[Spoiler Alert] You should watch Mr. Robot episode 6 (Eps3.5_kill-process.inc) before reading this article. Otherwise, it will spoil many of the show’s major hacks and technical details.
Welcome to the Mr. Robot Rewind series, where I dissect the hacks and technical details within the show, sharing what’s accurate and what’s not.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
This week’s episode was huge for fans of the series, as we finally saw the conclusion to the Stage 2 UPS hack, which was designed to destroy the building that housed all E Corp’s financial paper records… or so we thought.
This article will be shorter than most, as this latest chapter was much more focused on frenetic plot elements than new hacks. That said, the episode also illustrated Elliot’s attempts to complete one major technical challenge, over and over again. Let’s dig in.
Skimming Card Keys from Distracted Security Guards
Quick Recap. The Dark Army, along with Tyrell, Angela, and Mr. Robot, have colluded to (seemingly) deliver all E Corp’s paper records to one building in New York. They planned to hijack the firmware of UPS battery backup systems, which might cause an explosive chemical reaction that would destroy the building and all the paper records stored within. As soon as Elliot learned of the plan and its potential human casualties, he actively worked against it. He digitally signed the E Corp’s UPS firmware to try and make it impossible for the Dark Army to overwrite it. However, last week, Angela and the Dark Army stole E Corp’s keys, which could allow them to upload the malicious firmware and complete the mission.
This week’s episode primarily centers on Elliot trying to regain control of the UPS systems, now that he’s fired from E Corp. He no longer has access to E Corp’s main headquarters, but is working to get into their New York storage facility, where they house the paper records, and the UPS systems.
Last week, Elliot called in a fake bomb threat in an attempt to evacuate the building to prevent casualties. He arrives to find that the firemen are letting people in after they were unable to find any kind of traditional explosives on the premises. Without any other course of action, he gets into the line, hoping he can figure out a way past the ID turnstiles. Luckily, he notices a distracted guard with a keycard lanyard hanging from his waist.
While not quite social engineering, many hackers keep up with skills that allow them to beat physical security. As I’ve mentioned before, lock picking is a pretty common activity at hacker conferences. Though less common, some social engineers also find sleight of hand and pickpocketing useful as well. While you shouldn’t expect every hacker to be a master pickpocket, it’s believable that Elliot would risk this keycard theft with no other options in sight. Furthermore, Elliot smartly chose his victim. As we see later in the episode, he’ll have to get into just about every area of this building, and a security guard is most likely to have that level of access.
With a privileged keycard in hand, Elliot passed his first hurdle and makes his way into the building to find a computer.
Battling Oneself for Control of UPS Firmware
After ducking a few guards, Elliot finds a quiet room where he can pull out his laptop and work. With access to the E Corp building, he can plug his laptop into the internal network and bypass most of the company’s external security controls, such as firewalls and other network security services. He pops into a terminal window and gets to work. Here’s what he types:
All of the commands we see here are accurate, and make sense. Let’s go through them quickly:
- gag –verify update.bin.asc update.bin – This is the command to run GNU Privacy Guard (GPG) to verify the digital signatures of a file. Elliot wants to check to see if the files for the UPS firmware are signed correctly with E Corp’s key. They are, but unfortunately this is the Dark Army’s malicious firmware, signed with the newly stolen keys.
- shred –uzn3 update* – We’ve seen Elliot use shred before. It’s a secure delete command and in this case, he uses it to overwrite all the firmware files that start with the “update” name three times with zeros. This is an accurate way to destroy the Dark Army’s malicious firmware files so they can’t easily use them again.
- wget -q https://126.96.36.199/files/ups_640_patch.zip – This command basically downloads a file from a web server. Specifically, Elliot is grabbing his clean version of signed firmware to put back on the UPS system.
- Next, Elliot runs a zip command to decompress the firmware file he just downloaded. Then he extracts three files; the firmware file, the digital signature for the firmware, and a hash file. Elliot can use this hash file to check that his other files haven’t been modified in any, and are the original ones he expects.
- Elliot runs the gpg command again, but this time to check his hash file, to make sure it retains his own digital signature. As an aside, the name of the key for this signature is actually an Easter egg that refers to a redditor who has solved some of Mr. Robot’s hidden ARG puzzles in the past.
- sha256sum –check hashes.asc – Once he’s sure that the hash file is intact, he runs sha256sum, which compares those hashes to the firmware files. This confirms that no one has modified or changed them. This whole sequence is pretty much just Elliot being paranoid, and checking to make sure Mr. Robot hasn’t somehow trojanized the clean firmware files he plans to restore to the UPS systems.
- scp * email@example.com/upsfw… – Finally, we see Elliot start, but not finish, the secure copy (scp) command. This would copy Elliot’s signed firmware to the remote UPS systems. This command should end with “/upsfwupdate” (based on past episodes), but unfortunately Mr. Robot takes control of Elliot and prevents him from finishing the command.
As you can tell from my description. All these commands are real and the scene shows a very accurate example of how you would delete files, grab news ones, check their validity, and upload them to another computer. It’s a shame Elliot wasn’t able to finish, as he would have been able to fix the malicious UPS firmware problem right then and there.
When Elliot regains control of his own body, he’s in a cab traveling away from the E Corp building. However, he’s not ready to give up. What follows is a montage of Elliot attempting to complete essentially the same process for loading that clean firmware.
In the second scene, Elliot gets back into the building, finds a computer lab and logs into a computer with an account called “rt_admin.” I will say this particular login is a bit strange, and not well explained. In the last episode, Elliot was fired and his account was locked, so he had to con his way into using another employee’s computer to access E Corp’s network. However, in this new scene, it appears Elliot already had access to this rt_admin account. So why didn’t he use that to login, rather than his co-worker’s machine? I can only assume this is a local account to the UPS system building that he had already hacked before. In any case, when Elliot logs on to the computer, he runs a program called PuTTy—a terminal emulator—to access the UPS server. He then runs these commands:
I won’t describe these in as much detail, but basically Elliot uses wget again to grab his clean files, which he then unzips to try to update the firmware. Unfortunately, Mr. Robot stops him – again.
This time, Mr. Robot can’t take Elliot over for as long as before. Elliot goes back to the lab and tries again, this time using Secure Shell (SSH) to log into the UPS system again, and go through the steps to recover the firmware. Mr. Robot takes control of Elliot again, but this time, he put a complete stop to Elliot’s plans. When Elliot regains control after a few seconds, we see Mr. Robot has run these commands:
While I can’t find any specific reference to this “firewall” command, it seems to be the show’s take on an “pintables”-like firewall on the UPS system. Real or not, Mr. Robot’s commands seem to adjust the firewall rules configuration file (fw.fwl) on the UPS system to block any IP in the 188.8.131.52/16 network range. This effectively blocks Elliot from connecting to the UPS server for good.
With that done, Elliot needs to find another way to save the UPS devices from an explosion. To summarize, all of these command line scenes are accurate. Even though I haven’t seen the particular “firewall” used on the UPS server, the commands to add new policies or rules are similar to real ones used by similar firewalls.
Convincing Mr. Robot to Hack a keycard reader
With his remote access revoked, Elliot’s only hope is to physically reach the UPS room and figure out how to turn on the room’s hollow carbon fire suppression system, which he hopes will flush the combustible gas created by the lead-acid UPS batteries. Mr. Robot continues to act like a “kill process,” taking over Elliot’s body and throwing him down stairs, or against pipes along the way. Nonetheless, Elliot does somehow make it to the UPS room…
Only it’s locked with a door he cannot pass. His only hope seems to be to convince his alter, Mr. Robot to get back on his side, which he does with a Notepad.exe conversation.
For whatever reason, that conversation is indeed enough to get Mr. Robot back on his side, and we quickly see the last hardware hack of the episode.
Is this accurate? Well, this is where my information security experience fails me. With only this screenshot alone, I can’t confirm that this keypad hack is perfectly valid. However, similar hacks have happened before, so it’s probably realistic enough. Hard to say for sure without more specifics about the type of key reader and lock.
Once in the room, Elliot sets off the fire suppression system, and supposedly saves the day. Too bad the Dark Army, Tyrell, and perhaps even Mr. Robot were already way ahead of him. It was a shock to learn they destroyed the 71 other paper storage buildings instead!
Easter eggs and odds ‘n’ ends
If you haven’t noticed yet, Mr. Robot episodes are always full of buried Easter eggs, and lots of great little details and references. Let me quickly, highlight a few:
- If you haven’t tried to enter an IP address or URL from the show, you really should since they often lead to fun sites where you can learn more about this universe, or play along a with the show’s ARG puzzle game. You can see some of the IPs in my screenshots above.
- One of the links brings you to a Red Wheelbarrow website that advertises their BBQ restaurant (which serves breakfast too) with a video. The smart folks at /r/ARGSociety have already found a bunch of hidden images buried in stills of this video, and solved a very complex puzzle that goes with those images.
- There are also websites where you can try your hand at replacing the UPS firmware too, and download other files with hidden clues (always try base64).
- For 80s and 90s movie fans, check out the VHS tapes in Angela’s apartment. You might see some favorites, including a movie starring Christian Slater.
- Did you notice the famous golf club where Zhang and Price had their subtext-filled conversation? I wonder if we all know the guy with “hanging brains?”
Learning from Robot: Firewalls Work Great
This episode was more about driving the story than hacks, but you can still learn one thing from it – While firewalls are one of the oldest and most basic security controls, the technology still works today. Nowadays, you do need intrusion prevention services, advanced malware protection, web reputation filters, and other security controls on top of a basic firewall. Nonetheless, they still work great at blocking unwanted entry, as we saw when Mr. Robot stopped Elliot from accessing the UPS servers. Use a firewall, and make sure its policies are up to date.
Join me again next week for our next Mr. Robot Rewind, and feel free to share your comments, theories and feedback below!