“Hello, again, friend. It all went quiet for a while and the depictions of hacking and cyber on TV seemed to become trite and clichéd again. We stopped seeing him, Mr. Robot, but now he’s back again. Did you see him, too?”
This blog may contain spoilers and was written following ‘eps3.2_legacy.so,’ which seems a good enough point into the new season for an objective but early take on what it offers from a security perspective. Following the initial fawning accolades and Emmy Awards bestowed upon the first season, the show has seen a degree of nay-saying backlash from certain critics, combined with talk of declining broadcast ratings (a debatable metric of success in itself these days, particularly for a programme whose worldwide audience chooses to stream it when they wish). But it’s the real-world security themes, authentic hacks, and meticulously detailed visual references that make it of interest here on the State of Security. (Not to mention the easter eggs, puzzles and hidden clues, often leading to ingenious online extras, that the show’s creators go the extra mile to plant. If you want to explore matters in that level of detail, I suggest the excellent GeekWire reviews or the show's subreddit.) For now, though, let’s take a more succinct and high-level look at some of the security highlights of the season at this early stage.
In the opening ‘Eps3.0_Power-Saver-Mode.H’ episode, main protagonist Elliot is taken to a CTF (Capture the Flag) contest by his equally formidable (as both hacker and central character) sister Darlene. Possibly the first time such an event has been shown on fictional TV, this underground CTF is apparently the last place that has power and internet access during the ongoing city blackout. To gain coveted access to a terminal at the event, we see Elliot assisting some contestants who, “if they don’t make it in the top three, they’re not going to Vegas” (a DEF CON reference).
This particular contest takes place in a raucous, cheering, rave-like atmosphere complete with visuals and blaring dubstep (or EDM, depending on which side of the pond you reside), all of which has Elliot invoking his own headspace ‘mute’ button at one point to temporarily block out the noise and bravado. He is not the only one. The way the event was portrayed has met with a certain degree of derisory online animadversion from some real-world CTF participants, especially when we see Elliot go on to master and win the contest with almost psychic abilities having taken part for only minutes, whilst proceeding to carry out his real intention: to hack a DNS registrar and then gain access to, and successfully shut, the backdoor previously planted within ECorp as part of the ominous ‘Stage 2’ operation. This is all whilst being aware that he and Darlene are being stalked by deadly ‘Dark Army’ goons. No pressure, and easy when you know how!
Such ‘coding superhero’ scenes are rare on the show, however, and have to be put in the context that television, film and visual media generally have a hard time engaging an audience with scenes of people sitting at screens typing commands or running scripts. Whilst Mr. Robot is possibly the only show on TV where a core of its audience actually goes to great lengths to pause, rewind and analyse in detail every command typed or every script run for its validity, the show still has to be granted some artistic licence to pull in and retain attention from the less technical. After all, one of the reasons that the WannaCrypt/WannaCry malware became so newsworthy in the mainstream UK media earlier this year was that, in addition to the shocking human-cost story itself, live scenes of journalists on location outside hospitals talking about cyberattacks made for a far bigger visual impact on the public consciousness than footage of code and screens.
Social engineering techniques continue to feature in the series and emphasize how effective and damaging to an organisation or individual they can be, so much so that perhaps clips of Mr. Robot should be used to liven up staff security awareness programs. In the second episode, ‘eps3.1_undo.gz,’ we see Elliot busy in his new ECorp employee role, effortlessly compromising the email accounts of a succession of inept and corrupt middle managers, whether via the Social-Engineer Toolkit (SET) credential harvester to create fake login pages, or the simple guessing of weak password choices from an individual’s music taste. It all works, and it all underscores the need to strengthen authentication wherever and however you can.
A lethal combination of social engineering, existing systems access, and scary levels of ‘IoT’ control make for a whole new inventive level of hack in the ‘Eps3.0_Power-Saver-Mode.H’ episode. Here we see an apparent FBI vehicle in pursuit of Elliot, Darlene and an intriguing new Dark Army character called Irving (whose ‘Grand Opening’ scene is as hilarious as it is disturbed). After obtaining the VIN (Vehicle Identification Number) via a police database to which Irving somehow has access, he calls the real-world OnStar service to disable the vehicle's engine under the pretense of law enforcement. As the fictional OnStar service flashes the vehicle's lights to verify it is the correct one before stopping it dead in its tracks, even Elliot and Darlene exchange daunted glances. Far-fetched perhaps, but feasible, and ever more so as we accelerate ourselves toward a world of ‘smart’, connected and driverless vehicles.
One of the most intriguing hacks so far this season has been the ‘backdooring’ of Elliot himself by Darlene, who we now know has reluctantly turned FBI informer.
He glimpses her doing something behind his PC, which arouses enough suspicion for him to later boot out of the Linux Mint OS he is running into a clean USB copy of his trusty Kali OS. Following this, he runs rkhunter to look for indications of rootkits, which he doesn’t actually find. But then we switch to an FBI agent monitoring continual screengrabs from his session, suggesting that the hack was actually at some firmware or hardware level. Although not explicitly clear at this stage, there are clues and direct references that point to the ‘Monitor Darkly’ POC. In a further final ‘hacking you, hacking me’ twist, Elliot sends an encrypted email during the monitored session, apparently to the FBI's most wanted Tyrell Wellick. The message contains a link, which the FBI follows and downloads, before realising that “This email isn’t for Tyrell, it’s for us!”
I’ve previously blogged about Mr. Robot, questioning whether the intelligent prowess and outsider appeal of its central anti-hero characters could actually entice impressionable cyber talent toward the dark side. That blog was based upon the first season, however, which concluded with an apparent victory for the FSociety hacktivists. As soon became clear from the manifestation of physical violence and the claustrophobic sense of paranoia encapsulating its characters, the show certainly doesn’t shy away from the notion of consequence, particularly of the more unexpected and less obvious variety. Somewhat inevitably, albeit belatedly, the show did actually spawn some less formidable examples of hacking life imitating art. Although in many ways Petya/NotPetya actually had far more in common with the FSociety Python script used for ‘Stage 1’ than some of the less-than-subtle FSociety-branded malware examples, certainly in terms of being purely destructive malware cloaked as ransomware with no hope or intent of decryption, it should be stated that it had no direct reference or connection to the show whatsoever. As in the real world, the harbouring and purposing of software vulnerabilities for the creation of malicious programs, for whatever reason and however well-orchestrated and executed, invariably yields unintended repercussions once released into the wild – sometimes right back on the perpetrators themselves in ways they did not intend or could not have anticipated.
One of the most powerful scenes in the ‘Eps3.0_Power-Saver-Mode.H’ episode is where Elliot launches into one of his more eloquent diatribes (paraphrased a little here):
“Did my revolution just bury our minds instead of freeing them? Encrypting Evil Corp’s data was meant to empower us, but instead it left us powerless, scaring us into even more submission. Five/Nine didn’t get rid of the invisible hand. It turned it into a fist – and, like a botnet, the fear I created is spreading so fast, it’s practically airborne.”
So, he sets about hitting a real-life ‘Undo’ command and fixing it all, which of course seems far too simplistic for this show and will invariably end in something far more complex and twisted. Indeed, ‘eps3.2_legacy.so’ revisits and fills in detail we did not see previously about the 5/9 hack itself, suggesting that not only was it really a victory for the Dark Army rather than FSociety, but that they were always the true orchestrators and manipulators. “I need you to put Fsociety's origin on Iranian soil,” instructs Whiterose, the Dark Army’s strange and sinister leader.
This raises one final pertinent security point here regarding attribution – or the lack of it – when it comes to cyberattacks. Many from the U.S. security community have already raised concerns about the Active Cyber Defense Certainty (ACDC) bill. If passed, this would effectively give permission to companies and individuals to ‘hack back’ – an approach we could perhaps debate the merit of in a scenario where attribution was a ‘certainty.’ One problem is that with cyberattacks, provenance is rarely absolutely certain, and the apparent origin of an attack can simply be purposeful misdirection used to cover tracks, often pointing to the systems of an unwitting victim of another attack.
But what other TV show would even get us raising such questions? Whilst sometimes uncomfortable and disturbing viewing, and expressing some views far from my own, it’s certainly no ‘one trick pony’ either, as it continues to explore less-than-conventional TV themes aside from hacking. These include geopolitical conspiracies, clinical depression, alternate realities, social anxiety disorder, media manipulation, and cryptocurrency monopoly. Make up your own minds, but Sam Esmail’s Mr. Robot is, for my money, still the sharpest, most mind-bendingly offbeat, darkly humorous, and cyber-savvy TV by a country mile. Welcome back, indeed.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional). He is currently the IT security lead for King’s Service Centre, supporting the services of King's College London, one of the world's top 20 universities.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.