(Photo via USA Network).
(Photo via USA Network).

[Spoiler Alert] This article discusses plot points and hidden secrets of eps2.7_init_5.fve. If you haven’t watched it yet, check it out on USA Network, Amazon, or iTunes before coming back to learn about its hackuracy.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

Have you ever found yourself watching Mr. Robot for its thrilling drama and artistic vision only to wonder if the high-tech hacks actually work? If so, you’ve come to the right place. In this Mr. Robot Rewind series, I analyze the tech and hacking accuracy or “hackuracy” of each episode. With Elliot out of jail and back in action there’s plenty to dissect this episode, so let’s jump right in.

Elliot Returns to Init 5

Our first topic is a geeky reference rather than a hack. At the beginning of the episode, Elliot mentions Init 5. He says;

“Init 5, return to normal… Init 5 is supposed to bring color and sound.”

If you’ve followed the show and this article series, you probably recognize this is a callback to Elliot’s references to Init 1. These refer to runlevels on Unix and Linux computers. Check out our episode 4 Rewind article for full details, but Init 1 is essentially a safe mode, where your computer boots to a command line with no networking or graphical desktop support.

Init 5 (or V) on the other hand is your computer’s normal runlevel. This is where it loads with full networking and graphical desktop support. Great little technical metaphors — and how they add a deeper layer to the storytelling — is why this show resonates so well with geeky audiences.

Angela’s Rubber Ducky Hack has a Hole

In episode 6, you saw a glimpse of a USB hacking device called a Rubber Ducky. As I mentioned in that last Rewind, the Rubber Ducky is a real USB device that mimics a keyboard. You can create keyboard scripts that run as soon as you plug the device in, allowing it to do anything a person at a keyboard could do.

Figure 1: Angela brings back the Rubber Ducky.
Figure 1: Angela brings back the Rubber Ducky.

This episode, Angela wanted to get her hands on some confidential “Washington Township Leak” legal files at Ecorp. So was this hack technically accurate? Well… some of it was.

This scene was a little frustrating for an Infosec professional because it gets so much perfectly right, but has one strange misstep, and one gaping hole that’s never explained. Let’s take it step by step:

1. Social engineering (SocEng) the receptionist – This totally checks out, and is not worth detailing. If you ever visit the DEF CON conference, you should check out the social engineering contest where you can listen in on live SocEng calls.

2. Uncasing the Rubber Ducky – When Angela gets into Joseph’s office, she first removes the case of the Rubber Ducky before plugging it in. Why’d she do that? I sure don’t know. We see that the device has a micro SD slot used to add storage for certain attacks. Later, we see Angela open the device to pull this card and grab the log file for her password attack. However, there’s no need to take off the case during this part of the attack. This is a small detail, but it was enough to distract me from the action.

Figure 2: She doesn't need to open the Ducky here.
Figure 2: She doesn’t need to open the Ducky here.

3. Stealing passwords with a Rubber Ducky – This is actually possible in less than 15 seconds. The Ducky is a really fast, automated programmed keyboard. You can script it to do anything a user could do at his own computer. There are sites that share many Ducky payload scripts, including ones that open a shell, load various password-cracking tools and run them. There are many tools that allow you to grab password data, primarily for offline cracking. However, Mimikatz is one of the more popular tools since it can pull active cleartext passwords from memory, in seconds with no cracking. So with the Ducky Mimikatz payload, it’s quite plausible for an attacker to grab a user’s password just by plugging in this small USB key.

4. The Windows lock screen! – However, there is one BIG caveat here. Rubber Duckies can’t do much unless a user is logged in and already past the Windows lock screen. Since the Ducky is just a programmed keyboard, it has no magical way to get past a lock screen’s login prompt. It could try to enter pre-known credentials, or even have a script to brute force passwords, but that would take ages.

Frustratingly, the show doesn’t really tackle this issue. When Angela enters Joseph’s office, the monitor is black. We know the computer is on since the attack wouldn’t work otherwise. We also know Joseph’s been out of the office for a bit, but we don’t know the state of his computer. Is it locked, or did Joseph leave it logged in?

Figure 3: Is the Windows computer locked or not?!?!
Figure 3: Is the Windows computer locked or not?!?!

I can tell you, in the real world it would’ve been locked. I have not yet encountered a modern organization where the IT staff hasn’t set a Group Policy forcing your Windows computer to time out to the lock screen after a period of inactivity. In fact, many organizations even have this set to a fairly low period, say three to five minutes.

To some, this might sound like a small detail. However, it makes a huge difference to whether or not Angela’s Rubber Ducky attack would have worked. If the screen was locked, the hack would have failed miserably. In my opinion, the whole idea that Joseph’s screen could have been unlocked seems improbable.

By the way, had the screen been locked, there are still additional tricks Angela could have used to complete a similar hack. For instance, there is a tool called Kon-boot that allows people with physical access to a Windows computer to boot it in a way that bypasses the login screen. This would have gotten Angela to the point where the Rubber Ducky could run its scripts. However, this attack requires a reboot, making it take longer and ruling out the Mimikatz attack (rebooting removes the last user’s password from memory). So Angela would have had to rely on other Rubber Ducky password hacks, which tend to require additional cracking time.

5. Grabbing the password from the Mimikatz log – The rest of this scene is right on. After the attack, Angela would have to open the Ducky to get the memory card. Furthermore, the log file she opened (and additional files seen on the card) were all actually perfect replicas of how the Ducky Mimikatz attack really works. In the end, assuming the Rubber Ducky Mimikatz attack was past the lock screen and able to execute, it really would have returned Joseph’s cleartext password (holidayarmadillo) as the show displayed.

Mimikatz output
Figure 4: Mimikatz password attack results.

There is a lot of technical accuracy in this scene, and I really appreciate the show’s use of a real tool and a real password hack (Mimikatz). However, that black screen nags at me. This attack would not work had Joseph’s computer been locked. Since the show left the screen black, they don’t rule this possibility out one way or the other. For instance, perhaps Joe turned off his monitor but didn’t lock the screen. That said, I just don’t buy it. In this day and age, almost every office computer I’ve encountered is locked if a person leaves their desk for more than 5 minutes (otherwise, I would probably change their background screen as a prank, and lesson).

Was That an implied Airplane Hack?

In a pretty striking scene, we see Whiterose “deface” a gravestone that we learn belongs to the previous CEO of Ecorp. We also learn that the CEO died in an “accidental” plane crash. Later, in a veiled threat, Whiterose implies that he had that CEO killed. There are probably a number of ways a powerful nation state actor might arrange an “accidental” plane crash, but in a show about hacking, could a cyber attack be one?

Ok. This is probably a stretch. The show hasn’t really done much to imply Whiterose hacked a plane. Nonetheless, I thought it worth mentioning just so you could consider the possibility of whether or not a hack could crash an airplane. Believe it or not, it is within the realm of possibility. For instance, one researcher found a way to use an Android phone to control a plane. Now there is good news here. This attack was through a plane’s autopilot mechanisms. It’s trivial for a human pilot to simply override autopilot. For now, we still don’t know of any hacks that would literally crash a plane. Let’s hope it stays that way.

Remote Phone Hijacking is NOT Easy.

The huge hack this episode was when Elliot remotely plants spyware on a Dark Army officer’s (Xun’s) phone to “bug” him through the mobile’s microphone. Mr. Robot often grounds their hacks 100 percent in reality, to the extent that you can often download the tools the show uses and even replicate similar attacks yourself. However, this attack combines some real tools, with some theoretical attacks, making it harder to analyze. The TL;DR read version of this scene’s hackuracy is that the attack is theoretically possible, but likely harder than the short scene implies, and with more mitigating circumstances.

Before dissecting the potential details of this mobile hack, I want to remove a variable from the equation. In the scene, Elliot introduces a Pwnie Express Pwn Phone. This is a real thing, and it’s a fun accurate shoutout for Infosec folks. However, it might also make you think that this “hacking phone” somehow is the special sauce that makes it magically easier to hack other phones. That’s not the case at all. Pwn Phone is essentially just Kali Linux — the hacking distribution I’ve mentioned in many other Rewind articles — delivered on an Android device. While it makes for a very cool and portable hacking workstation, it doesn’t do anything that a computer with Kali can’t. BTW, you can actually build a Pwn Phone yourself if you really wanted; no need for this expensive device. Anyway, this device plays no required or special part in the phone hack, other than it’s a cool hacking toy for geeks.

Now, let’s focus on the hacking programs we do see. First, unlike other real scripts or tools Mr. Robot has shown before, the two hacking scripts we see in this scene are made up as far as I can tell. They appear to be based on real research, but they don’t really exist.

First, we see Elliot run a script called CrackSIM. This pretend tool appears to try to grab the Cryptographic Checksum (CC) of a SIM card, presumably for later cracking. The tool asks Elliot to enter an MSISDN number for the SIM, which is just a fancy acronym for the phone number. The tool presumably sends an SMS (text) message to the phone (probably an OTA SMS message which I’ll talk about later) that returns the SIM’s CC in the response. Now Elliot has the CC he needs to start cracking the SIM’s key.

CrackSIM
Figure 5: Running the imaginary CrackSIM script.

To crack the SIM key, and load malware, he uses another script called PwnPHONE (which has no relation to the Pwnie Express device). Once this completes, the script supposedly uploads malware to the SIM.

PwnPhoneComplete
Figure 6: PwnPHONE script completes.

While CrackSIM and PwnPHONE don’t exist, they do seem to be based on research presented by Karsten Nohls on rooting SIM cards. To some extent, SIM cards are like mini-computers within your phone. Some SIMs have over-the-air (OTA) update mechanisms that allow manufacturers to send software updates via text messages. However, you need to know the right key to be able to leverage the OTA update mechanism. Some older SIM cards use DES encryption keys, which are easier to crack than more robust encryption standards. Nohls’ research shows how you can crack SIM DES keys, sometimes in as little as a minute (using rainbow tables). Once you crack that key, you can use an SMS message to send an update to a SIM card that contains new code, and potentially malware.

There are many caveats to this attack, though. First, many SIMs use stronger encryption today. In 2013, only a quarter of SIMs used DES, and that number has probably fallen even more in recent years due to these weaknesses. The SIMs that use AES and 3DES aren’t easily cracked. Second, the code you can load to a SIM card only runs in a limited Java sandbox. While attackers could load malicious apps that had enough privilege to steal significant data from the SIM, it wouldn’t be trivial for this code to escape the Java sandbox, and gain access to the phone and its microphone. In short, even with Nohls’ research, I’m not sure how Elliot would have gone so easily from hacking the SIM to listening to the mic.

In the show’s defense, there are many ways to skin a cat, or in this case, to crack a phone. There have been plenty of real world attacks similar in nature to this one, though they have their own caveats. Just last week, researchers found that alleged nation-state actors were exploiting a complex combination of previously unknown zero-day vulnerabilities in iOS to take over iPhones. Once the phone was hijacked, the attackers loaded spyware which could do exactly what you saw in this Mr. Robot episode. However, in that case, the attacker had to trick a victim into clicking a malicious link for the attack to work.

Researchers have also disclosed vulnerabilities in a particular telco protocol called SS7. Attackers with access to the SS7 network can actually intercept and listen in on any call if they know your mobile’s identification number. However, only a few organizations (like telcos) have access to SS7, and this particular attack still doesn’t allow you to turn on a phone’s microphone outside of a call (only listen to calls over the network).

To summarize, this overall attack is all grounded in real theory. However, you shouldn’t worry about hackers really doing this today—at least not with just your phone number. Until they find new vulnerabilities in the latest SIM cards, or in mobile baseband radios, most mobile attacks like this still require some sort of user interaction to succeed. 

Predictions Coming True

I’ve already covered a lot in this article, so I don’t want to spend much time here, but if you caught my Mr. Robot Season 2 Predictions article from before the season, you might want to go back and see how I’ve done so far — especially after this episode. Esmail has taken his time closing some of the loops, but I think it’s safe to say that at least three of the four predictions have come at least partially true.

Defending against Duckies and USB Badness

Last week, my article shared some physical computer security tips after Fsociety hacked the kidnapped lawyer’s computer. This episode’s Rubber Ducky hack further illustrates why those physical security tips are so important… so let’s build on them.

First, I already mentioned the importance of setting passcodes and lock screens on your mobile device, but this week you should also realize why you need that lock screen and timeout on your computer, too. If you have a lock screen, a Rubber Ducky can’t really do much. Be sure to turn on your screen saver and lock screen, and set a relatively short inactivity time-out.

Second, the Rubber Ducky hack reminded me of the importance of boot security. I mentioned that one way Angela may have gotten past a lock screen was to leverage special boot tools like Kon-boot. In fact, Fsociety used a very similar type of tool last episode. One way you can prevent attackers from leveraging these is by adjusting some of your computer’s BIOS settings. Start by disabling the ability to boot from USB or CD in your BIOS, and then set a BIOS password. Doing this prevents attackers from leveraging boot tricks, but still allows you to use your password and temporarily enable USB boot when you need it.

Anyway, this was another great, and mostly technically accurate episode. Despite some of my geeky quibbles with the hacks this week, the research and detail the show runners put into Mr. Robot is far above any other show I’ve ever seen. I look forward to covering it again next week, and hope you share your thoughts and comments below.

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline

Job Listings on GeekWork

Find more jobs on GeekWork. Employers, post a job here.