‘Mr. Robot’ Rewind: Rewinding the '5/9' hack in a stunning season finale

Elliot (Rami Malek) in the ‘Mr. Robot’ season finale. (Photo via USA Networks)

[Spoiler Alert] In order to deeply analyze the hacks in Mr. Robot Episode 10 (shutdown-r), this article covers various important plot points. If you haven’t watched through the season three finale episode, come back and read this later.

Even if it hadn’t included any technical hacks, this last episode sure did hack my mind.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

With all its twists, reveals, and deaths, there was a lot going on in the season three finale of Mr. Robot. I’m sure many fans (me included) will be discussing things like Angela’s father, Dom’s turning, and Elliot and Mr. Robot’s new relationship for quite a while.

However, that’s not what the Mr. Robot Rewind series is here for. Instead, this article dissects the technical hacks in the show, helps explain what you might have missed, and judges them on real-world accuracy.

Hack-wise, the final episode of the season started slow. However, Elliot did get a significant bit of computer time near the end. Let’s jump in and explore the hacks and hacker-related scenes from the episode.

Lock Picking and Code Cracking Cameos

The first hints to hacker culture make us recall things we’ve seen Elliot and the Fsociety crew do before—picking locks and cracking codes.

After Mr. Robot (MR) and Elliot start talking again, MR tells Elliot about Santiago, and he goes to search his apartment for leads on Darlene. During the scene, we see Elliot pick a desk lock.

Figure 1: Elliot still finding use for his lock-picking skills.

There’s no huge meaning or reveal here. However, I’ve mentioned many times during the Rewind series that lock-picking culture is closely tied to hacker culture, especially at conferences like DEF CON. While picking locks is not hacking, Elliot knowing how to do it actually grounds him in the real-world hacking scene, simply because it’s a skill real hackers talk about and practice.

We also see MR-Elliot find a new hidden code on a Red Wheelbarrow BBQ flier.

Figure 2: Hidden code on a RWB BBQ flier.

Irving interrupts MR-Elliot before they solve this code, so it really doesn’t add any context to the episode; it’s just a fun Easter egg. However, the screenshot does hide a message. As the first “N” suggests, those numbers translate to letters:

NABGUREUARTBGPNHTUGGBQNLVGFNYYBIREGURENCREFGRRANTRENEERFGRQVAPBZCHGREPEVZRPPNAQNYUNJXRENEERFGRQNSGREONAXGNZCREVATQNZAXVQFGURLERNYYNYVXR

While that looks like gibberish, if you apply the classic ROT-13 cipher (decent ROT-13 decoder) to it, you get:

ANOTHER HNE GOT CAUGHT TODAY ITS ALL OVER THE RAPERS TEENAGER ARRESTED IN COMPUTER CRIME CCANDAL HAWKER ARRESTED AFTER BANK TAMPERING DAMN KIDS THEYRE ALL ALIKE

That phrase has some misspellings (which Mr. Robot ARGers are finding more meaning in), but it’s actually a fun reference to the beginning of “The Hacker Manifesto,” a popular essay written by an arrested 80s hacker, and also published in the Phrack ezine.

Again, this particular code actually ends up having nothing to do with the overall episode narrative, but code cracking is a cool part of the hacker culture, and this one hid a relevant hacker shout-out.

Fixing whiterose’s Congo Shipment

The beginning of the finale had me worried about this Rewind article, since we see no computer usage. It’s not until 50 minutes into the hour and ten-minute episode that Elliot gets on a terminal.

During the final scene in the barn, Elliot is gambling that whiterose is watching and listening to everything through a security IP camera. He offers her a deal, saying he can get her Congo shipment (whatever that may be) to meet its original timeline. This scene also includes an intense conclusion, where whiterose clearly picks Elliot over someone she loves.

Anyway, after whiterose’s choice, Leon pulls out a laptop with Slackware Linux and tells Elliot to pay up. Unfortunately, we don’t see any screenshots that suggest what Elliot did to “hack” this shipment. But, he mentions that, “the Coast Guard allowed a humanitarian shipment into Iran,” suggesting he somehow disguised this shipment as aid. However, if there was a hack here, we didn’t see it. So I can’t really comment on the accuracy of whatever Elliot did.

However, during this scene, we do see a link.

This Bit.ly link points to a downloadable Dropbox file. As they always do, these links actually work in real life. You can download the file you saw Elliot give to Leon and the Dark Army (DA) in this episode. The file unextracts to a text file containing GPS coordinates.

{

“DD”:{

“lat”:-10.617537,

“lng”:22.339499

“DMS”:{

“lat”:”10º37’3.14\” S”,

“lng”:”22º20’22.2\” E”

“geohash”:”kqpgs75hk5″,

“UTM”:”34L 646530.0545339 8825993.18511926″

}

Those coordinates point to a location in the DR Congo. So far, I have no clue what the meaning of those coordinates might hide (if anything), but I still love the way the show producers actually hide these real-world files in their show. As I’ve mentioned before, hackers tend to love these sorts of Easter eggs and puzzles, so just the fact that the show includes them gives it real hacker cred.

Brute Forcing Romero’s Encrypted Keyloggers

After he shares the shipping fix with whiterose, the DA essentially lets Darlene, Elliot, and Dom (who’s now assumed to be a mole for the DA) go. So, Elliot continues with his plan to reverse the 5/9 attack by stealing Romero’s keylogger evidence from the FBI’s Sentinel system (see the last Rewind article for more context).

However, now that Irving has turned Dom, Elliot no longer needs to hack Sentinel. He can exploit Dom’s insider access. In Santiago’s FBI vehicle, we see Dom log in to Sentinel and hand over control to Elliot. He’s in!

Figure 4: Elliot finds Romero’s keylogger evidence in Sentinel.

Elliot does a quick search for Romero’s key intercept, and voila. He finds image files for the four USB keyloggers, which he downloads as a Zip file. He then gets to cracking Romero’s disk encryption password, and succeeds. The average viewer probably understood this through Elliot’s voiceover, but let’s explore some of the subtler technical details.

The first thing we see Elliot type is:

python getlyrics.py –m artist –i artists.txt –o lyrics.txt

Getlyrics.py seems to be exactly what it sounds like; a python script that goes to some online source to download the lyrics associated with an artist’s song or song library. Via Google searches, I was able to find a few real examples of this sort of script, but not one that seems to match the show exactly.

For instance, getlyrics.py really exists. It is indeed a script that allows you to download lyrics based on a search term from an online source called AZLyrics.com. However, it doesn’t seem to be a perfect fit. While this shares the exact name as the script seen in the show, the parameters shown in the episode don’t exist with this script. If you search Google for generic “python lyrics” you will also find PyLyrics. This too is a script to grab lyrics from lyrics.wikia.com, however, its usage seems different than what you see in the show. In any case, I’m not sure if the version we see in the episode really exists, or is just a “fake” one based on these other two. Whether this particular script is totally real or not, the concept is totally realistic, and these sorts of lyric download scripts do exist.

Anyway, back to the command. Since I can’t find the exact copy of the script, I can only extrapolate what some of the parameters were, but let’s break down the command.

The first parameter of py is “-m artist.” While it’s not in the real-world scripts, I’m guessing this parameter puts the script in the mode of searching an artist’s library of songs, rather than an individual song.
The second parameter, “-i artists.txt,” defines an input file. Presumably, Elliot created a text file full of musical artists. Since he’s trying to crack Romero’s passwords, I’m assuming their friendship and familiarity is what allows Elliot to focus on musicians and groups Romero liked. More on why I think that soon.
The last parameter is “-o lyrics.txt.” This creates an output file called txt that would contain all the results of the lyric searches.

In short, this command would create a text file full of the lyrics from songs and artists that Romero likes. Here’s the result of the command, including some of the downloaded artists like Curtis Mayfield.

Figure 5: Results of a lyrics search including Romero’s favorite musicians.

So why does Elliot need this?

Remember, he needs to crack the key Romero used to encrypt the keyloggers. There are many programs out there that help you brute force a password, by essentially trying every character combination. The problem is, after 6 characters, brute forcing can get really slow. Once you have a password over 10-12 characters, today’s computers will not be able to brute force those passwords within an acceptable period of time. Chances are Romero—a smart hacker—used a long and secure password. Furthermore, the FBI would also have used their significant computer resources already to try (unsuccessfully) to brute force the password. So, how will Elliot succeed where the FBI has failed?

One way to speed up brute-forcing is a dictionary list. Rather than randomly incrementing characters, a brute force program will start by using a list of words from a dictionary you define. They can even use combinations of these words. However, Romero is probably also smarter than normal dictionary attacks, and would pick a longer password, or a passphrase, or something totally random.

This is where a custom dictionary might come in. Hackers that know a lot about their victim can cater their password dictionary to that specific victim. In this case, it appears Elliot is presuming that Romero’s password will involve music from his favorite artist. He downloaded these lyrics to use in a custom password dictionary.

That brings us to the next screenshot we see flash for a second:

This shot gives us some hints of what Elliot is up to. First, on the left side of the screen we see the command:

cryptsetup luksdump ~/keyintercept_1.raw

Immediately, this command points to something called Linux Unified Key Setup or LUKS, which is a disc encryption standard for Linux. It appears Romero encrypted his keyloggers with LUKS. The cryptsetup command Elliot runs is pointed to one of the keylogger images he grabbed from the FBI. This command would essentially give him info about the encrypted disc, including what type of encryption it uses (AES).

On the right side of the screen, we see Elliot beginning a “Brutefo..” command. Let’s take a closer look at that.

Figure 7: Elliot’s command to brute force the keylogger passwords.

Again, the show seems to use a real-life program. Bruteforce-luks is a C application designed to brute force the passwords for LUKS encryption images. You can learn more about this program and its usage here. Let’s unpack his command.

The –t parameter defines how many concurrent threads to use while brute-forcing. Elliot picked 8. This essentially tries to speed things up a bit.
The –f parameter defines a word dictionary. Elliot is using the lyric file from his last step, since he has guessed Romero’s password involves music lyrics.
We don’t see the whole command, but the last part of a bruteforce-luks command is the LUKS partition you want to focus on. So I assume the command finished with Elliot pointing it at the ~/keyintercept_1.raw file that represents and an image of one of Romero’s keyloggers (he probably only has to crack one, since they probably all share the same password).

We then see some follow up to this command:

Figure 8: Elliot finds the password and recovers a keylogger.

This window shows us that Elliot’s hunch was correct. The brute force program found a password from the lyric file that worked. The password is, “And if there’s hell below We’re all gonna go,” which is the name of one of the tracks (Don’t Worry) from a Curtis Mayfield album called, “Curtis.”

Next, Elliot runs a command to open and mount the encrypted keylogger image using that password, which works. Then he runs a command (lsblk) to see how and where the image is mounted, and he uses the cd command to move to that directory. When he lists the directory (ls), he finds the now unencrypted keylogger output called keylog.txt. As you can tell from my description, though I couldn’t find an exact match for the lyrics script they used, everything shown in these screenshots is true to life. These commands all work. I will say, Elliot was exceedingly lucky to have the lyrics work out so perfectly. If the lyric site had written the lyrics with slightly different grammar or caps, it wouldn’t have worked. Also, bruteforcing typically takes longer than we saw, even with a dictionary. However, for the show’s purpose, it is still pretty accurate.

To end the scene, we see Elliot type, “less keylog.txt” to see what’s in that file, but it cuts off before you see the results. However, he then tells Darlene that the key logs show that Romero caught somebody else exporting the key data for the 5/9 hack. Who is that somebody?

The Keys to E Corp’s Kingdom Hidden Within an Image

If you finished the episode, you know the answer to that question. Mr. Robot — Elliot’s alter — exported the keys. Though MR might represent the “bad” side of Elliot, who will go a bit further to obtain his results, he’s still part of Elliot, and shares some “good.” In the same way, Elliot shares some or MR’s “bad.” In any case, even MR considered the chance that something could go wrong, or that their plan would have unexpected consequences. More importantly, he knew that good Elliot would have had a recovery plan. During this scene, MR and Elliot come to terms. While I don’t think we’ll see any true integration (that would be a cure for DID), I do think you can look forward to the alters working together in the next few seasons.

Back to our “Hackuracy” article, this scene matters to us because MR reveals that he exported the keys to the remote virtual machine they access at home, and he burned them to a CD. Remember, the blank CD that was shown during the title sequence? That’s the one.

Figure 9: The CD containing the E Corp keys.

After this dialog, Elliot goes home to open this CD. MR also told him that the important key info (seed data and algorithm) is embedded in an image, and Elliot will know the one.

During the next sequence, we see Elliot open DeepSound—a steganography program we’ve seen him use before—and extract a bunch of images. As he goes through them, he finds the Back to the Future photo. For anyone holding out for weird time travel theories, perhaps the “rewind” is metaphoric. This image contains the key to turning back the 5/9 hack.

Figure 10: Back to the Future image (IMG_5528.jpg) holds the key.

While Elliot has already used one steganography app to recover hidden data (getting this picture from music using DeepSound), he now needs to find some hidden data in the picture itself, which is a file called IMG_5528.jpg.

Here’s his next screen:

Figure 11: Elliot finds hidden data in an image.

Let’s cover some of the commands we see in this screen.

First, you see Elliot use a command called lsb.py to analyze two images (I’m not sure why he looked at the other image when he knew IMG_5528.jpg is the right one?). Lsb.py is a real script used to do a certain type of image steganography that leverages something called the least significant bit (LSB). Many researchers have shown [PDF] that this is a good way to hide data in JPG images. The analyze command displays an image with plotted points where the target’s LSBs are. This might help analysts figure out if there is additional data in an image. If you want to learn more about steganography and a bit more about LSB, watch my video in this blog post. BTW, there is a related Easter egg buried in that video for the curious.
After that, Elliot runs the xxd command, which just displays a hex dump of the image (I guess he’s looking for something unusual).
He creates a copy of the image he suspects (just so he doesn’t damage the original), a normal procedure for anyone doing digital forensic analysis).
Next, he runs a program called stepic. This seems to be another real python script. His specific command, “stepic -d -i IMG_5528_copy.png -o outfile,” decodes any data hidden in the copied image, and puts it in a file called outfile. You can learn about stepic parameters here.
He then runs cat to display the contents of outfile, which turns out to be a custom python script. This is likely the “algorithm” that MR mentioned, and it shows clues to the seed data.
In the output on the screen, you can see the actual python script. While I haven’t gone to the trouble of transcribing and running it, it does look like accurate, working code. At the highest level, this python script seems to take three inputs; a password, the data from an offset in some input file, and the result of a “nonrand” function, which seems to be the opposite of a random number generator. Normally, if you want to make a really unique, nondeterministic “thing,” crypto algorithms use randomness with pseudorandom data generators. The fact that Mr. Robot has “non-randomness” in this algorithm shows that he always wanted it to be reversible, as long as you have the right password and input file.
In the final commands, Elliot moves (mv) the python script from the outfile to one called keygen.py, and then runs it and gives it the input file and password. By the way, we see that the Back to the Future image is the right input file. We don’t see Elliot enter the password, but I assume he must know it, or have gotten it from MR.

As you can tell, these steps, and even the Python code, are all pretty dang accurate. However, there was one small mistake in this screen. In the Python code, MR asks for a data file input with the following code.

infile = raw_input(“File: “)

As you might expect, that code will display, “File:” when it expects a user to input a filename. But, when we see Elliot run this code, it displays “Input filename:”. That’s not what we see in the python code. I’m assuming this is a small production issue. Maybe the writers wanted to change the display visualization to be more descriptive. However, the code we see run, is not exactly the code that was moved to keygen.py. Of course, I’m just being a pedantic stickler here. This scene is extremely technically accurate compared to anything else you’ve ever seen on TV.

Anyway, after running the keygen, Elliot ends up with a symmetric RSA private key, which is apparently what was used to encrypt all E Corp’s data. He then sends the key to E Corp’s recovery email alias.

Easter Eggs and Odds ’n’ Ends

By now, you probably know the show hides a lot of neat Easter eggs in every episode, and many are puzzles that are part of a larger ARG. I mentioned some of these hidden things above, but there are more to find. I will share a few in a moment, but in this article I want to show how cool and complex some of these puzzles can be, by focusing on just one of the things the ARGsociety found after this episode, a neat clue on the Red Wheelbarrow BBQ site. Here’s the gist.

In earlier episodes, a link pointed to a fake Red Wheelbarrow BBQ site that you can visit. This site has many puzzle pieces and things you can solve, but it has also had interesting updates after certain episodes.
In seemingly unrelated news, the nightly build of the real Firefox web browser got a new extension mysteriously added to it called Looking Glass. This extension freaked some people out since it changed the way some web pages looked, and they posted about it on Reddit.
Turns out this Looking Glass extension was made for Mr. Robot. It parses any web page for a list of Mr. Robot related words, and then adds some animation effects and extra stuff to those words. At a surface level, it’s just a fun Easter egg.
By the way, if you have Firefox and want this extension, you can manually download it here. Then go to “about:config” in Firefox and search for “Looking.” You will find the extension, and must enable “true” for its Boolean setting.
HOWEVER, the surface changes from this extension are just part of the story, this extension also adds a header called “X_1057” to your browser’s response when visiting three particular sites, including the Red Wheelbarrow one. This header triggers very different responses from certain ARG websites.
Specifically, if you go to one of the kids’ activity pages on that site with and without this extension enabled, you get a very different version of the kids’ activity page. In fact, the geniuses from ARGsociety actually found three different versions of the page.
This led to finding a binary puzzle, which eventually led to a new password. If you don’t mind spoilers, this image (created by an ARGsociety member) shows the three images and how they come together to solve the puzzle.
BTW, the password to this puzzle is also an Easter egg of sorts, since it references pop culture as well.

I wanted to highlight this just to show how deep the ARG rabbit hole goes. To solve this puzzle, not only would you have to have found the web links buried in the show, but you would have to visit a certain page with and without a special browser extension, and then solve some technical and cryptographic puzzles. While I suspect this level of interaction isn’t for all fans, this ARG puzzle is very much in the wheelhouse of hacker culture. It’s amazing the length the show runners have gone to in order to create this ARG.

Besides that big Easter egg, here’s a few more odds ’n’ ends.

You see some email addresses in some screenshots. Try emailing them, you might be surprised.

Figure 13: Interacting with email addresses may return results.

There were other sites you could find from this episode.
Whoismrrobot.com has an update, but do you know the password? If not, join ARGsociety.
Lots of rewind references in the show, including a superman scene.
Does Darlene have an alter!?!

Learning from Mr. Robot: Remember Insider Attacks

Sadly, it’s time to say bonsoir to Mr. Robot and the Rewind series until next season. However, before we conclude, what can we learn from this episode’s accurate technical hacks?

I’ll keep it simple by just focusing on one of the non-technical threats of the show –malicious insiders. In this episode, we see a lot of “moles.” Irving murdered Santiago—the OG mole—but coerced Dom to become a new one. According to most of the latest research, more cyber breaches today are caused by external attackers. However, we also sometimes have to worry about malicious insiders that have the valid credentials they can use to steal our data. There is no easy way to find and stop malicious insiders, since you have already entrusted them with your data. However, one basic tip is to implement data loss protection solutions. These solutions can at least show you when your data moves, and some behavior analytics solutions could also highlight when a trusted user suddenly does something very suspicious.

That completes this season of Mr. Robot Rewind. I hope to see you next year once the show returns. Who knows what crazy hacks and insane schemes we’ll see then. As always, I look forward to you sharing your thoughts and comments below.