(USA Network Photo)

 [Spoiler Alert] Yarr, me matey. There be spoilers ahead! Consider yourself warned. Seriously though, this article describes the latest Mr. Robot episode (Eps3.1_undo.gz) in deep technical detail. If you haven’t seen it yet, you might want to revisit this article later.

Wow! Another episode full of hacks and plot surprises. If “Mr. Robot” keeps up this pace for a full season, I may lose all my hair. So much happened with the storyline in this episode that it’s hard to focus on hacks alone… yet that’s what the Mr. Robot Rewind series is here for.

If you’ve ever found yourself wondering, is this hack too good to be true? Or, could this happen in real life? Well then, you’ve come to the right place. In this article series, I analyze the hackuracy of every “Mr. Robot” episode.

This week’s episode was full of subtle hacks that happened so quick some might have missed them. So, let’s jump right in, and dissect the details.

Harvesting passwords to expose corrupt managers

This week’s episode starts off with a purposely repetitious montage of Elliot’s daily life at his new E Corp job. The sequence is a masterfully-crafted, though cynical take on corporate life in America, with routine rote tasks, dull cubicles, and corrupt (and inept) middle management.

During this time, Elliot’s goal is to ensure the Stage 2 attack will never succeed. Though he’s removed the UPS backdoor and Dark Army’s remote access into E Corp’s network, he still wants to make sure they can’t carry out their plans if they find their way back in.

He starts by slowly trying to convince his managers of the business value of not consolidating all their records in one place. Besides presenting a single point of failure, shipping all the records to one place would cost more than just scanning them locally. While he’s crafting his presentation, and slogging through corporate bureaucracy, we also learn that he’s hacked E corps shipping system, to ensure that none of the paper records end up at the New York office, despite the system records showing them arriving (we don’t see this hack, so nothing to analyze).

However, his management presentations don’t go as well as his shipping hacks, so that’s when he reverts to hacking them to unveil their secrets.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

During the quick montage, you see two hacks — one technical and one simple. However, with only seconds of screen time, these subtle hacks were easy to miss. In both cases, Elliot figures out his boss’ corporate passwords so that he can access their emails and other records.

He first hacks direct manager, William Braddock’s, password. Braddock strangely reminds me of Dilbert’s “pointy haired boss.” In any case, Elliot doesn’t explain this hack at all, but by freeze framing his screen you can figure it out. Elliot is using a module from a tool we’ve seen him use before, the Social Engineers Toolkit (SET). This tool has many modules, but one is called Credential Harvester. Without going into all the details, this tool helps attackers create phishing sites. The tool will automatically copy a website, and host a fake version of it. If you get a victim to visit the fake site, and enter their credentials, you capture them in the clear. There’s a good write-up on how this works here.

Based on the screenshots in the show, it appears Elliot targeted this tool to E Corp’s Outlook Web Access (OWA) email server. I would presume he sent some email to Braddock that linked to the fake E Corp server, which Braddock fell for. One shot shows Elliot running the “tail” command on the credential harvester log file, which reveals Braddock’s username and password captured from the fake OWA site.

Figure 1: Elliot captures boss’s password with Credential Harvester.

This hack is entirely realistic. And, using the stolen credential, Elliot gets into Braddock’s email, and learns his manager is purposely installing rootkits on E Corp’s smart devices, such as their Ephones, TVs and even microwaves (which I believe is an inside joke based on Kellyanne Conway’s silly microwave spying comments). Braddock is then selling the private customer information he steals from these devices. Elliot leaks this info to the FBI to get his boss arrested.

Figure 2: Elliot learns his boss backdoors E Corp smart appliances

Braddock gets replaced with Peter McCleery, who’s just as unreceptive to Elliot’s paper record presentation. Elliot’s next password hack is much more simplistic. He merely “shoulder surfs” his boss’s password, which just means he literally watches McCleery type it.

Figure 3: Elliot shoulder surfing Mccleery’s password

While shoulder surfing is definitely a classic hacker tactic, I do find this “hack” slightly less realistic for today’s standards. First, Elliot must have pretty darn good eyesight to read a phone from that far across the room. More importantly, however, how many passwords have you entered lately where you actually saw the letters you typed? Not many, right? Most programs will replace letters with asterisks or something similar. I find it pretty unlikely Elliot would happen to see his boss use the one app that doesn’t obscure passwords today.

This scene seemed a bit like Hollywood convenience to me. Nonetheless, it’s not entirely implausible. I’ll give it a grade of, “unlikely and lucky, but not unrealistic.”

In any case, once Elliot has Peter’s password, he again checks his personal email and learns that Peter is modifying car firmware to hide bad emissions (a nod to the real-life story where VW did just that). Elliot turns the guy over to the FBI too, and the cycle continues. Those were the only two quick hacks we see during this period, but apparently Elliot cleans house, outing a ton of corrupt managers and E Corp.

Protecting E Corp’s UPS with signed firmware

Besides redistributing the paper records, Elliot wants to keep Dark Army from hijacking E Corp’s UPS backup power with malicious firmware that might cause an explosion. In a quick scene, Elliot describes how he modifies and updates the firmware to only accept updates with a valid E Corp digital signature.

The idea of protecting firmware with digital signatures is real, and is something smart hardware manufacturers do to protect their products. This prevents hackers from easily replacing a device’s firmware with a trojaned version, by first making sure the new firmware has a legitimate, cryptographically verified, digital fingerprint. For example, an iPhone uses digital signatures to prevent you from easily loading some unsanctioned OS.

This means Elliot’s idea is quite accurate, however, I’m not sure if what the show portrayed would be easy or even possible. In the real world, the mechanisms used to check for proper digital signatures are usually built in by the hardware manufacturer. In fact, these mechanisms require that the devices ship with sets of private and public digital keys, which are used to verify the firmware is signed properly from the hardware vendor. In the show, it’s implied that this UPS system’s original firmware did not check for digital signatures. In fact, the hardware may not have any vendor-delivered capability to do so. Furthermore, the episode subtly implies that Elliot “hacked” this capability into the UPS system himself. If you look closely at shots of Elliot working on the UPS system, you see one where he uses a tool called IDA Pro, and has opened the firmware file.

Figure 4: Elliot reverses UPS firmware with IDA Pro.

IDA Pro is a disassembler tool that developers, security researchers and hackers use to reverse engineer compiled code. You can also use it to modify compiled code. To me, this screen actually infers that Elliot manually modified the UPS firmware to use a digital signature verification mechanism that wasn’t present in the original vendor’s features. That seems like a very tall order to me.

There is a lot of precedent for hackers patching vendor software. In the past, researchers have found critical vulnerabilities in Microsoft software, felt the organization was taking too long to fix them and released “third party” patches for those products (likely created using tools like IDA Pro). It’s very possible for smart reversers to hack additional functionality or fixes into other people’s products, even if they don’t have the source code. However, creating a digital signature validation mechanism would be a ton of work, and in most cases would involve more than just the firmware itself, but some of the hardware design.

Long story short, if the UPS firmware already had the capability to check firmware for digital signatures built in (which seems unlikely), Elliot’s config change to use that capability to protect these devices is totally plausible. However, it does seem a little less realistic if the show was implying that Elliot modified a full signature validation mechanism into the firmware using IDA. 

Backdooring Elliot’s PC for the FBI

One of the more surprising scenes this episode was when Darlene betrays Elliot, and backdoors his computer for the FBI. When Elliot asks Darlene to stay over, we see her doing something at the back of Elliot’s computer monitor while he sleeps. Mr. Robot (Elliot’s alter) catches her, and roughly interrogates her about what she did. Most of you probably realized that she likely added some sort of backdoor to the machine, which we learn is the case when she returns to Dom. But what exactly did she do on a technical level, and would it work in real life?

This is one of the subtler hacks the show has attempted, giving only relatively vague, and hidden hints about what exactly happened. Let me break it down in the next few sections.

Mr. Robot caught Darlene red-handed, and certainly suspects that she did something to Elliot’s computer. This doesn’t necessarily mean Elliot knows what his alter does though. In any case, later in the episode, you see Elliot start to use his computer, but hesitate. He suspects something is wrong. Based on his display, Elliot’s primary operating system (OS) is a Linux distro called LinuxMint—a pretty popular and clean desktop operating system (the show-runners even took the time to use a period-accurate version of the distro for the show’s timeline, 2015).

After pausing for a moment, Elliot does a bunch of things in quick succession. Specifically, Elliot powered down his machine, he plugged in a USB key, and then he powered back up. This time his machine booted into Kali Linux, which is a well-known and real hacker distro that Elliot has used before. Why did Elliot power down his normal OS and reboot into another one? To search for rootkits.

A rootkit is a type of tool or malware that helps malicious programs hide on your computer, so even the OS is tricked into missing something that’s actually there. I like to think of them as the software equivalent of a “Jedi mind trick.” In short, rootkits can allow malicious software to hide files, processes, and even active network connections from the OS itself, which means that security software using OS functions to find stuff will totally miss it.

This is why Elliot is booting into an alternate OS. If you suspect your normal OS has been infected with a rootkit, you really can’t trust that OS, or any security scans run from that OS. How will you know for sure a rootkit isn’t affecting the scan results? To combat this, security professionals know to boot their computer and run security scans with an alternate OS that isn’t infected by the rootkit.

After rebooting his computer in Kali, we see Elliot run these commands:

Figure 5: Mounting hard drive and running Rootkit hunter.

To summarize, Elliot has booted a “live” version of Kali, or a “temporary” OS running off a USB stick. After booting this live Kali stick, Elliot mounts the file systems associate with his normal LinuxMint OS. This allows him to access and scan those file systems even though he didn’t boot from that hard drive. Then he runs a tool called rkhunter. This is a real-life open source tool called Rootkit Hunter, which scans Linux systems for rookits.

In short, this entire process a realistic portrayal of one way a security expert or forensic analyst might try to find a rootkit on a system they suspect is infected.

However, after doing all this, rkhunter doesn’t find anything. Elliot’s LinuxMint OS doesn’t seem to be infected. Believe it or not, this is a subtle hint suggesting what Darlene did, but we can’t connect all the dots just yet.

Figure 6: rkhunter fails to find a rootkit on Elliot’s computer.

Monitor Darkly: Hacking monitor firmware for fun and profit

Immediately, after seeing Elliot’s rootkit tool fail, we see Elliot’s screen, but this time from a different perspective and a different computer. Turns out, Dom, Darlene, and the FBI are watching everything Elliot does on his computer. This confirms that Darlene did plant some sort of spying tool on his computer, but since Elliot didn’t find an infection or rootkit, what really happened?

Here’s what we know. Darlene was messing behind Elliot’s monitor, and whatever she did does not seem to have left any footprints on the actual computer’s OS. This suggests either a hardware or a firmware hack.

Let’s start with hardware hacks. There are a number of nifty devices hackers can leave on your computer to spy on you. For instance, there are small Ethernet taps that a hacker can leave between your computer’s network port and Ethernet cable that will record and transmit your network activity. There are similar devices you can put between a keyboard cable and the computer to record keystrokes. There are even specialized USB devices that automatically launch different attacks to hijack a computer. In short, there are many hardware devices that might give attackers some level of remote access to your computer’s activity or data, without leaving a physical trace in your OS or file system.

However, I am not aware of any device that can plug into a monitor’s output, and transmit that output wirelessly back to the attacker. But theoretically, such a device is possible. You can wirelesses transmit HD footage captured from an HDMI port, but devices that do so are rather large. So, I initially wasn’t sure what type of device that Darlene could have plugged into a monitor that would have given Dom remote access to what Elliot’s viewed on his screen.

That said, there have been previous attacks that could wirelessly capture display output. For instance, a classic example is a government project called TEMPEST. By monitoring the electromagnetic emissions from a CRT monitor, remote analysts could recreate low quality, but readable copies of the display. However, this attack only worked in close proximity, and it doesn’t work with newer OLED technology. More recently, the Snowden leaks revealed that governments have updated tools to remotely monitor displays, like RageMaster. Theoretically, the FBI might have some tools the general public doesn’t know about to do this sort of spying, but I felt Mr. Robot’s security consultants would use something more publicly accessible.

That brings us to firmware hacks. As you know from the original Stage 2 plans, hackers can modify and backdoor the firmware running on different hardware devices (like the UPS hack). Malicious code running on the firmware of some hardware device isn’t running in your OS, so normal security software can’t detect it. Thus, infecting firmware is a great way for attacks to evade normal OS security controls. It’s possible that Darlene somehow hacked the monitor’s firmware, but she’d still need to add some device with a wireless connection, in order to “send” the display back to the FBI’s computers. It turns out that’s exactly what Darlene did, but the way I confirmed this may surprise you. More on that soon.

There are some clues on Dom’s screen that help unveil how this monitor hack worked.

Figure 7: Dom’s view of Elliot’s hacked computer

This screenshot reveals a lot. First, Dom is seeing individual screenshots of Elliot’s desktop every few seconds, not a live video feed. You can tell this first by the fact that her view of his screen is actual a PNG image, but also because you can see a folder of PNG images that seem to have been saved every few seconds.

More importantly, you can see the Command & Control (C2) script she is using to receive these images from Elliot’s computer. The terminal window shows a python script called cnc_receiver.py, which is obviously a C2 channel listening for a network connection, and then receiving the PNG images. Finally, the last hint in this screenshot wasn’t obvious until I uncovered something later. The folder all the images are stored in is called “monitor darkly.”

Elliot’s Revenge: Hacking back the FBI hackers 

So, it’s clear Dom and Darlene have successfully backdoored Elliot’s monitor, and whatever they did has some sort of wireless Internet access (likely cellular), sending PNG images of his display output back to the FBI computer.

In the final scene, Dom returns to the apartment where they are staking out Elliot. Her FBI partner informs her that Elliot sent an encrypted email with a link to someone when she was away. He is hoping they got lucky, and this email is some secret, incriminating message to Tyrell. As Dom looks over the screenshots of the email, she gets nervous and asks her partner if he followed the link. He did, and even downloaded and opened the file it pointed to. That’s when we see Elliot finding this apartment (or at least the one downstairs).

Figure 8.: Elliot’s FBI phishing email.

As you might have guessed, this scene suggests that Elliot somehow realized he was monitored, and “phished” the people watching him. The link in the fake email Elliot staged could have pointed to malicious code, which could have helped him get the IP and location of the FBI computer that clicked on it in any number of ways. Looks like Elliot “hacked back” his hackers.

However, the true beauty to this little sequence is the show runners also hid an Easter egg in this email that helps truly reveal how Darlene hacked Elliot’s monitor. But, you’d have to participate in Mr. Robot’s hidden puzzles and games to catch this clue.

Notice the link in the email: sandbox.vflsruxm.net/plans.rar 

Like many URLs and IP addresses you see on this show, that link really works. If you visit it, you will find what looks to be a compressed RAR file, but actually isn’t. If you look at it in a browser, this is what you get:

Figure 9: Base64 encoded file.

If you work in security or development, you may be used to recognizing encoded data, and can tell that this is Base64 encoded data. If you run this file through a base64 decoder (like this: curl -s https://sandbox.vflsruxm.net/plans.rar | base64 -D > plans.rar), you’ll end up with a working RAR file. If you decompress that, you get a PNG image of a QR code.

Figure 10: Hidden QR code in Elliot’s email.

If you follow that QR code, you get to this GitHub project for a real monitor firmware hack that the authors called Monitor Darkly (shoutout to smart /r/MrRobot Redditors for finding this quickly).

This is the final hint that shows how Darlene hijacked Elliot’s monitor firmware, but not the actual computer. In short, Monitor Darkly is a firmware hack of the OSD built into a specific Dell monitor. Using a USB port on the monitor (or HDMI too), an attacker can hijack the monitor’s firmware, and then fully control reading and writing every pixel on the monitor, independent of what the actual computer sends to the monitor. This means an attacker can force pictures onto your monitor regardless of what the computer is telling it to display. That could allow them to trick you in a number of ways. More importantly, it allows attackers to read every pixel on the monitor, which is likely what this hack does to create screenshots for Dom. If you want to learn more about this hack, check out the DEF CON talk on Monitor Darkly.

The only missing piece of this equations is how the monitor sends that information back to Dom. Most monitors don’t have network or wireless capabilities, so how does this hijacked monitor connect to Dom’s computer? Well, nothing in this episode answers that question, but luckily an interview with one of the producers, Kor Adana, gives us the last hint. In an interview, Adana mentioned the USB Armory. This is a full computer on a tiny USB stick. This USB stick would serve two purposes. First, it could be the USB delivery mechanism for the firmware exploit used to hijack the monitor. Second, with the right accessories (a cellular USB dongle), this tiny computer could also wirelessly connect to the Internet, sending the screen images back to Dom.

Figure 11: A USB Armory with a wireless dongle.

As you can tell, this is a pretty realistic hack. It literally uses a real monitor firmware exploit that researchers disclosed a year ago. I will say that the actual GitHub code for this exploit doesn’t contain any command and control code that send screens back over the network. That is not something the original researchers did. However, the hack would allow you to create screenshots, and combined with a small USB computer and cellular dongle, this is a totally plausible application for Monitor Darkly’s capabilities. As usual, Mr. Robot gets a +1 for realism.

Hidden Easter eggs and other odds and ends

If you watch Mr. Robot idly, you’re only scraping the surface of all its hidden secrets. Here are some interesting points revealed in this episode:

  • First, another of my pre-season predictions came true. As I suspected, Darlene is working with Dom this season.
  • As always, there are many real URLs and IPs in almost every episode of Mr. Robot. If you pay close attention, you may be able to use an E Corp login page, connect to the fictional UPS system, follow QR codes and more!
  • Elliot worked hard on the paper record presentation he tried to give to his bosses. With enough diligence solving the Easter eggs in this episode, you can download a copy of that presentation.
  • Don’t forget the always available www.whoismrrobot.com. It tends to get interesting new updates after every show. 

Long passwords and multifactor authentication

With so many interesting hacks, there is a lot you can learn from this episode, but I want to really concentrate on the theme of password security as a practical takeaway.

Authentication and passwords are the cornerstone of security. You can have all the fancy security controls you want, but if an attacker gets one of your trusted user’s credentials, all your security is out the door since that hacker will be allowed legitimate access. In this episode, you saw how easy it was for Elliot to steal passwords.

The answer to stolen, lost, or reused passwords is multifactor authentication—using at least two factors for authentication; a password and something else, such a fingerprint, certificate, a one-time-password, or even a mobile push approval. When you use multifactor authentication, even if an attacker learns your password, they’ll be challenged to figure out your second token.

Figure 12: Elliot’s long and secure password.

While we’re talking passwords and authentication, when you use passwords, they should be strong. In this episode, you see both Dom and Elliot log into computers multiple times with lengthy passwords. Follow their example by always using long and complex passwords for better security.

Thanks for joining me for another eventful Mr. Robot hackuracy analysis. If the first two episodes of the overall pace for season three, we’re in for a wild ride. As always, I look forward to your comments, theories and feedback below, and don’t forget to join us again for Mr. Robot Rewind next week.

Like what you're reading? Subscribe to GeekWire's free newsletters to catch every headline

Job Listings on GeekWork

Find more jobs on GeekWork. Employers, post a job here.