Spoiler alert: In order to analyze the technical detail of each show, I have to discuss the episodes in detail. To avoid spoilers, please stop reading if you haven’t already watched “Mr. Robot” Eps3.0_Power-Saver-Mode.H.
Welcome back to Mr. Robot Rewind, an article series where I describe the hacks from the “Mr. Robot” TV series and analyze their technical accuracy, or “hackuracy.”
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
After a long hiatus, the show is back and the first episode started with a plot sprint. Unlike season two, which explored characters (not always plot) at a slow, sometimes plodding pace, season three covered many plot points in its first episode. More importantly for this article, the premiere episode also contained quite a few hacks to analyze.
So let’s jump in. I’ll start by dissecting three “hacks” from this episode, I’ll point out a few Easter eggs you may have missed, and we’ll wrap things up by talking about some wider show theories, in relation to the predictions I made in my last article.
Hacking a CTF in two minutes
Once Elliot wakes from his post-gunshot coma (six days later), he immediately picks up where he left off: trying to stop the Stage 2 hack, which could destroy an E Corp building and the paper financial records it contains. After all, the “good” Elliot we know did not sign up for mass murder.
However, Elliot doesn’t have access to the Dark Army’s servers or E Corp’s backdoored network anymore. He needs internet access to hack his way back in, but where do you get that in a blacked-out city with no electricity? After finding Darlene at his apartment, he learns of an underground hacking club that apparently still has access to electricity, and a fast fiber network connection, so he visits the club with Darlene.
Before getting to the actual hacks, the premise that this club has internet access raises a few technical problems. Remember, the entire city has been without power for days; most shots show everything dark, skyscrapers included. Generators can certainly power a specific building, but an internet connection needs more than your own computers and routers to be powered. Every routing hop between you and the system you want to reach needs power too, so this presumes the club’s ISP is also running on generators, and that E Corp’s servers, which Elliot is trying to reach, have power as well. The episode has already shown some E Corp buildings (specifically the one housing the paper records) completely blacked out. It seems a little strange that one small hacker hangout in New York not only has the power to run its computers, but that every network hop in between is also up during a widespread outage.
Since it’s technically possible for lots of organizations to have backup generators, I’ll give this a pass. Still, if one ISP has the backup power to keep offering internet, why wouldn’t many of them? In any case, this isn’t a big deal in the scheme of things, so back to the hacks.
It turns out that the hackers at this underground hangout are participating in a DEF CON CTF contest. Let’s unpack what this really means.
First of all, DEF CON is a well-known hacking convention. Tens of thousands of hackers around the world attend this conference to learn about the latest hacks and research, to interact with their peers, and to participate in fun hacking contests and events.
Does the show get DEF CON right?
At first blush, not quite … but there is more to the story. When most people think of DEF CON, they think of the main conference, which takes place in Las Vegas, not New York. That conference draws droves of attendees, not just 50 hackers in a club, and the club scene is nothing like the real DEF CON.
However, DEF CON has become so popular that it has spawned sub groups, like DEF CON 201 in New York. It wouldn’t be that unusual for a local group of hackers to occasionally meet using the DEF CON name. In real life, these hacker meetups don’t really look as cinematic as the show portrays, with neon lights, loud EDM music and cheering crowds. Nonetheless, local hacker groups do meet for fun and hacker games.
During this meetup, the hackers are playing Capture the Flag (CTF), a contest that pits hackers against each other in computer security challenges. In an attack-defense CTF, opposing teams must protect their own servers while attacking their opponents’; each server holds some piece of data, or “flag,” that the other team has to capture first to score. In jeopardy-style challenges, contestants race to be the first to find a flaw in some network service or binary and exploit it to read the flag.
In any case, CTF challenges are very real, and a very popular activity at many different hacking and computer security conferences and events. While the crowds may not be as dense, nor cheer as loudly, the CTF scene in this episode was pretty true to life.
Back to the scene. In this act, Elliot performs two hacks. First, he needs access to one of the CTF computers for an internet connection. However, no one will just let him use a computer while the CTF is running, so he needs to quickly win the CTF contest. Second, when the crowd is distracted, he can use that computer to pull off the real hack, which is to regain access to the backdoor on an E Corp server.
Elliot learns that this CTF challenge asks hackers to find a flaw in a networked minesweeper game. With the right exploit, they can take over the server running the game and capture the “flag” stored on it. Unfortunately, the show doesn’t include any readable screenshots of the game or the hack; you only hear Elliot explaining to a contestant what he should do. Basically, Elliot tells the contestant that the game’s weakness is its save and load mechanism, which is where an attacker can inject malicious data into the game. To protect the save mechanism, though, the game encodes the save data with a remote, server-side “key,” so the attacker must first recover that key in order to craft properly encoded save data. Apparently, winning the minesweeper game gives Elliot the board layout he needs to reverse the game’s simple save encoding, which he does, winning the CTF in two minutes.
Is this hack realistic? Unfortunately, the show didn’t display any screens that would let us analyze its technical accuracy on our own. However, one of the show’s consultants did share that this challenge is based on a real minesweeper CTF challenge from the past. In fact, someone who completed the real challenge wrote this write-up, which basically describes Elliot’s solution. In short, the CTF hack, though not actually shown in the episode, is entirely realistic. The only question is whether anyone could really have figured the whole thing out in two minutes, after seeing a code excerpt for 30 seconds. That might be a stretch, but the hack itself is legit.
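The mechanism Elliot describes is a classic known-plaintext problem, and it is worth seeing in code. The following is an added illustration, not code from the episode, the real CTF, or the write-up; it invents a toy save format (“field=value;” pairs) and a toy server-side “encoding” (repeating-key XOR), both of which are assumptions for the example. Given one save whose contents you already know, such as the board you just won, you recover the keystream, confirm the key by spotting where the keystream repeats, and then encode a save of your own choosing that the server decodes and trusts.

```python
from itertools import cycle
from typing import Dict, Optional


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Toy server-side "encoding": repeating-key XOR (an assumption for this
    example). XOR is symmetric, so the same function also decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: wherever the plaintext P is known, K = C xor P."""
    if len(known_plaintext) > len(ciphertext):
        raise ValueError("known plaintext is longer than the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def confirmed_key(keystream: bytes) -> Optional[bytes]:
    """Return the shortest unit the keystream repeats (the key), but only if we
    actually saw it repeat. If the known plaintext was not longer than the key,
    return None rather than a possibly truncated key."""
    for period in range(1, len(keystream)):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return keystream[:period]
    return None


def parse_save(plain: bytes) -> Dict[str, str]:
    """The game's (hypothetical) save format: "field=value;" pairs."""
    fields: Dict[str, str] = {}
    for item in plain.split(b";"):
        if b"=" in item:
            name, value = item.split(b"=", 1)
            fields[name.decode(errors="replace")] = value.decode(errors="replace")
    return fields


def server_load(blob: bytes, server_key: bytes) -> Dict[str, str]:
    """What the server does with an uploaded save: decode it with its secret
    key and trust whatever fields come out."""
    return parse_save(xor_encode(blob, server_key))


def forge_save(ciphertext: bytes, known_plaintext: bytes, wanted: Dict[str, str]) -> bytes:
    """Recover the key from one save whose plaintext we know, then encode a save
    with the fields we want. Refuses if the key could not be confirmed."""
    key = confirmed_key(recover_keystream(ciphertext, known_plaintext))
    if key is None:
        raise ValueError("known plaintext too short to confirm the key; need a longer known save")
    plain = b"".join(f"{name}={value};".encode() for name, value in wanted.items())
    return xor_encode(plain, key)


# Constructed demo data (not from the episode or the real challenge).
SERVER_KEY = b"s3rv3r-k3y"                 # the secret only the server should know
KNOWN_BOARD = b"board=..*..*....*.*..;"    # layout the player learns by winning
INTERCEPTED_SAVE = xor_encode(KNOWN_BOARD + b"score=1;", SERVER_KEY)

if __name__ == "__main__":
    key = confirmed_key(recover_keystream(INTERCEPTED_SAVE, KNOWN_BOARD))
    print("recovered key:", key)
    forged = forge_save(INTERCEPTED_SAVE, KNOWN_BOARD, {"board": "...", "score": "99999"})
    print("server loads forged save as:", server_load(forged, SERVER_KEY))
```

The check in confirmed_key is the part that matters in practice: with a known plaintext shorter than the key you only learn a prefix of the keystream, and a forged save encoded with a truncated key would fail to decode on the server. The real fix is the obvious one, an authenticated save (an HMAC over the data with a server-side secret) rather than an obscuring encode.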
Reclaiming a lost backdoor
Once Elliot has won the CTF challenge, he uses the internet-connected computer for a few minutes while the crowd is distracted by the victory.
If you remember last season, the Dark Army leveraged the Femtocell hack to gain internal access to E Corp’s network, which they used to place a backdoor on E Corp’s UPS systems for the Stage 2 attack.
Most backdoor malware uses a command and control channel, C&C or C2 for short. Rather than waiting for the attacker to connect in, the infected host beacons out to an attacker-controlled network address, which gives the attacker the remote access they need to control the backdoor from outside the victim’s network (and slips past firewalls that block inbound connections but allow outbound ones).
According to Elliot’s voiceover, the UPS backdoor’s C2 currently beacons to a Dark Army computer, which he no longer has access to. Elliot wants that C2 traffic to come to his computer (the CTF computer he’s on) instead. He mentions that the UPS backdoor was set to use a hard-coded (unchangeable) domain name for its C2 channel.
As you probably know, domain names are easy-to-remember names that point to IP addresses, the numbers computers use to find each other on a network. If a backdoor’s C2 pointed to a hard-coded IP address, getting that backdoor to talk to a new computer would be hard, since public IP addresses are assigned by ISPs and you can’t simply claim someone else’s. If the C2 uses a domain name, however, you have a chance to make that name resolve to a new IP address.
The Domain Name System (DNS) is the protocol we use to look up the IP address behind a domain name. Organizations called registrars sell domain names and let their customers control where those names point, either by editing the records directly or by choosing the name servers that publish them. In this case, the Dark Army owns the domain name the C2 points to and therefore controls which IP it maps to. To get the backdoor’s C2 to communicate with his computer, Elliot needs to hack the DNS registrar and change the Dark Army domain’s records to point at himself.
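To make the difference between a hard-coded IP and a hard-coded domain concrete, here is an added example, not from the show and not any real implant’s code, with a stand-in resolver, a function that works out where an implant will beacon next, and a defender-side check that walks constructed passive-DNS style log lines and flags a watched domain that suddenly resolves somewhere new, which is the observable side effect of a registrar hijack. The domain names, IP addresses (from the reserved documentation ranges) and log format are all made up for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple


class ToyResolver:
    """Stand-in for public DNS (an assumption for this example). Whoever
    controls the registrar account for a domain controls what this returns."""

    def __init__(self, a_records: Dict[str, str]) -> None:
        self.a_records = dict(a_records)

    def resolve(self, name: str) -> str:
        return self.a_records[name]          # KeyError if the name does not exist

    def update(self, name: str, ip: str) -> None:
        self.a_records[name] = ip


def beacon_target(c2_setting: str, dns: ToyResolver) -> str:
    """Where an implant with this hard-coded C2 setting connects on its next
    beacon. An IP literal is used as-is, so only the owner of that address can
    receive the traffic; a domain name is resolved every time, so whoever
    controls the name controls the C2."""
    try:
        return str(ipaddress.ip_address(c2_setting))
    except ValueError:                        # not an IP literal, treat as a hostname
        return dns.resolve(c2_setting)


def redirect_c2(dns: ToyResolver, domain: str, new_ip: str) -> str:
    """What a registrar-level change does: repoint the name, then report where
    the unchanged implant beacons now."""
    dns.update(domain, new_ip)
    return beacon_target(domain, dns)


def resolution_changes(pdns_lines: List[str], watch: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Defender side. pdns_lines use a constructed 'timestamp qname A rdata'
    format. Returns (timestamp, qname, old_ip, new_ip) each time a watched
    name's A record changes, which is what a hijack looks like in passive DNS."""
    last_seen: Dict[str, str] = {}
    changes: List[Tuple[str, str, str, str]] = []
    for line in pdns_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        ts, qname, _, rdata = parts
        if qname not in watch:
            continue
        previous = last_seen.get(qname)
        if previous is not None and previous != rdata:
            changes.append((ts, qname, previous, rdata))
        last_seen[qname] = rdata
    return changes


# Constructed sample data: reserved example names and documentation IP ranges.
ORIGINAL_C2_IP = "203.0.113.10"
NEW_C2_IP = "198.51.100.7"
SAMPLE_PDNS = [
    "2017-10-12T01:00Z beacon.example A 203.0.113.10",
    "2017-10-12T02:00Z beacon.example A 203.0.113.10",
    "2017-10-12T02:30Z www.example A 192.0.2.44",
    "2017-10-12T03:02Z beacon.example A 198.51.100.7",
    "2017-10-12T04:00Z beacon.example A 198.51.100.7",
]

if __name__ == "__main__":
    dns = ToyResolver({"beacon.example": ORIGINAL_C2_IP})
    print("domain-based implant beacons to", beacon_target("beacon.example", dns))
    print("after repointing the name:", redirect_c2(dns, "beacon.example", NEW_C2_IP))
    print("IP-based implant still beacons to", beacon_target(ORIGINAL_C2_IP, dns))
    print("passive DNS shows:", resolution_changes(SAMPLE_PDNS, {"beacon.example"}))
```

The same check works for the defender who is not hunting a C2 at all: put your own domains on the watch list, and a registrar-account takeover shows up as a resolution change you did not make.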
Unfortunately, you don’t see or hear how Elliot hacks the domain registrar in this episode. If you watch closely, you do see a screen showing a Chinese DNS registrar, but no detail about how he gets in. Is it possible, or realistic? Sure. There have been real attacks where criminals first compromised a DNS registrar to gain control of critical domains, such as this recent Brazilian bank heist.
That said, DNS registrars are major targets, which is why most of them have better security than the average business. The idea that Elliot, no matter how great a hacker he is, can hijack a DNS registrar so quickly with little preparation or reconnaissance is a little too “Hollywood,” especially since the show doesn’t demonstrate or explain how this pretty significant hack happened. In the end, this type of hack is possible, so it doesn’t count against the show’s realism. It’s a little disappointing that they leave the technical details out, though.
In any case, we know Elliot’s unexplained registrar hack works, since he regains control of the backdoor’s C2. The rest of the scene plays out realistically. In one screenshot, you see a tool called rwwwshell. This is a real, albeit old, web-based reverse shell script, exactly the type of tool an attacker might use to build a C2 channel that looks like ordinary outbound web traffic. Once Elliot gains access to the backdoor through this shell, you see him use the shred command, the same “secure” delete command we’ve seen him use in previous episodes. Shredding the backdoor’s files would wipe out the backdoor tools on E Corp’s server, removing the backdoor. One caveat a practitioner would add: shred overwrites a file in place, which its own documentation warns is not reliable on log-structured or journaled filesystems (in some modes), copy-on-write filesystems, or flash storage that remaps writes, and it does nothing about logs or other traces of the backdoor’s activity. The cleanup is more effective at killing the implant than at hiding that it was ever there.
Irving hacks an FBI SUV?
In this episode, we meet a new character who I suspect will become one of my favorites: Irving, played by Bobby Cannavale. Irving is a used-car salesman by day and the Dark Army’s criminal fixer by night. After removing the backdoor, Elliot and Darlene are escorted out of the hacker meetup by a few Dark Army thugs. As they leave, Irving pulls up in a cab and warns them that the FBI is following Darlene, so they jump in to shake the tail.
What follows is a theoretically realistic social engineering car hack.
In the cab, Irving asks Elliot to get the FBI car’s license plate number. He then has Darlene look up that plate on a laptop he provides. The laptop is connected to a site labeled NYSP NCIC, which reads as New York State Police plus NCIC, the FBI’s National Crime Information Center, the real database that state and local police query for vehicle and wanted-person records. While I’m sure this isn’t the actual name of the New York police’s site, it’s quite normal for police to have internal web services and databases that let them look up vehicle owner information from a license plate.
This lookup provides Irving with the FBI vehicle’s VIN. Irving then calls OnStar, pretending to be a detective with a presumably valid badge number. In the real world, OnStar does have significant access to some of the computers in a GM car, which lets it unlock the doors, start the vehicle, or set off the alarm remotely. More importantly, OnStar can also disable a car, which is what Irving has them do to the FBI’s SUV, stopping it mid-chase. (OnStar’s documented stolen-vehicle features are a gradual slowdown and a block on restarting the ignition rather than an instant kill, and they are only supposed to be used at the request of law enforcement, which is exactly the process Irving’s pretext abuses.)
In short, this little social engineering car hack is entirely plausible. The only question I have is how Irving had access to the NYSP’s site, which would surely sit behind a VPN and require legitimate credentials. Maybe Irving was a cop in the past?
Finding E Corp holes with Shodan
For the last hack this episode, Mr. Robot is in control. Elliot returns to Angela’s house and falls asleep. However, his alter, Mr. Robot, wakes up instead, and is upset that the real Elliot removed the Stage 2 backdoor. Angela and Mr. Robot visit Tyrell, where we see Mr. Robot start to figure out how to regain access to E Corp’s network.
In this scene, we see Mr. Robot visit a site called Shodan.io. This is a very legitimate site that is popular among security experts and hackers alike. Using scanning techniques similar to nmap’s, Shodan’s servers crawl and scan most of the IPv4 address space, trying to find and fingerprint every device connected to the Internet. Shodan’s crawlers record which network services each device listens on and grab the header and banner data that fingerprints the software or hardware behind them. Shodan stores all this information in a searchable database, so users can search for a software name and find every Internet-facing device that appears to run it. Hackers with a new exploit for a particular piece of software use Shodan to find targets on the Internet.
In a short clip, you see Mr. Robot type the following search into Shodan:
org:"Evil Corp" product:"Apache Tomcat"
The “org” filter limits results to devices Shodan attributes to E Corp, and the “product” filter limits the search to one specific network service, in this case Apache Tomcat, a Java servlet container and web server. This is an accurate portrayal of how hackers use Shodan. For instance, if you replaced the organization name with Google on the real Shodan site, you would quickly find the publicly exposed servers Shodan attributes to Google that advertise Apache Tomcat.
So why is Mr. Robot doing this? It’s all about reconnaissance. As he targets a victim, he needs to learn what network services the victim exposes. Mr. Robot presumably already knows a weakness in Apache Tomcat, perhaps a zero-day exploit for that software, and is checking whether E Corp has Tomcat servers so he can use that exploit against them later.
By the way, if this Apache stuff sounds vaguely familiar, Equifax recently suffered a huge data breach that exposed the private records of about 145 million U.S. consumers. Equifax attributed the breach to an unpatched installation of Apache Struts, a Java web framework, with a critical vulnerability (CVE-2017-5638) that Apache had fixed months earlier. Struts and Tomcat are different Apache projects (Struts applications typically run inside a servlet container such as Tomcat), but both have had critical vulnerabilities in the past. You should expect to see Mr. Robot/Elliot hacking a Tomcat server in future episodes.
Hidden technical Easter eggs
As always, this episode had many other technical Easter eggs buried in its visuals. Let me share a few.
- When Darlene visits the NYSP site to look up the license plate for Irving, the site’s URL is visible. As always, you should try visiting these URLs, since the show runners put a lot of effort into actually putting these sites up to extend the “Mr. Robot” experience into real life. In fact, these fake sites often let you do the things you see in the episode (try entering the license plate Darlene does). Furthermore, smart hackers like Elliot, who look at source code, can sometimes find other hidden surprises.
- During one of Elliot’s intense soliloquies about society, he stands in front of a wall of missing person pictures. Did you notice the QR code next to Romero’s picture? Did you follow it? Maybe you should.
- I mentioned the realistic Shodan.io search above. Shodan is a real tool, but E Corp obviously isn’t real. Nonetheless, if you try “Mr. Robot’s” specific Shodan search, you will get results that point you towards some interesting servers. This is more stuff the show runners have set up for their online game.
Predictions gone very wrong, or, very right?
Before I end this rewind, I can’t help but comment on some of the predictions I made for this season, largely because the first episode has touched on many of them in one way or the other.
One of my predictions was that the Washington Township Plant (WTP) would involve something nuclear, and right away we see a scene where Defense Minister Zhang (whiterose) is walking through a nuclear plant. While I admit there is likely more to this nuclear plant than meets the eye, nuclear energy is definitely involved in this story.
I also said that Stage 2 would not work as expected, and the E Corp building would not get blown up by UPS devices. In this episode, Elliot shreds the Stage 2 backdoor, so that prediction is right on too.
However, the one prediction I’m a bit worried about is that “Mr. Robot” will stay grounded in reality. In that prediction, I said that despite some hints toward theories like parallel universes, the mysteries around Elliot and whiterose would not involve sci-fi.
I am now questioning this theory, as the episode contained many overt and subtle references to parallel universes or multiverse theory. For instance, in the nuclear plant, you hear a scientist specifically referencing multiple universes. More importantly, in the opening credit shot, we see whiterose standing next to an unusual contraption in the Washington Township nuclear plant. They don’t explain it, but to my eye it looks like a large particle accelerator, similar to the Large Hadron Collider (LHC) in Europe. While particle accelerators don’t directly correlate to parallel universes, there are some (fictional) theories about parallel universes being created by these colliders. Finally, Angela hints to Elliot that they can somehow turn back time to a point where their parents don’t die. This probably doesn’t mean time travel, rather, it could hint at an alternate universe where their parents never died in the first place.
I, for one, still hope that these are just very well-crafted red herrings. While multiverse theories and hypotheses are real — in fact, some of the ideas come from Stephen Hawking’s black hole research — they’re still very unproven, and still qualify as science fiction in my opinion. While I do like sci-fi shows, to me, the beauty of “Mr. Robot” is how grounded it is in reality. I guess only time will tell if my “based in reality” prediction is way off, or right on.
Learning from the Shodan search engine
While this episode had many hack-related scenes, not all of them were direct attacks on an organization’s infrastructure. Mr. Robot’s Shodan search, for instance, wasn’t a hack you could block; it was reconnaissance into an organization’s weaknesses. You can still learn from it, though.
The fact that Shodan exists should remind you that every network service you put on the internet is exposed to the whole world. Attackers can find it in seconds, and tools like Shodan will also tell them the specific version of software you run, so an unpatched public service is one whose vulnerabilities attackers can see and know to exploit. Patch public servers quickly, so that even when attackers find them on Shodan they can’t break in. Better still, run the same org: search against your own organization to see what you are exposing, take services that don’t need to be public off the internet, and trim banners that advertise exact versions.
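Here is an added example, not code from the show or from Shodan, that models both the Shodan search seen earlier and the lesson in this section. It parses Shodan-style filter syntax such as org:"Evil Corp" product:"Apache Tomcat" into filters, runs them over a constructed set of host records (the matching rules are an approximation of Shodan’s; the real filter list is documented at shodan.io), and then flags hosts whose advertised version is older than a baseline you choose. The host records, IP addresses (documentation ranges) and the baseline version are all constructed for the example.

```python
import re
from typing import Dict, List

# One Shodan-style filter: key:"quoted value" or key:bareword (an approximation
# of Shodan's syntax for this example).
FILTER_RE = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')


def parse_query(query: str) -> Dict[str, str]:
    """Turn 'org:"Evil Corp" product:"Apache Tomcat"' into
    {'org': 'Evil Corp', 'product': 'Apache Tomcat'}. Any leftover bare words
    become a 'text' filter, matched against the raw banner."""
    filters = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
               for m in FILTER_RE.finditer(query)}
    free_text = FILTER_RE.sub("", query).strip()
    if free_text:
        filters["text"] = free_text
    return filters


def matches(host: Dict[str, object], filters: Dict[str, str]) -> bool:
    """Does one host record satisfy every filter? Comparisons are
    case-insensitive; a filter key the record does not have matches nothing."""
    for key, value in filters.items():
        if key == "text":
            if value.lower() not in str(host.get("banner", "")).lower():
                return False
        elif key in host:
            if str(host[key]).lower() != value.lower():
                return False
        else:
            return False
    return True


def search(query: str, hosts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The Shodan search as the show uses it: which hosts does this query return?"""
    filters = parse_query(query)
    return [h for h in hosts if matches(h, filters)]


def parse_version(version: str) -> tuple:
    """'7.0.52' -> (7, 0, 52) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def below_baseline(hosts: List[Dict[str, object]], baseline: str) -> List[str]:
    """The defender's use of the same data: IPs of hosts whose advertised
    version is older than the baseline you consider patched."""
    floor = parse_version(baseline)
    return [str(h["ip"]) for h in hosts if parse_version(str(h["version"])) < floor]


# Constructed host records (documentation IP ranges; not real Shodan data).
HOSTS: List[Dict[str, object]] = [
    {"ip": "203.0.113.5", "port": 8080, "org": "Evil Corp", "product": "Apache Tomcat",
     "version": "7.0.52", "banner": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"},
    {"ip": "203.0.113.9", "port": 443, "org": "Evil Corp", "product": "nginx",
     "version": "1.12.1", "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.12.1\r\n"},
    {"ip": "198.51.100.20", "port": 8443, "org": "Evil Corp", "product": "Apache Tomcat",
     "version": "8.5.23", "banner": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"},
    {"ip": "192.0.2.7", "port": 8080, "org": "Some Other Org", "product": "Apache Tomcat",
     "version": "7.0.52", "banner": "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"},
]

if __name__ == "__main__":
    query = 'org:"Evil Corp" product:"Apache Tomcat"'
    hits = search(query, HOSTS)
    print(query, "->", [h["ip"] for h in hits])
    print("older than the 8.5.23 baseline:", below_baseline(hits, "8.5.23"))
```

Note what the attacker and the defender get from the same records: the attacker’s query answers “who runs this product,” while below_baseline answers “which of mine advertise a version I should have patched,” which is the list to work through before someone else finds it on Shodan.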
With the first episode full of hacks and plot movement, this season of “Mr. Robot” already looks like it will be a wild ride. I can’t wait to see what the show throws at us next, and hope you join me next week to analyze the hacks of episode two. As always, I look forward to your comments, theories and feedback below.