one keyboard.
Hacked surveillance systems take significant lateral movement
This next topic is less about hackuracy and more about hacks of omission. In one scene from this episode, Dom tries to check Evil Corp’s surveillance footage from the 23rd floor after suspecting that Angela was up to no good. Low and behold, all the surveillance footage from that floor had been mysteriously corrupted or deleted.
The implication here is that Fsociety used their illicit access to wipe surveillance. In fact, Darlene confirmed this when she told Angela that she couldn’t remove video evidence of her involvement unless the hack was completed (which she did earlier in this episode by using ifconfig to bring the femtocell’s wireless interfaces back up).
Fsociety having access to this surveillance system and hacking it is plausible. However, it’s not as simple as the show makes it seem. The femtocell, which Darlene can access over Wi-Fi, has a hard-wired connection into Evil Corp’s network. So, this does give Fsociety the internal network access they need to gain access to more Evil Corp systems. In general, most organizations’ networks have a hard and crunchy perimeter (using a firewall), but a soft and chewy center. In other words, many corporations don’t spend much time protecting the internal network. Once you’re on that network, you tend to have free reign to access any internal network system. So, it’s certainly possible that the femtocell hack would give Fsociety the network access they need to this internal surveillance system.
However, gaining control of it wouldn’t be so simple. There really are only two ways you might hack it. First, the system may suffer from some software vulnerability you could exploit to gain control of it. However, you’d have to know which surveillance software the company uses to understand if it has a historical vulnerability. Did Fsociety know what surveillance software Evil Corp used beforehand, or did they do the recon in less than 10 minutes? Also, if you weren’t already aware of this vulnerability, you’d have to fuzz test to find one on your own, which takes time and serious skill. You might also hack the surveillance system simply by stealing the credentials necessary to log in as a legitimate user. However, this too takes time and effort. Fsociety would have to use their internal network access to hack an Evil Corp Windows computer in order to steal credentials. However, it isn’t likely that they’d immediately find a user with the exact privileges they’d need to access the surveillance systems, so they’d have to use whatever credential they gained to see if they could access other computers to find more credentials. They’d repeat these steps until they eventually found a more privileged set of credentials that would give them the access they’re looking for.
In short, the idea that Fsociety could “pivot” access from the femtocell to other systems on Evil Corp’s network is actually plausible. But this lateral movement is not “automagic.” It takes time and effort to hack and gain privileges on other systems, even if an organization doesn’t have any internal networking safeguards. Since the show doesn’t explain how Fsociety gets into the surveillance system, there are no real technical mistakes here. However, it is somewhat of an error by omission, simply because I think it would take more time for Fsociety to hack that surveillance system than the episode portrayed.
Other technical odds and ends
Despite the limited amount of real hacking this week, the show did contain a few other technical odds and ends:
- Dom asks another agent to investigate Angela’s computer after she leaves, but also mentions, “you probably won’t find anything.” That is one of the benefits of a “Live” bootable Linux distro. Last episode, Darlene had Angela boot a “Live” version of Kali from a USB stick. Using a live Linux distro and making sure to power off will help to eliminate any trace of a hack.
- According to a news cast during this episode, it looks like Ecoin (Evil Corp’s cryptocurrency) is getting popular during the 5/9 fallout. More evidence that the overall China/WhiteRose/Price play for this hack revolves around gaining financial advantage via Ecoin.
- You’ve got to love the line, “We just owned the FBI.”
Don’t forget the Easter egg hunt
As always, this episode included a few new Easter eggs for watchful fans. I won’t spoil all the surprises, but for a head start, take a second look at the screenshots in this article to find an IP and URL you can follow. So far I haven’t found any new puzzles in the source, but perhaps you can do better than me.
Gleaning knowledge from a hack-free episode
With no hacks to speak of you’d think it would be hard to find some information security lessons in this episode. However, there are two tidbits that come to mind.
1. Don’t leave your network with a soft and chewy center. We can assume that Evil Corp probably didn’t do much to segment their internal network, given how Fsociety easily accessed their surveillance systems. Today’s advanced firewalls are designed to offer protection beyond the network perimeter and can be used to place network security controls between your trusted internal networks.
2. Stay forever vigilant. The leader of the church group tells Elliot, “I know you’re afraid, but the fear you have is the right one. It means you’ll be forever vigilant.” Frankly, she is misreading Elliot (or at least who he’s “talking” to), and she isn’t talking about computers at all. However, the notion of staying forever vigilant applies directly to Infosec. One of the best protections out there is simply being aware of the potential hacks and cautious about what you do online. These are things anyone and everyone should do to protect themselves
Even without hacks, Mr. Robot offers plenty of tech to discuss. Even so, I sure hope Elliot gets back in action soon. Join us next week, and leave your thoughts, theories, feedback, and Easter eggs in the comments below.
I’d like if we can trust each other again. Let’s shake on it.
