[Spoiler Alert] This article may spoil some of the surprises from the latest episode of “Mr. Robot.” If you haven’t watched eps2.4_m4ster-s1ave.aes, check it out on USA Network, Amazon, or iTunes before coming back to this article to learn its secrets.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.There aren’t many shows that can portray hacking and technology accurately, while managing to stay dramatic and interesting. USA’s cyber thriller “Mr. Robot” does such a good job at it that you can actually learn a lot by taking a deeper look the show’s hacks to examine their accuracy. So let’s take a look at Episode 6 and do just that.
Wow! This week was intense. With a period-accurate 80s flashback, Elliot in mortal danger, and Price trying to influence nation states, there’s plenty of drama I’d love to talk about. However, this series is about hackuracy, so it’s a good thing the episode contained an FBI cyber heist full of hacks and tech.
Angela’s hacking training
If you kept up with last week’s Rewind article, you know that Elliot and Darlene have set the stage to use a hacked femtocell to intercept and man-in-the-middle FBI Android phones. However, they need someone who can plant this Trojan cellular device on the FBI floor in the Evil Corp building. After a little consideration, Angela volunteered for the task.
This episode, Mobley and the fsociety crew struggle to quickly turn a tech newb into at least a script kiddie hacker, seemingly with little success. During the scene we see Angela learning to type commands for the hack.
As usual, this command line interaction (CLI) and the tools fsociety uses are very true to life. We see Angela in Kali, a popular hacking distro. The femtocell she’s practicing on seems to be loaded with OpenWRT, a popular and hackable Linux distro for routers and embedded devices. Even the commands she types are syntactically accurate. And while EnableAttack and femtopwn don’t relate to any real tools I know of, they could easily be a customized script. All in all, the CLI interaction itself is very accurate.
However, the one place this scene technically drops the ball is in the whole idea that Angela needs to learn and memorize these complex commands in the first place. Frankly, Mobley could have pre-written a script that ran all the commands they were trying to teach her. All she’d have to do then is run that one command to spark the entire attack. So realistically, the whole exercise of whether or not she’d execute the hack correctly was false drama. That said, I can understand how the show runners might sacrifice a bit of accuracy for some suspense during the heist.
Evil rubber duckies
During the training scene, we also see that Mobley is getting frustrated with Angela’s lack of 1337 skills, and doubts her ability to pull off the hack. To ensure they get some access to the FBI’s computer, he also gives her something he calls a Rubber Ducky, as a backup option.
The Rubber Ducky is a real thing. Many hackers have figured out how to create small USB keys that can act like Human Interface Devices (HID), essentially creating a scriptable virtual keyboard and mouse. When you plug in these small USB devices—which look like any other USB storage key—they can automatically launch a command prompt, hide it, and take control of the computer. The Rubber Ducky is a commercialized version of this released by a well known group called Hak5.
Skimming hotel keycards with Magspoof
During the Heist, while Angela drops the rogue femtocell, Darlene is setting up across from the Evil Corp building so that they can wirelessly exfiltrate the intercepted data. To do this, she needs to break into a hotel room (since she doesn’t want to leave a paper trail by checking in).
Before the episode aired, the show’s tech consultant, Kor Adana, tweeted that they would feature a tool from a well known hacker, Sammy Kamkar. During this scene, Darlene distracts a maid so she can run a small magnetic strip reader over the maid’s master keycard. Then she uses this small device to open the door of a hotel room.
This tool really exists, and it’s called MagSpoof. As Adana referenced, Kamkar designed this tool to basically allow you to skim credit cards and any magnetic strip card, in order to play the data back wirelessly, among other things. Again, Mr. Robot gets “+1 Internets” for accuracy.
One other note from this scene, when Darlene gets in the room you see her set up a weird tripod device on the window sill.
This device is a Wifi Yagi antenna, sometimes referred to as a “cantenna.” It can significantly extend WiFi range directionally. In fact, the cheap, homemade Pringles version of this type of antenna was very popular with DEF CON wireless hackers back in the day. Darlene is credibly using this to get to the wireless backchannel from the rogue femtocell across the way, in the Evil Corp building.
Dropping the rogue femtocell on the network
One of my potential hackuracy complaints has been that Darlene’s initial description of how Angela would have to plant the femtocell seemed too simplified. She appeared to imply that you could just drop this small, purely wireless device and be done with it. A femtocell is not small or unnoticeable and actually requires wired components.
In the end, I’m happy to say that the show portrayed the actual drop very realistically. Not only did Angela have to plug it in, but she even brought in battery backup power.
I do have one note about the special rogue femtocell that fsociety got from the Dark Army. The femtocells I’m aware of have a wired connection for Internet access and one cellular wireless radio to intercept cellular devices. This particular femtocell seems to have both cellular and WiFi. It seems that fsociety is using the WiFi connection to exfiltrate intercepted FBI data. Although I haven’t personally seen a femtocell featuring a WiFi component, it’s quite plausible that they could exist.
Saving the hack with Kali Live
The heist seems like a success once Angela plants the femtocell, but a minute later Darlene loses connection. To recover, she has Angela use a USB storage device to boot a live version of Kali. She then remotely logs in to the femtocell (probably over the Evil Corp office’s wired connection) and Darlene walks her through resetting both the device’s wireless interfaces (cellular and WiFi). Everything you see in this scene is accurate. I’ve talked about Kali a lot already in past articles, but the scene also realistically portrays the “Live” boot feature of this (and many other) Linux distros.
Keep your eye out for Easter eggs
Finding Easter eggs is half the fun, so I won’t go through every hidden detail in this episode.. I’ve previously advised that you search for IP addresses anytime you see a command line, and that advice holds true. I will say that in this episode, you should also look for IP addresses hidden in unexpected locations (this link will spoil this clue).
In any case, there are at least two fun sites you can find from this episode. One continues with the 80s reference by emulating an old school BBS (with even more hidden puzzles) and another allows you to follow along with the command Angela learned this episode, to learn more details about the hack.
So accurate you can learn from it
As I’ve said before, Mr. Robot’s hacks are often so accurate that you can learn from them. There’s plenty we can take away from a security standpoint this episode.
Rogue femtocells are dangerous because cellular phones within range of them will automatically connect. In my last article, I didn’t leave you with much hope for protecting against this attack, but I am aware of a few third party tools that help. For instance, the femtocell hackers themselves have released a tool called Femtocatcher. This tool can actually prevent your phone from connecting to rogues, with the caveat that you lose all network connectivity when you are near a rogue femtocell.
Between live booting USB hacking distros, and the Rubber Ducky, it is pretty clear that you should be using caution when it comes to USB devices you plug into your computer. For more USB security tips, check out a video I recently posted that explains USB HID attacks in more detail.
It was great to see the fsociety team back in total cyber heist mode this week! And more hacking action is sure to follow. Be sure to check in with “Mr. Robot” Rewind next week, and leave your thoughts, theories, feedback and Easter eggs in the comments below.