‘Mr. Robot’ Surprisingly Keeps True To Real-Life Hacking Culture
By Andy Manoske
Producer’s note: Someone on Quora asked: Mr. Robot (TV series): Is Mr. Robot a good representation of real-life hacking and hacking culture? Is the depiction of hacker societies realistic? Here is one of the best answers that’s been pulled from the thread.
I’m a huge fan of Mr. Robot, and as a security professional working in threat intelligence / security research I’m floored by how much work has gone into making this show pretty realistic – even so far as mentioning malware that my team has done research on IRL.
The Limitations of TOR
The privileged nature of being a TOR exit node has made privacy exports who use TOR wary and generally avoid establishing circuits through nodes like this one that are suspiciously close to organizations like NSA
The vulnerability that Elliot describes exploiting to de-anonymize his target is real, though not so much the result of a flaw in Tor as a limitation of the protocol.
Elliot says he controlled a sufficient number of Tor exit nodes to correlate the traffic back to his target, noting that “once you had enough exit nodes you could control the traffic.”
Control is a harsh word. As anon well explained, exit nodes are basically the shephards between the Tor network and websites and servers outside on the “regular” web. If that traffic was encrypted, as anon rightfully notes, Elliot’s role as master of N-number of exit nodes doesn’t really matter because he can’t see what Ron is sending unless he breaks that encryption.
Vulnerabilities like Heartbleed and the most recent Man in the Middle attack on OpenSSL show that it’s more than possible to break HTTPs encryption and get at user’s data – even if it’s expensive or extremely hard to do
That, as we have seen with OpenSSL’s recent patch, isn’t impossible to do but does require the exploitation of exotic or even 0-day vulnerabilities to pull off properly. Elliot is presumably one of the top 1% of security researchers in the world, so he could have access to this data and make use of it. But still, this is pretty hard to do.
To add to some critique of the realism of this hack, Elliot maintaining command over a sufficient number of exit nodes to de-anonymize someone is a little ridiculous given he’s one man. The only people with the technological resources (as well as the statistical acumen and computing power) to pull off statistical de-anonymization attacks to properly “guess” traffic attribution of traffic are folks like the NSA, and even then it’s not an easy thing to do given how many exit nodes there are out there.
The DDoS Attack on Evil Corp
This isn’t so much technology as culture/people, but the reaction of EvilCorp and their retained MSSP to F-Society’s brutal DDoS is pretty accurate in terms of what major corporations do when they’re hit with similar types of attacks.
First, in the episode Elliot’s boss Gideon says that they should call up their CDN and try to cut traffic at the provider level. This is pretty common as a response, and there are a host of companies like Cloudflare (who I think was also mentioned in this series) exist to deal with this kind of problem.
That doesn’t seem to work though, which is fairly realistic as many modern methods of DDoS are more about exploiting imbalances in the data sent/received in protocols than just ramming hundreds of slaved machines’ traffic down your throat. A protocol-based DDoS like that could be something outside of the scope of the CDN’s control and necessitate manual intervention on the behalf of security staff.
Right before they sprint off to the data center in a private jet – which is so unnecessary given that as their MSSP they already have remote access to Evil Corp’s infrastructure but whatever – Gideon mentions that they should call up Prolexic.
Prolexic is a real DDoS mitigation company, and just like Sony dialing up Mandiant after the North Korean attacks this is a frequent step done to get subject matter experts on that style of attack into the room to help with the post mortem of the attack.
The Portrayal of Remote Access Trojans (Evil Corp’s attack, hacking Michael’s computer)
RAT (or Remote Access Trojans) have been employed in several episodes of the show, and were used both by F-Society to hit ECorp in the pilot as well as to break into Ollie’s computer and monitor him and Allison.
In real life, RATs are some of the most common types of malware employed by hackers of all skill levels and means. The attack that hit Ollie and Allison was a little ridiculous as an installation vector (waiting outside their house and getting them to run a CD to listen to your music), but it’s a pretty old school way of getting users to install a RAT – having users execute files accidentally or that they believe are legitimate files or executables.
In terms of application, the RAT that the mercenary hacker uses to control Michael’s computer bares a lot of resemblance to a RAT called DarkComet.
DarkComet is a controversial remote administration software that can have legitimate purposes, but is frequently used by hackers because of its ability to clandestinely install itself and control/monitor all aspects of a computer. The webcam scene where the mercenary watches Allison shower is unfortunately well precedented in security, and there are scores of groups across the Dark Web that traffic stolen voyeuristic webcam video.
The RAT installed by FSociety was less flashy and was used to exfiltrate data anonymously as well as control Evil Corp’s IT infrastructure. This is a frequent technique, seen in most of the major data breaches including the recent attacks on Anthem and OPM, and the software they describe bares a resemblance to software such as the infamous Sakula family of malware.
Tyrrell Hacking an Android Phone
In the third episode Tyrell hacks an Android phone in order to….well we’re not really sure what he’s doing, Tyrell is kind of crazy.
How he does it makes a lot of sense though. Mr. Robot takes a very in depth approach to showing him running a boot loader off of a chip he inserts into the phone. He then runs an application, which installs malware onto the phone that allows him to presumably monitor his target’s activity.
The application that Tyrell uses, Flexispy, is a real smartphone monitoring tool. Again, pretty realistic shout out.