[Spoiler Alert] This article discusses plot points and full technical details from Mr. Robot episode 7 (eps3.6_fredrick+tanya.chk). Stop here if you haven’t watched the episode.
This episode should be called, The Culling of Fsociety… Wow. I’m sad to see two incredibly interesting characters go in the latest episode of Mr. Robot.
LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.
If you’re new to the Mr. Robot Rewind series, these articles dissect the hacks we see in most episodes to determine what’s accurate, and what’s not. Surprisingly, this series takes technology so seriously that it gets just about everything right (with a few exceptions to drive the narrative).
Episode 7, however, didn’t really contain any hacks; just an allusion to one that could have happened. Nonetheless, we can still appreciate the few technical details included, at least once we’re finished weeping about our lost friends. Let’s take a look.
Brute Forcing Bike Locks in the Back Seat
Before analyzing the one true hack-related scene of the episode, let’s talk about cracking bike locks. As I’ve mentioned in past articles, Mr. Robot’s lock-picking, combo-cracking scenes fit right in with the hacking community. While digital cryptography and physically cracking bike locks are two different beasts, learning the math and psychology behind combinations can help hackers with their attempts to brute force user credentials and passwords.
In this episode, Leon (the Dark Army assassin) has Trenton and Mobley tied up in the back seat of his car, shackled with what appear to be bike locks. The lock we see has a pretty standard four-digit combination, which Trenton quickly cracks in an attempt to escape. Is this realistic?
First, let’s look at the math for this type of combination lock. These locks use digits (not letters) — either 0-9 or 1-9. We’ll assume the slightly stronger 0-9, which means each of the four digits can be one of 10 possibilities. To identify the total number of combination possibilities, you simply figure out 10 to the fourth power, which is 10,000. In other words, there are only 10,000 combination possibilities (or less with a 1-9 model) with any four-digit lock.
If this combination were part of some computer program (without login throttling), it would be trivial for a hacker like Trenton to use computing power to crack it in less than a second. However, physical locks require physical manipulation, which takes time. The reason four-digit locks are usually good enough is because a human would have to stand around for quite a while to try every combination. Let’s be generous and assume it only takes Trenton three seconds to try each of the 10,000 four-digit combinations. It would still take her eight hours to go through every option, and she probably only had around an hour in the back of that car.
However, there are other ways hackers can speed things up. They know about common pins (or common passwords). Unfortunately, psychology makes humans relatively predictable animals. There have been many studies showing how we use similar passwords and pins, or at least use similar methods when picking our credentials. In fact, one study showed that over 26 percent of all four-digit pins is one of a meager 20 combinations. It’s possible that Trenton knew this, and was able to get to the right combination quickly.
More importantly, however, hackers know how to exploit implementation weaknesses or flaws in a system. Some bike locks similar to the one shown in this scene have had historical design flaws. This HowTo shows that you can look for a slight gap between numbers that only shows up when you hit the right number. Using a trick like that, you could completely “hack” a four-digit bike lock in under a minute.
In short, if she knew the right technique for the lock in question, it is plausible for Trenton to have cracked this sort of lock in under the eight hours it would take to brute force it. Also, hackers like Mobley and Trenton might be familiar with these sorts of lock tricks, simply because of the proximity between the lock picking and hacking sub-culture. All that said, we didn’t actually see her doing the “gap checking” technique from the video, and it would have been much harder to do with the way her hands were positioned.
Crashing Planes with Java Server Hacks?
To be honest, this episode didn’t have any real hacks. However, one scene shows the Dark Army implicating Trenton and Mobley in the Stage 2 hack by making it seem like they have been researching the latest hack promised by a (fake) Fsociety video.
Near the end of the episode, whiterose’s right-hand man brings Trenton and Mobley into their garage, where the Dark Army has staged a few computers and printouts. He then has them explain what they see on these terminals. Let’s explore their responses, and the screens we see.
First, Trenton says, “A threat analysis for the FAA’s next-gen IP-based system,” and we see this screen:
What I see on this screen is evidence of hacker reconnaissance, where they research a target to find out how they might breach its network. This is what Trenton means by threat analysis. The main window is a browser doing a search on the Common Vulnerabilities and Exposures (CVE) database, a U.S government-sponsored site that catalogs all the publically known and reported security flaws in various software. Specifically, someone has searched on vulnerabilities in Oracle’s WebLogic product, a Java application server. You can also see some terminal windows that correlate with WebLogic vulnerabilities, but I’ll get to those in a second. In any case, it appears that someone has figured out that this target uses Oracle WebLogic somewhere, so they are looking for a flaw to exploit within that software.
This sort of recon is true to life. However, I will say there doesn’t appear to be anything on this screen that would give Trenton the idea that the FAA’s systems were the target yet … that evidence is more on Mobley’s screens, but I’ll give the show some artistic leeway here.
Next, Mobley says, “Targeting IPs in Chicago, Atlanta, L.A.,” and here’s his screen:
Now, these screens are the ones that would’ve really tipped them off that the target is planes. We see a number of screens referring to NEMS, an FAA Enterprise Messaging Service, and the FTI WAN, (FAA Telecommunications Infrastructure), which is basically a secure FAA network for their “Next Generation Air Transport System.” This too is great evidence of reconnaissance. Believe it or not, basic Google searches (and more advanced ones) play a big part in hacker research, and sometimes there are some very juicy documents with interesting technical details online. If you do a basic search for “FAA NAS Enterprise Messaging Service,” you’ll find many documents similar to these online right now, including the map with the NEMS deployment status in an online user guide.
Trenton then says, “This is malware that targets air-traffic control systems at major airports,” while we see two screens below (really just close-ups of her first screen):
Let’s break down these shots. First, on the top screen we see the edge of another NEMS document, where you can tell the system uses both Apache ActiveMQ technology and Oracle’s WebLogic. So now we know why the hackers were searching for WebLogic vulnerabilities. The top portion also highlights the results of a great tool called SearchSploit, which comes with Kali Linux (a popular open source penetration testing distribution). Using that tool, you could do a search like “searchsploit WebLogic remote”, and get a very similar output to what you see, which lists every exploit in Kali’s database for the WebLogic server.
On the bottom screen, you see two Python scripts. The first is called weblogic.py. If you do a Google search on that, you’ll quickly find a Github link for a real WebLogic exploit released by the FoxGlove Security team. This exploited a very serious remote root Java de-serialization vulnerability in WebLogic (specifically CVE-2015-4852) and many other products back in 2015 (the year the show takes place). The general Java de-serialization vulnerability was reported early, but many didn’t realize how many products it truly affected until much later. In any case, this exploit could give remote attackers full control of an unpatched WebLogic server.
We also see a second window with a serializekiller.py script. This is also a real-life script you can Google and find on Github. This tool can scan a network looking for servers vulnerable to this flaw. While it’s a great tool to help white hats find and patch susceptible servers, black hats can also use it to find targets. If you want to know more about this critical old flaw, the ReadMe for this script points to just about the best technical write-up out there.
In the end, all this leads Mobley to summarize, “They’re planning another attack, probably like today, except this time, they’re crashing planes.”
Real Exploits, Unlikely Outcome
Based on all that analysis, you can probably tell there is a lot of reality in this scene. The screens on the Dark Army’s staged computers tell the story of real-world hacker reconnaissance techniques. It’s true and verifiable that organizations like the FAA might have documents for public consumption that do hint at the technologies they use (which could help hackers target them). Furthermore, that specific remote WebLogic vulnerability did exist in 2015, and the exploit scripts they use are real too (though I wouldn’t call them malware like Trenton did – that term is typically reserved for the malicious payload, not an exploit script).
However, none of this suggests that this particular hack could take down planes in the real world. First, the FAA’s FTI network is mostly private and secured. Many of the FAA’s NEMS systems might reside on that private network, which a normal hacker would not be able to easily access. That said, though you don’t see it in the actual episode, you can find a complete version of Trenton’s NEMS screen hiding on the “whoismrrobot.com” site. That full screen, which is based on a real FAA document, suggests external clients might have access to the WebLogic server. As an aside, it looks like the show misspelled the word “external,” as “exernal” in the fake version.
More important to whether or not this WebLogic server is publicly accessible, is what capabilities it could give an attacker. At the end of the day, even if this entire hack was successful, I think the hacker would only have some access to air traffic control (ATC). Don’t get me wrong, having access to deliver false information to ATC could be very bad, but at the end of the day, pilots still fly planes. They may have bad information, and if they only trust auto-pilot, there would be issues, but I don’t think a hack like this could guarantee planes falling out of the air.
In the end, however, the efficacy of this hack doesn’t even matter in the show’s universe. The Dark Army never intended to go through with this attack. They simply wanted to stage enough evidence to set Trenton and Mobley up as scapegoats for previous hacks. So, while I don’t think this FAA hack would be effective, all the techniques and exploits used in the show are real, and it would be pretty convincing evidence for the FBI team.
Easter Eggs and odds ‘n’ ends
This episode was light on hacks, but it was also very light on its regular Easter eggs. However, if you haven’t found the “whoismrrobot.com” site yet, know that it’s regularly updated with new clues and games. After this episode, that site added a whole new terminal you can interact with. Among other things, you can actually see better resolution close-ups of some of the FAA-related screens from last week (it’s how I saw details I couldn’t actually see in the show). These screens are just the surface layer to some additional puzzles buried on this site. If you’re a hacker at heart, I recommend you visit it often.
One last aside… Though you probably mourn Trenton and Mobley’s deaths, remember Trenton might still redeem the team in death with her mysterious email. We ended last season hearing Trenton suggest she had an idea that might allow them to turn back the 5/9 hack. And in the car, she told Mobley that if she doesn’t get back to her computer by a certain time, it will automatically email some trusted party. I’m not sure who that trusted party might be (does she still trust Darlene?), but my gut tells me her email may have to do with encryption.
Learning from Mr. Robot: Always Update Server Software
Hopefully, my discussion about brute forcing combination locks got you thinking about password length. If a computer can crack a four-digit code in under a second, how many characters do you need for a strong password? My current answer is 14. However, the more important lesson from this episode is the importance of keeping all software up to date, and how flaws in “open source” software can affect many products.
In this episode, we saw how the Dark Army might have leveraged a very serious WebLogic vulnerability. In fact, this was a flaw found in one package first – Apache Commons – but was later realized to affect many other things. There isn’t much you can do to protect yourself from vulnerabilities you don’t know about, but if a vendor like Oracle releases a patch for a known vulnerability, you should usually apply that update as soon as you can. Otherwise, Dark Army hackers might exploit it (or set others up for exploiting it)!
Please join me again for future installments of Mr. Robot Rewind, and feel free to share your comments, theories and feedback below!