Spoiler Alert: If you aren’t totally caught up on Mr. Robot, you may want to read this later. While this post spends more time talking about the show’s technology than the plot, it will touch on plot elements you may want to experience first hand. You’ve been warned!
Is anyone else out there loving Mr. Robot this week? A genuine parallel to the real world of hacking, this show continues to surprise me with its compelling narrative and carefully constructed technical aspects. If you didn’t catch my first post, every Friday I’ll be analyzing each week’s episode of Mr. Robot here, to share what it gets technically right and wrong about hacking and infosec. Let’s dive in and take a closer look at this week’s episode.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot Season 1 each week on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
Wednesday night was a wild ride. There’s so much non-technical, scandalous stuff going on, it’s hard not to just dish about that. For instance, Evil Corp’s Interim CTO and wife would probably get along great with Patrick Batemen. But we’re here for the technical hacking stuff, which was in no short supply throughout Episode 5, so lets get down to business.
The theme of this episode was social engineering, which is another way of saying exploiting human beings. This show’s attention to social engineering is one of the things that make it so authentic, and this episode highlights the almost symbiotic relationship between digital and social attacks. Many digital attacks wouldn’t succeed without successfully preying on human weakness; meanwhile many social attacks wouldn’t succeed without the publicly available digital information used to target them.
Accurate RFID or key card cloning
We first see this symbiotic relationship play out in the very technically accurate key card operation. To get into the Steel Mountain facility, Fsociety first needs to get access to a valid employee’s security key card. We see Mr. Robot (Elliot’s Tyler Durden?) bump into a dude wearing a key card around his neck in a coffee shop. Less technical people may not have realized Mr. Robot had a HID or RFID card cloner in his messenger bag. Security key cards have special wireless chips (RFID or NFC) in them that are activated within close proximity to a reader. By pretending to bump into the victim, Mr. Robot got the hidden cloner close enough to the key card to activate the wireless proximity chip, and digitally skim a copy of the victim’s security key card. Clever and discreet.
This entire scenario is completely accurate. You’ll find many research papers and presentations discussing RFID and NFC cloning. HID and RFID cloners are easily found for purchase online. In fact, the scene is so accurate that the glimpse you see of the cloning software is almost identical to the real thing.
This scene also illustrates the connection between social and digital attacks. While cloning a key card is entirely digital, getting close enough to someone to do so requires a social con – in this case, the faked bump.
Digital Reconnaissance & Social Engineering
Once Fsociety gets Elliot through Steel Mountain’s front gate, the real social engineering begins. Simple social engineering tricks like the borrowing mobile phones work well without any preparation, but conning victims into doing something more significant often requires addition digital reconnaissance. As Elliot says, you need to know your victim’s weaknesses in order to exploit them.
Elliot had to trick “Bill” and his supervisor into doing things they normally wouldn’t do, like taking him on an unscheduled tour, or giving him access to the 2nd level. To do so, Fsociety had to learn enough about their targets to press the right psychological buttons. Real threat actors use social media and their victims’ online presence for reconnaissance all the time to better target their attacks.
If I was being very nit-picky, my only complaint with this scene is that today’s more sophisticated attackers wouldn’t manually search social networks to gather this reconnaissance information. Rather, they’d likely use the freely available tools, like Maltego, which automatically gather publicly available information.
Real Social Engineering Tools
Even the best-laid plans don’t always come off without a hitch. Unfortunate timing and events outside of their control prevent Fsociety from encountering the supervisor they’d planned for. Without going into all the details, one of the Fsociety crew has the idea to send a spoofed SMS message to the new supervisor, hoping to distract her.
During this sequence we see shots of the tools they use to send this spoofed text. Security professionals might notice two things from this screen shot. First, Fsociety is using a real penetration testing distribution called Kali. Second, the tool they use to send the spoofed text also really exists. It’s called the Social Engineering Toolkit (SET). Not only is the episode’s premise of SMS spoofing accurate, but the tool they use really works as advertised. Definitely a technical win, IMHO.
Another great technical win this week was the idea of placing a Raspberry Pi in a hidden place to gain remote access to the facility. This is done through cellular connections or by making a reverse network connection to the outside world. In fact, real-world hackers have been doing this for a long time with other devices like the Sega Dreamcast.
A few minor missteps
To be honest, I think this episode gets it mostly right. In fact, this week’s misses are just my minor quibbles.
- When Darlene is chatting with the Dark Army on IRC she gets kick-banned. Despite getting banned, she tries to join the IRC channel again. I might buy her doing this once, but she actually tries it twice. Any hacker worth her salt would be too logical to try to just login again after being booted. A true hacker would be too smart to try such a pointless task twice.
- I also don’t buy Elliot’s mentality while he was pulling off this week’s social engineering heist. He seemed scared and unsure of himself. Social engineering is all about confidence, and real social engineers know this. We already saw Elliot act like a confident social engineer earlier this season (when he asked to borrow a phone), so I don’t really get why he was suddenly timid here. You walk in a building as though you own it, and people believe you belong there. Anyone acting like Elliot did would not succeed.
- Finally, though installing a Raspberry Pi to gain remote network access to HVAC system is plausible, the fact that there was a random closet with a HVAC control unit in the bathroom seemed a little far-fetched to me.
If you can learn anything from this episode, it’s to beware of the power of social engineering. The more present you are online, the more material ill-motivated actors out there have to use against you. As you interact publicly, consider what you really want strangers to know about you. Consider adjusting your privacy setting on social networks to only share certain things with people you can trust.
Well that’s it for this week. I invite you to check back each Friday to explore the duration of this season. What did you think of this episode? Are there any other technical wins or fails you saw? Let me know in the comments below.
For predictions, further commentary and general musings on the show, join the conversation below in the comments, or on Twitter using #MrRobotRewind. Tweet me @SecAdept.