[Spoiler Alert] This article deeply analyzes the technical details of the latest Mr. Robot episode (Eps3.3_m3tadata.par2). If you haven’t watched it, I suggest you come back later.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

If you love Mr. Robot as much as I do, you already know that almost every hack you see is pretty accurate (with a few exceptions). However, the show often flashes these hack details in very quick shots that only eagle-eyed nerds might catch and obsess over. In this Mr. Robot Rewind article series, I dissect the technical and hack-related details of the show, sharing what the writers got right, and sometimes where they messed up. While this latest episode wasn't as hack-rich as the first two, it did contain plenty of information security details worthy of discussion. So, let's take a look.
Dumpster Diving for Metadata
After a small, but somewhat disturbing scene with Darlene on the subway, this week’s episode takes off where last week’s ended, with Elliot finding the address of the “adversary” who hacked his monitor.
Elliot still doesn’t know who this adversary is (the FBI, via Darlene), but to find out he resorts to an old-school hacker trick—dumpster diving.
While the term "dumpster diving" has a pedestrian definition of just going through the trash to find useful stuff, it also has a more hacker-focused definition. Hackers use dumpster diving for reconnaissance, to find out more information about their target. Whether you know it or not, there is a lot of direct and indirect information about you in your trash: your name on letters, who you correspond with, addresses, the products you use, and so forth. In the past, hackers have even found badly erased hard drives whose contents they could recover.
Elliot shared this concept with us while digging through the mail and trash at the address he found:
“Metadata. The story behind the data. Getting information is one thing, but how it was created, where, by whom, can often be illuminating.”
As mentioned, trash can and did supply Elliot with plenty of metadata to draw conclusions from, and helped him realize that he’d found Darlene’s apartment. However, you should also realize that your digital explorations leave a trail of metadata as well. While the phone company may not record your conversations, they have logs of every phone call you’ve made, who they were to, and how long they lasted. If you go to a site on the Internet normally, you share your IP address, often the type of computer you use, your browser type, and sometimes other information stored in a web cookie. If you upload a picture, the device you took it with may have added a lot of additional information, including GPS coordinates, in that picture. I’ve talked about this concept in a past article, when discussing Fsociety’s Vimeo video uploads.
In short, metadata is important. If you care about privacy, you should realize how much others can indirectly learn about you from your metadata. When you hear of governments stockpiling metadata, but telling you it’s not that big a deal, remember that enough metadata can help smart adversaries figure out who you are.
In any case, this short scene where Elliot goes through the trash to learn about his target is just one of the many realistic examples of how hackers work that make this show so accurate.
Picking Darlene’s Lock
Another small, yet accurate detail was Elliot picking the lock to Darlene’s door.
As I've mentioned before, lock picking is a pretty core element of hacker culture. The skills used to solve mechanical puzzles often relate to the skills used to crack digital codes, or at least to the interest in doing so. Also, hacking may sometimes require physical access to technology, in which case some hackers want to learn to defeat physical safeguards too. Again, a little detail, but one that totally relates to hacker culture.
Confusing Bugs with Audio Jammers
When confronting Darlene, Elliot puts a small device on the counter that creates white noise. We've seen him use it before this season, but I never commented on it simply because I figured this type of device is recognizable enough that most people know it's perfectly real. That said, since this was a hack-light episode, I figured I'd point it out.
This device is an audio jammer, and one specifically designed to obscure human speech from listening devices. They do exist in reality, and here is one that looks similar to what Elliot uses. You can also find sites that will turn your computer into an audio jammer, and even mobile apps that can do it. Also, these devices are perfectly legal to use.
In short, this is accurate tradecraft for someone worried about folks listening in. I guess the only question here is why Elliot would waste money buying an expensive version of it, when he could just use his mobile phone. That said, the efficacy of these devices probably has a lot to do with the quality of their speakers. So perhaps a mobile phone speaker wasn’t good enough for his purposes.
Dark Army Pwns E Corp’s Apache Struts Shipping Web App
This brings us to the only real hack this episode (or at least the evidence of a past hack).
After confronting Darlene, Elliot brings her to his apartment and tells her what he has learned about the Stage 2 hack, which he agrees was not called off. During this scene, we see a short shot of his screen.
Before I dive into this screen shot, let me remind you of my season premiere article, where I said Mr. Robot is targeting Apache Tomcat. Furthermore, I mentioned how the recent Equifax hack involved Apache Struts. Well, both packages have proven relevant to this episode’s hacking reveal.
The first thing you notice on this screen is the Apache Tomcat Web Application Manager. Apache Tomcat is basically a web server for hosting Java apps. Based on the URL (which really works), it looks like this server is used to manage web applications related to E Corp’s Ecoin services. You should also remember that Mr. Robot (Elliot’s alternate personality) used Shodan to try and find any E Corp servers using Tomcat.
The second, and likely most important thing I noticed was what looks like a terminal window. Actually, this is a VIM window. If you’re not familiar with it, VIM is a common *nix text editor. It appears Elliot has opened a Tomcat log file associated with the Ecoin service server, to see what visitors have been doing.
In the VIM window, you quickly notice some GET requests to Struts2 resources. Struts is a framework for developing Java applications you might have on a Tomcat server, and was the package I previously mentioned had been targeted in the recent, real-world Equifax hack.
Looking at the GET requests to this server, you quickly notice some interesting ones that seem to use a “redirect:” parameter. With some Google searching, I quickly found this serious Struts remote code execution vulnerability (CVE-2013-2251). Basically, by crafting parameters using the “action:”, “redirect:”, and “redirectaction:” prefixes, remote attackers could exploit this flaw to execute arbitrary expressions. This is what Mr. Robot and the Dark Army must have used to gain remote access to E Corp’s server and networks. In fact, you can easily find publicly accessible Metasploit exploits for this vulnerability.
As it turns out, I could have found which vulnerability Mr. Robot and the Dark Army used much quicker and easier if I had just paid a little more attention to other aspects of that screen shot. If you look closely, there is another window behind the Apache Tomcat window. That URL points specifically to Apache’s write-up for this specific vulnerability, which they call S2-016. Wish I had seen that before doing my research.
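The request pattern Elliot is reading in that Vim window is the kind of thing a defender can hunt for in their own Tomcat access logs. The following is an added example (not code from the show or from this article) that parses Tomcat's common access-log format and flags any query parameter whose name begins with one of the Struts prefixes named above: `action:`, `redirect:` or `redirectAction:`. The log lines are constructed, the `%25%7B...%7D` body is just the URL-encoded `%{` that opens a Struts expression followed by a placeholder, and the hostnames and paths are made up to resemble the episode.

```python
"""Added example: flag access-log requests whose query string carries a
Struts action-mapping prefix (action:, redirect:, redirectAction:), the
parameter shape behind S2-016 / CVE-2013-2251.  All log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Struts prefixes abused by S2-016; compared case-insensitively.
PREFIXES = ("action:", "redirect:", "redirectaction:")

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log.  PLACEHOLDER stands in for an expression body;
# the last line is a legitimate "redirect=" parameter and must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2015:14:02:11 +0000] "GET /ecoin/index.action HTTP/1.1" 200 5120
10.0.0.5 - - [18/Sep/2015:14:02:13 +0000] "GET /ecoin/struts/utils.js HTTP/1.1" 200 4417
198.51.100.7 - - [18/Sep/2015:14:05:41 +0000] "GET /ecoin/login.action?redirect:%25%7BPLACEHOLDER%7D HTTP/1.1" 302 -
198.51.100.7 - - [18/Sep/2015:14:05:44 +0000] "GET /ecoin/login.action?redirectAction:%25%7BPLACEHOLDER%7D HTTP/1.1" 302 -
198.51.100.7 - - [18/Sep/2015:14:05:50 +0000] "GET /ecoin/login.action?action:%25%7BPLACEHOLDER%7D HTTP/1.1" 200 -
10.0.0.9 - - [18/Sep/2015:14:06:02 +0000] "GET /ecoin/login.action?redirect=/ecoin/home.action HTTP/1.1" 302 -
"""


def parse_line(line: str):
    """Return the fields of one common-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def prefixed_params(target: str):
    """Names of query parameters that start with a Struts prefix; [] if none.
    A plain `redirect=` parameter is not a hit, only the `redirect:` form."""
    hits = []
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decoded one layer; decode again to catch double encoding
        if any(c.lower().startswith(PREFIXES) for c in (name, unquote(name))):
            hits.append(name)
    return hits


def scan_log(text: str):
    """Return (host, time, target, hits) for every line with a prefixed parameter."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = prefixed_params(rec["target"])
        if hits:
            findings.append((rec["host"], rec["time"], rec["target"], hits))
    return findings


def hosts_by_hit_count(findings):
    """Aggregate findings per source host, most active first."""
    counts = {}
    for host, *_ in findings:
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, when, target, hits in scan_log(SAMPLE_LOG):
        print(f"{when} {host} {hits} <- {target}")
    print(hosts_by_hit_count(scan_log(SAMPLE_LOG)))
```

Treat hits as leads rather than verdicts: the prefixes were a documented Struts feature before S2-016 removed them, so an application that used them on purpose will produce benign matches, and the real fix is the Struts upgrade rather than the log search. Run it against `catalina.out`-style access logs with the same `%h %l %u %t "%r" %s %b` pattern, or adjust `LOG_RE` for a combined-format log.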
As you can tell, this is another example of the show using very accurate hacks and even real-world vulnerabilities. This particular hack seems especially timely, because of the Equifax breach. Note that it's technically a different Struts vulnerability than the one the Equifax hackers used, but it's still very similar. If there's any issue with this hack, it's the fact that E Corp's Tomcat and Struts server is still vulnerable to a serious two-year-old flaw. We know the show takes place in 2015, but this vulnerability was reported in 2013. Unfortunately, that doesn't make this scene unrealistic. The truth is, there are many big corporations out there that are very late patching their services. So, it's not that unusual for a big company to suffer from old flaws.
For extra credit, let me share a few other small asides from this screen shot. First, notice Elliot is logged into his desktop as "root," just like Tyrell did last episode. Come on show runners!?! Elliot would know better than to do that! Also, this show is usually great with little details, such as using a period-accurate 2015 version of Linux Mint. However, this screen says it's Friday the 19th. In 2015, I believe this Friday fell on the 18th. Mistake, or hidden clue? I presume the former.
Subpoenas to Track IP Addresses
The final scene worth noting is when Dom, the attractive FBI agent, caught the Dark Army stooge that posted the last “fake” Fsociety video. In her interrogation scene, she says, “With a court order, we got the Vimeo connection logs for the account you used, which led us to your IP address and then your home address.”
If you wondered if this is an accurate description of a law enforcement technique for finding cyber criminals, it is. They can and have subpoenaed this information from Internet services in the past. Anything you upload is tied to an IP address, and the government can get court orders to find out which IP addresses were involved. If you don't hide your IP address, it will tie back to your ISP, which likely knows where you live. This has happened in many cases before, like when the government subpoenaed Google for YouTube records. How quickly law enforcement can get the subpoena is probably the only thing up for debate in this scene.
As an aside, the only plot-related strangeness to this scene is why the Dark Army let it happen. Most hackers, like Fsociety, know that governments can track down uploading IPs. That’s why in past episodes, Mobley and Fsociety worked hard to scrub the metadata from their videos, and likely upload via VPNs and Tor to mask their true location. Dark Army operatives are presumably smart enough to do the same thing. So why did the Dark Army guy upload his video without the same precautions? It’s almost like he was asking to get caught. Maybe we will learn more later.
Easter Eggs and odds ‘n’ ends
That covers the hacks, and technical details, but let me share some other thoughts and fun secrets from this week’s episode:
- As always, the show had a lot of hidden sites. You can find both an IP address and a URL in the Struts screen shot above, and both go to interesting places. One is a Dark Army operative's computer, and the other is E Corp's Tomcat Ecoin server. You can also access the login page for E Corp's shipping site from other screens shown this episode (can you guess the login? Others haven't).
- If you do go to the Dark Army computer, it includes a couple of pictures, such as a Dark Army mask, which was weirdly pixelated despite its huge resolution. This picture held a secret, Alice in Wonderland-related quote. See the picture below for a spoiler. (Shout out to the /r/ARGSociety for finding this).
- If you follow the ARG game going along with this show, you should always update the whoismrrobot.com site after an episode. Among other things, this site now has E Corp’s new strong password policy document, which is slightly amusing considering Elliot’s hacks. This document also contains other references to past episodes, that may or may not be clues to other things.
- I did skip a scene where we see Darlene torrenting a movie called Shazaam with Sinbad. Besides the fact that Darlene pirating movies fits hacker culture, this movie does not exist in reality. The actual movie was called Kazaam with Shaq. This is another example of the Mandela effect, which the show has referenced before with the Berenstain project. Some believe this may be another reference to parallel universes (a theory I don’t want to be correct).
- I expect the excrement to hit the propeller next episode… it will be a big one. We have Irving pretending with Tyrell that Joanna is alive, Elliot seeing Angela with Tyrell then getting drugged, Angela sparking Price’s curiosity about Elliot, and Darlene potentially disappearing. I think we’ll see at least some of these unresolved plot points explode next week.
Learning from Robot: Clean Your Metadata?
Between Elliot digging in the trash, and Dom catching the Fsociety faker through a video upload, hopefully you are convinced that metadata isn’t just worthless excess, but potentially sensitive information that could tell people more about you than you want them to know. If you learn anything from this episode, just be cognizant of the digital fingerprints you leave online, no matter what you do. For instance, before uploading a picture, perhaps consider whether or not your geo location might be embedded in that picture, and remove it if it is. Finally, as governments or businesses try to convince you that all metadata should be public record, weigh in on that debate. If you want to protect privacy, you should also protect your metadata.
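To make the "check your picture before uploading it" advice concrete, here is an added example (not code from this article) that finds GPS coordinates in a JPEG's EXIF block and strips the EXIF segment, using only Python's standard library. It walks the JPEG marker segments, reads the TIFF directory inside the APP1/Exif segment, follows the GPS sub-IFD pointer (tag 0x8825) to the latitude/longitude tags (0x0001 through 0x0004), and converts degrees/minutes/seconds to decimal. The sample "photo" is a constructed container with just those tags, not a real image, and the coordinates in it are made up.

```python
"""Added example: detect and strip EXIF GPS tags from a JPEG with only the
Python standard library.  The sample JPEG below is constructed, not a real
photo; the tag numbers are the standard TIFF/EXIF ones."""
import struct

APP1, SOS = 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825                      # IFD0 pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each marker segment before the scan
    data; everything from SOS onward is yielded as one final chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack_from(">H", data, pos)[0]
        if marker == SOS:
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    yield SOS, pos, len(data)


def exif_tiff(data: bytes):
    """Return the TIFF block carried in the APP1/Exif segment, or None."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            return data[start + 10:end]
    return None


def _read_ifd(tiff, endian, offset):
    """Map tag -> (type, count, raw 4-byte value-or-offset) for one IFD."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, at)
        entries[tag] = (typ, n, tiff[at + 8:at + 12])
    return entries


def _rationals(tiff, endian, n, raw):
    """Read n RATIONAL values (uint32 numerator/denominator pairs) at the offset in raw."""
    off = struct.unpack_from(endian + "I", raw)[0]
    pairs = [struct.unpack_from(endian + "II", tiff, off + 8 * i) for i in range(n)]
    return [num / den if den else 0.0 for num, den in pairs]


def gps_coordinates(data: bytes):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF tags, else None."""
    tiff = exif_tiff(data)
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = _read_ifd(tiff, endian, struct.unpack_from(endian + "I", tiff, 4)[0])
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, endian, struct.unpack_from(endian + "I", ifd0[GPS_IFD_TAG][2])[0])
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None                       # GPS IFD present but no position in it

    def decimal(tag, ref_tag, negative_ref):
        d, m, s = _rationals(tiff, endian, 3, gps[tag][2])
        ref = gps[ref_tag][2][:1] if ref_tag in gps else b""   # "N"/"S" or "E"/"W"
        value = d + m / 60 + s / 3600
        return -value if ref == negative_ref else value

    return decimal(GPS_LAT, GPS_LAT_REF, b"S"), decimal(GPS_LON, GPS_LON_REF, b"W")


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"W") -> bytes:
    """Constructed fixture: SOI, one APP1/Exif segment whose big-endian TIFF
    block holds IFD0 -> GPS IFD -> two DMS rationals, then a stub SOS and EOI.
    It is a valid container for the parser above, not a decodable picture."""
    E, gps_off, lat_off, lon_off = ">", 26, 80, 104
    tiff = b"MM\x00\x2a" + struct.pack(E + "I", 8)                   # IFD0 at offset 8
    tiff += struct.pack(E + "H", 1)
    tiff += struct.pack(E + "HHII", GPS_IFD_TAG, 4, 1, gps_off) + struct.pack(E + "I", 0)
    tiff += struct.pack(E + "H", 4)                                    # GPS IFD, 4 entries
    tiff += struct.pack(E + "HHI", GPS_LAT_REF, 2, 2) + lat_ref.ljust(4, b"\x00")
    tiff += struct.pack(E + "HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack(E + "HHI", GPS_LON_REF, 2, 2) + lon_ref.ljust(4, b"\x00")
    tiff += struct.pack(E + "HHII", GPS_LON, 5, 3, lon_off) + struct.pack(E + "I", 0)
    for d, m, s in (lat_dms, lon_dms):                                 # rationals: x/1
        tiff += struct.pack(E + "IIIIII", d, 1, m, 1, s, 1)
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    sos = struct.pack(">H", SOS) + b"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((47, 30, 0), (122, 15, 0))   # constructed position
    print("before:", gps_coordinates(photo))                # (47.5, -122.25)
    print("after: ", gps_coordinates(strip_exif(photo)))    # None
```

Two caveats worth knowing before relying on something like this: location can also live in an XMP (APP1 with a different header) or IPTC segment, so a complete scrub drops those too, and some cameras write a second Exif segment, which is why `strip_exif` removes every matching APP1 rather than the first. For real photos, exiftool or Pillow do the same job with far more tag coverage; the point of the stand-alone version is to show where in the file the coordinates actually sit.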
Thanks again for joining me for another Mr. Robot hackuracy review this week. I hope you learned something new, interesting and applicable to your own online privacy and security. As always, I look forward to your comments, theories and feedback below, and don’t forget to join us again for next week’s Mr. Robot Rewind!