[Spoiler Alert] This article may spoil some of the surprises from the latest episode of Mr. Robot. If you haven’t watched eps2.3_logic-b0mb.hc, check it out on USA Network, Amazon, or iTunes before coming back to this article to learn its secrets.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.This week, I’m attending the Black Hat and DEF CON security conferences in Las Vegas, where the smartest hackers and researchers from the security community come together to share their latest discoveries. These people can be some of the most perceptive, detail-oriented, and nit-picky people in the world. So when entertainment covers information and cyber security, you can expect the InfoSec community to pick it apart like a school of ravenous piranha. But it turns out that Mr. Robot has been a constant topic of discussion here and presenters have actually used it as an example in their presentations. In short, the jury has reached a verdict. Real hackers think Mr. Robot gets hacking right.
If you’ve been following the Mr. Robot Rewind series, where I dissect the hackuracy of each episode, this comes as no surprise. So why don’t we dive right in and see what the latest episode gets right.
Hacking the FBI’s Androids with 0day
After a number of episodes with no hacks, or any time in front of a screen, it’s good to see Elliot in his natural element again. This episode starts with our antihero scripting away to create a new exploit to hack the FBI. Though a lot seems to happen on Elliot’s screen, his monologue is what really gives you the technical details you need to understand the hack. Let’s unpack this scene.
First, what happens on his screen? This scene dynamically cuts between the many tasks and windows Elliot is working on, but only one of them has anything do with the FBI hack. In a wide shot, you see the four main windows he has up.
The top windows pertain to the darkweb server migration project Elliot is supposed to be doing for Ray. In the top left window, he ran a command to install and update Tor, and in the top right Elliot unpacked the compressed backups of the “Marketplace” site (and its Tor configuration) onto a new server. In the bottom right window, he’s still chatting with Darlene on IRC. By the way, I didn’t spell it out in last week’s Rewind article, but her IRC handle, D0loresH4ze, is a reference to a character in the Lolita (which also explains her heart sunglasses). Anyway, the bottom right window is the only one relevant to the FBI hack. That’s where Elliot is writing a Ruby script.
Now the screens alone don’t tell you much about Elliot’s hack. For that, you need his narrative. I won’t cover it verbatim, but the first clue comes when Elliot mentions he’s using “Android zero days” to “own the FBI standard-issue smartphone.” This tells you two things. First, it confirms what you hopefully suspected after last episode. He’s targeting the FBI’s Android devices. Second, the reference to “zero days” conveys that Elliot has apparently found some unpatched vulnerabilities in Android. He can presumably leverage these vulnerabilities to gain control of the FBI’s Android devices. Though he uses flowery language to discuss the process, Elliot essentially tells us that he’s writing a script to exploit these zero-day Android flaws.
So far this is all very accurate. Any software, including Android, can and will have vulnerabilities. In fact, there have been many cases where researchers have found flaws in Android components. Hackers also need to write scripts of code to exploit these vulnerabilities. Code savvy geeks may notice Elliot is writing his script in Ruby. Even that language choice is realistic since Metasploit, the most popular exploit framework, uses Ruby.
By the way, I did notice one small “behind-the- scenes” detail. This scene implies Elliot’s writing a custom exploit for a new vulnerability, but it turns out the show just has him typing an existing Metasploit exploit from real life.
While studying the screenshots to find clues about Elliot’s Android vulnerability, I noticed a reference to “KNOX Browser RCE”. Knox is a proprietary security platform built into Samsung Android devices, and RCE stands for Remote Code Execution, which allows a remote attacker to run code on your system. With a little Google research, I learned that researchers found a real Knox RCE vulnerability in 2014. More interestingly, a penetration testing company wrote a Metasploit exploit for that flaw. Comparing Elliot’s script to this real world exploit, it is clearly the show’s source material. In any case, this is further proof of how accurately the show portrays hacking by actually using real world exploits.
Hijacking FBI Phones with a Rogue Femtocell
So now you know Elliot’s writing a zero-day Android exploit. But how will he force his exploit to run on the FBI’s Android devices? That’s where a femtocell comes in.
In his monologue, Elliot mentions a “femtocell delivery system.” If you haven’t heard of a femtocell, it’s a networking device designed to extend cellular coverage to “dead zones” by using the Internet. A femtocell device looks similar to a Wi-Fi access point. One of its interfaces plugs into a wired Internet connection, which is used to access your carrier’s network. Meanwhile, the device also contains a cellular radio, giving it the capabilities of a mini cell tower. Cellular devices will automatically connect to a nearby femtocell if it has the strongest signal. Keep in mind, these cellular connections happen behind the scenes, without any user interaction. There is nothing you can do to prevent your cellular device from connecting to whichever cellular tower’s signal is strongest.
Researchers have already hacked femtocell devices. In 2010, a pair of researchers showed how to root—or gain administrative access to—these embedded Linux systems. In 2013, another pair of researchers showed how to leverage root access to intercept cellular calls, text messages, and data connections. In short, they proved that attackers could create rogue femtocell devices that can intercept and ‘man-in- the-middle’ all nearby cellular traffic.
By placing a femtocell device into E-corp’s building near where the FBI is conducting their investigation, all of the agent’s smartphones will automatically connect to it as a cellular tower. This gives Elliot the opportunity to intercept and modify all their smartphone traffic. Not only can he listen to their calls and texts, but he can monitor and modify their data connections, too. We don’t know what type of Android exploit he’s using (is it web-based exploit, or does it target the devices baseband software?), but if Elliot controls a device’s gateway to the Internet, it’s likely that he can inject his exploit into any phone that connects to the femtocell.
As you can tell, the show’s description of this type of attack is fairly plausible and accurate. That said, I feel like there was one small inaccuracy later in the episode. Darlene tries to recruit Angela to deliver the rogue femtocell to E-corp’s offices. She basically tells Angela that she just has to drop a small device at the Fed’s office and walk away. It’s true these devices are relatively small, but they are still noticeable. So you couldn’t just drop them anywhere without them getting noticed. Furthermore, you still need to plug them into an ethernet port with an Internet connection Darlene’s description of the drop is over simplified. Perhaps this is a mistake, or perhaps Darlene is purposely underplaying the task, so Angela will accept it. It’ll be interesting to see how accurately the actual femtocell drop is portrayed in a future episode.
A Nation-state prediction comes true!
If you’ve following the Rewind series, you may have read the Season 2 predictions article. There, I suggest that Whiterose and the Dark Army are likely somehow involved with the Chinese government. This prediction comes from real world events, where certain breaches by regional hacker groups seemed to have strong ties with governments. The recent DNC hack is a good example. While a hacktivist that goes by the handle “Guccifer” has claimed credit for the attack, most experts allege that the Russian government was responsible.
In any case, in this episode we learn that Whiterose, the transgender leader of the Dark Army, is actually China’s Minister of State Security. So clearly this prediction is true, and least one member of the Chinese government has ulterior motives around the 5/9 hack.
Ray Runs a Silk Road Clone
In previous episodes, we learned that Ray ran some sort of mysterious darkweb site that has some need for Bitcion wallets. He needed Elliot to help him get the site back online, but he also didn’t want Elliot poking around the site itself. Of course telling Elliot to not poke around in your private digital life is like telling a customs agent not to open your car’s trunk…good luck with that!
During this episode, despite Ray’s warning, Elliot peeks into the site he’s migrating and discovers that it is a darkweb black market dealing in drugs, weapons, assassins, and human trafficking.
Ray’s site looks suspiciously familiar to another infamous darkweb site called the Silk Road; a darkweb black market site that was know to sell drugs and many other illegal things. Though the FBI shut down Silk Road years ago, many copycats have popped up in its place. In short, Ray’s Midland City Marketplace is grounded in reality.
By the way, you may have noticed Elliot and RT logged into Ray’s site as Dread Pirate Roberts. This was the infamous alias of Ross Ulbricht, the man responsible for the Silk Road.
Nonstop Easter Eggs keep coming
As usually, this episode is full hidden surprises.
- The IP address 18.104.22.168 shows up in some screenshots. Visit it and you’ll find the Midland City maintenance page. As usual, you should check source code for clues to more puzzles. I’ve leave it up to you whether you want to spoil the fun here.
- The IRC Easter egg from last episode makes a return. If you solve a small new puzzle, you’ll see a new chat conversation about the FBI hack.
- I mentioned the Berenstain conspiracy in the last Rewind article, which references the idea of parallel universes. This episode, Whiterose specifically talks about multiple universes with Dom.
- A Redditor found a cool secret that I completely missed. This episode begins with a weird audio static squelch. If you look at that audio clip in a spectrometer, you’ll find a hidden image.
- Last season, every episode’s title ended with a video file extension. This season, every episode title ends with an encryption related file extension. This seems to suggest that encryption will play a big part of this season, which bodes well for another of my predictions.
By the way, I’ve mentioned how much hidden Easter eggs appeal to a hacker’s mentality. We love finding things other people miss. Since I’m at DEF CON, I thought I’d share this year’s DEF CON badge, which is a perfect example of this fact. Hidden on the badge is a challenge requiring people to find and solve many technical and cryptographically puzzles. Attendees spend hours trying to be the first to uncover all the badge’s secrets. Mr. Robot’s consistent use of Easter eggs and ARG games shows how well it understands this culture.
Tips from this episode
That’s it for another Rewind. Thank goodness the hacks are back! Be sure to join us next week, and leave your thoughts, theories, feedback and Easter eggs in the comments below.