[Spoiler Alert] This article discusses technical plot points and hidden secrets of eps2.8_h1dden-pr0cess.axx. If you haven’t watched it yet, check it out on USA Network, Amazon, or iTunes before coming back to learn about its hackuracy.
OMG! That episode was intense.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
One of the biggest challenges of writing Mr. Robot Rewind, a series about the show’s hacking and tech accuracy, is refraining from covering the gripping and intense plot points. Besides being technically “hackurate,” the show is driven by a suspenseful and compelling story, with rich and layered characters. Things really heated up story-wise this week, so it’s hard to not dish about everything that happened, but we’re here for the hacks, right?
This episode did have one hack to analyze — Elliot tracking down Joanna’s mysterious caller. Let’s take a look.
Social engineering the police
Before analyzing the individual technical details of this heist, it’s probably useful to explain what Elliot is trying to do overall. Really, this whole attack is mostly just a social engineering (SocEng) con job on the police. Elliot is only using technology to make his SocEng attack look more legit, and to help cover his tracks.
Elliot wants to find the phone number and location of the mysterious person that has been calling Joanna’s phone. The caller ID information is blocked, so Elliot really has no information he can use for a direct hack. How can he find the caller’s number with nothing to start with?
The answer is the phone company. Your carrier has records for every call made on their network, and they can even triangulate a phone’s general location based on the cellular towers it used during the call. However, the phone company obviously won’t hand this information over to just anyone. That’s where the police come in.
While the Fourth Amendment of the Constitution protects American citizens from unlawful search and seizures, authorities can search your premises if they have probable cause and a warrant from a judge. This search and seizure law basically applies to your “digital” premises too, which is why police can use it to get phone companies to turn over caller records in cases where a phone is suspected to have been used for criminal purposes.
As you can imagine, securing a warrant can be something of a challenge for police. First, the process of getting one slows down their investigation. Second, judges should require the police provide some evidence of probable cause.
However, there is a loophole to all of this — exigent circumstances.
Basically, if police have probable cause and they believe they have a time constraint where a criminal could get away or harm others if they don’t act immediately, they can skip the warrant (and skip the step of having to present probable cause to a judge). In other words, it’s a shortcut to force phone companies to turn over data even without a warrant.
Elliot understands this loophole, and plans to exploit it get the caller’s phone number and location. If you are wondering if police can really do this, they can. In the scene, you see Elliot researching a “Mobile Law Enforcement Legal Compliance Guide.” While I believe the show’s was a mockup, it refers to real guides such as this one (or this one), which instruct police how to get records from various phone companies. These guides even describe how to use exigent circumstances.
In short, this whole heist is about Elliot pretending to be a cop so that he can socially engineer a phone company to turn over caller records, but as you’ll see, he needs a few tech tricks to make his SocEng scheme seem official.
Not all Pringles cantennas are created equal
The first thing Elliot does is hack up a Pringles can and put a device in it. When Joanna’s thug asks him what he’s doing, he says, “making a high-powered antenna.” In fact, if you’ve followed the Rewind series, I’ve already made reference to this very thing back in our episode 6 Rewind. Elliot is making a Pringles Cantenna, which is a homemade WiFi antenna that’s supposed to extend the range of your wireless signal and allow you to “direct” the signal more specifically.
Elliot does all this in order to connect to someone else’s wireless network. His heist involves a number of online activities and research, which he doesn’t want traced to him. Using a powerful antenna, not only can he connect to someone else’s network, but the target network can be located relatively far from his home.
Overall this Pringles Cantenna reference is accurate. Hackers have made many types of cheap, long-range wireless antennas, including this popular Pringles can example, and have even had wireless “sniping” competitions at conferences like DEF CON, to see who could access a wireless network from the furthest distance. At a high-level, this scene is right on.
However, I wouldn’t be a nerd without being a bit pedantic about details. I thought this was a good opportunity to introduce you to antenna and RF theory. Not all Pringle’s Cantennas are created equal. While I have seen many people on YouTube create ones similarly to the way Elliot does, I don’t believe it would be a very efficient design.
Cantenna’s do two things. First, they create a directional antenna. Most consumer WiFi antennas are omnidirectional, meaning their signal extends out equally in all directions. That’s perfect for situations when you want your wireless to work anywhere in your house, without having to point your antenna. A directional antenna, on the other hand, focuses the RF signal in one direction. This is great if you want to pinpoint the signal you want to connect to.
Second, depending on its design, the physics of an antenna can also extend its range. This is all based on wave theory. WiFi is just a radio frequency (RF) signal, which is a wave. Antennas are designed on the resonance principle and there’s a lot of math required to develop an efficient antenna. Depending on the signal you want to receive (2.4 or 5.8Ghz for WiFi), where you put things in an antenna really affects its efficiency.
To be more specific, we see Elliot cut a hole in the Pringles can, de-case a USB WiFi adapter (to expose its antenna), and put it in the can. However, exactly how far back he placed that WiFi adapter and antenna from the metal back of the can matters. There is a formula you use based on the RF wavelength that tells you an exact measurement for where to put the adapter. Elliot didn’t seem to measure.
More importantly, Elliot’s chosen Pringles design would probably create a directional antenna, but it probably wouldn’t increase range much — at least not as much as possible. To make a more efficient antenna, you have to take advantage of some of those resonance principles. The most popular Pringles Cantennas have done this by including a homemade Yagi collector inside the Pringles can (you even use the plastic lid as part of its design). Figure 2 shows a picture of such a collector.
This collector is made with careful measurements between elements, which take advantage of the resonance principle to create a truly “high-powered” antenna. Without that element, Elliot’s Pringle Cantenna wouldn’t have the maximum range it could have.
In any case, I realize the show doesn’t have time to go into this detail. The use of a DIY Cantenna to extend wireless range is accurate, and the show’s use of the Pringles option is a great shout out to the hacking community. However, if you ever decide to make one of these yourself, realize you want to include this collector in your design. And also know that there is math and measurement involved in making one of these properly.
Spoofing a fax with Hylafax
With his Pringles Cantenna, Elliot can join someone else’s network — presumable far from his home — so anyone that tracks his activity will now find this poor scapegoat’s network.
Elliot first uses this network to research the NYPD’s phone information request procedures and download his favorite tools (Kali). It turns out that police have to submit these exigent circumstance phone record requests via fax. In order to help sell his upcoming SocEng attempt, Elliot has to follow this normal procedure, so he downloads the right paperwork and finds the NYPD’s fax number. By the way, if you’re wondering how realistic it is to find this exigent request paperwork publically available online, it appears to be fairly credible.
Now comes the technical part of the heist: Sending a realistic looking NYPD fax without leaving footprints. I assume this is why Elliot uses someone else’s WiFi.
Observant viewers may have noticed that Elliot uses a software faxing server called HylaFAX to do this. In one screen, you see his exact command line.
Sendfax –f “US Mobile Law Enforcement”-r “Exigent Circumstance form” –X “NYPD” –x “US Mobile” –d 2125550117 –h ttyIAX@localhost scannedexigentform.tif
This is an accurate command to send a fax with the HylaFAX software. Since the software allows you to customize whatever “from” and “company” headers on a fax you want, Elliot can use it to make the fax seem like it’s from the NYPD. So far all of this is a very accurate way to use a computer to send a fraudulent fax.
However, there’s another thing to consider here. Eventually, a fax must go through a plain old telephone system (POTS). While there’s plenty of products, like HylaFAX, that can send faxes from computers, they were initially designed to use modems. Modems have to connect through good ol’ phone lines, which would offer a phone number that police could track. However, we don’t see Elliot use a modem, and that would defeat the anonymity he seems to be trying to get by using someone else’s Internet connection.
The good news is there are tools that allow software like HylaFAX to use voice over IP (VoIP) services to send faxes. Granted, in the past VoIP and faxing didn’t get along, but new standards make it possible to fax from VoIP services. Believe it or not, you can tell Elliot must have considered all of this by his command line. To get Hylafax to work with VoIP, you need a software modem like IAXmodem, which we know Elliot used because of the interface name in his command: “ttyIAX@localhost.”
So far, so good. Elliot’s HylaFAX command is right, and we see he knows how to get the fax to go over the Internet, through someone else’s WiFi. However, there is still one potential problem with this attack. To use VoIP to send a fax, you still need an Internet-based VoIP service. There are many services that offer this, but usually for a cost. You’d have to sign up and pay to use them, leaving a footprint that authorities might use to track you and your spoofed fax down. The scene doesn’t really seem to cover how Elliot gets by this caveat, but I believe there is a solution… Google Voice.
Google Voice is one of the only VoIP services that offers local calls for free. Furthermore, it’s not hard to make an anonymous Google account. My guess is, Elliot could use Google Voice with a faked account so police couldn’t track him down through the VoIP service.
To summarize, the entire idea that you can send a spoofed fax over someone else’s Internet is accurate. However, you’d need a VoIP service to do so, and that service potentially could leave clues that the police could use to find you. That said, while this episode didn’t specify show how Elliot got around this caveat, there are ways he could.
A few other fun technical odds and ends
As always, the show runners bury all kinds of other fun technical nods for those that are looking.
- Check out the WiFi SSID names when Elliot connects to someone else’s network. Many are fun and classic WiFi jokes, and others are pop culture references.
- I “hid” a link in this article to one of the Mr. Robot Easter egg sites. Besides the contents of the site, the link is also the beginning of another puzzle for those willing to poke around.
- I didn’t mention it in the write-up, but you do see Elliot buy a bunch of prepaid burner phones for his SocEng attack. However, did he make a mistake? Though the police won’t have a record of who owns the phone, when they realize the call was fishy, they will still have a record showing the cellular towers near his apartment where the call was made.
- In one shot, you see Joanna’s driver playing a video game. It’s actually Watch Dogs, a hacking-themed game.
- Angela’s alias on Wickr is Claudia Kincaid, which is another literary reference you should look up. As always, the show runners seem to intend meaning with every detail.
Vigilance defends from spoofing and SocEng.
So what can you learn from all this? Well essentially, be on the look out for social engineering.
Some of the best hacks don’t rely on technology. They just involve people tricking you to do things you shouldn’t. Listen to some examples of social engineering calls on the Internet. These can help you recognize the techniques attackers use, and that awareness should help you remain vigilant enough to be skeptical when unfamiliar people call.
Also, realize hackers can spoof certain things on the Internet. They can change email headers, Caller ID numbers and, in this case, fax headers. These technical spoofing methods often help social engineers convince you that something is legitimate, so be sure to validate things before going along with anything an email, phone call, or fax tells you to.
We’re only two shows away from the end of the season, which is both thrilling (to see what happens) and depressing (because we’ll have to wait months for more). As always, I hope you enjoyed learning a little about hacking and security from Mr. Robot. Share your thoughts below, and join me next week for another detailed Rewind.
