'Mr. Robot' Rewind: Hunting for flaws in an intense Episode 6

Rami Malek plays Elliot in Mr. Robot. Photo via USA Network.

BY COREY NACHREINER

[Spoiler Alert: If you haven’t seen the latest episode of Mr. Robot yet, you may want to come back to read this later. While this column focuses on the technical aspects of the show, it may reveal some surprises from the episode. Consider yourself warned!]

If you’ve been watching the captivating USA Network series, Mr. Robot, and wondering how accurate the hacking aspects are, you’ve come to the right place. If you missed the first two articles in this series, check them out. Otherwise, let’s jump in.

This week’s plot was extremely intense, with powerful scenes involving Evil Corp executives vying for the CTO position, Elliot and his captors, and a tragic reveal. Yet, despite all this narrative drama, there was a lot of hacking.

As I predicted in the comments section of my last article, Vera (the incarcerated drug dealer) had his lackeys kidnap Shayla in order to extort Elliot into hacking him out of prison.

Digital prison breaks & ICS hacks

At a very high level, this premise of a digital prison break is totally legitimate. Researchers have already demonstrated that attackers can hijack the control (SCADA) software and programmable logic controllers (PLC) used by industrial control systems (ICS).

One of the most genuine aspects of this episode is how Elliot characterizes the prison attack as requiring research and time. Although they are considered specialized systems, many ICS components are just embedded computers running software. Thus, they suffer from the same types of vulnerabilities that any other computer has. In fact, many SCADA and ICS products have been found to be less secure than modern business products, simply because they have relied on “security by obscurity” for so long. However, the proprietary nature of these systems makes them slightly harder to hack.

Dropping USB keys as a lure

Throughout the episode, Elliot uses different hacking techniques to establish a foothold within the prison systems.

He starts by recruiting Darlene to pull off a simple, but classic penetration testing (pen-test) technique—planting poisoned USB sticks in hopes that someone will plug one in. I can’t remember where this technique first started, but it’s probably been around since USB storage and “AutoRun” features first showed up.

Photo via USA Network

If an attacker can get a victim to plug in a nefarious USB device, there are many ways it can be leveraged to automatically run malicious code. For instance, USB attacks originally started by exploiting Windows’ AutoRun and AutoPlay features, which specifically allowed this automatic execution behavior. As soon as we disabled AutoRun, more sophisticated attackers found operating system vulnerabilities (like the infamous Stuxnet .LNK flaw), which might also allow USB storage systems to automatically execute code. Most recently, with discoveries like BadUSB, attackers can now make a USB storage device emulate any other USB device, such as a keyboard. In this case, as soon as you plug one in, it can launch an attack that “types” a malicious script and executes code so fast that it’s virtually undetectable. In fact, a popular “white hat” store sells something called a USB Rubber Ducky to do just that.

The only problematic aspect of this scene was the number of USB keys Darlene drops in one small area. While hackers would typically need to plant several USB keys to increase the odds of one being used, I think seeing so many USB devices in one place would make even the least tech-savvy person a bit suspicious.
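The keyboard-emulation attack described above types far faster than a person can, and that speed is something a defender can measure. The following is an added example, not code from the article: it scans per-device keystroke timestamps and flags any keyboard that produces a long run of machine-speed keys. The event format, device names, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds, not vendor values: tune them against your own users.
MAX_GAP_MS = 20      # inter-key gaps shorter than this count as machine speed
MIN_RUN_KEYS = 12    # consecutive machine-speed keys needed to raise an alert

INJECTED_TEXT = "constructed injected text for testing"


def build_sample_events():
    """Constructed (device_id, timestamp_ms, key) events; not real capture data."""
    events, t = [], 1000
    for i, key in enumerate("status report"):
        t += 110 + (i * 37) % 140           # 110-249 ms gaps: a person typing
        events.append(("usb-1:kbd", t, key))
    events.append(("usb-1:kbd", t + 8, "s"))  # key rollover: one fast pair is normal
    t = 5000
    for key in INJECTED_TEXT:               # a device "typing" every 2 ms
        t += 2
        events.append(("usb-3:kbd", t, key))
    return sorted(events, key=lambda e: e[1])


def find_injection_bursts(events, max_gap_ms=MAX_GAP_MS, min_run=MIN_RUN_KEYS):
    """Return {device_id: longest machine-speed run} for devices worth an alert."""
    last_seen, run, longest = {}, defaultdict(int), defaultdict(int)
    for device, ts, _key in events:
        prev = last_seen.get(device)
        if prev is not None and ts - prev < max_gap_ms:
            run[device] += 1                # still inside a fast burst
        else:
            run[device] = 1                 # this key starts a new run
        longest[device] = max(longest[device], run[device])
        last_seen[device] = ts
    return {dev: n for dev, n in longest.items() if n >= min_run}


if __name__ == "__main__":
    for dev, n in find_injection_bursts(build_sample_events()).items():
        print(f"ALERT {dev}: {n} keystrokes in a row under {MAX_GAP_MS} ms apart")
```

Requiring a run of fast keys, rather than a single fast pair, keeps ordinary key rollover from raising alerts. Treat the result as one signal alongside USB device allow-listing rather than a complete control.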

Off-the-shelf malware fail

Getting a victim to plug in a booby-trapped USB key is really just the first step. To succeed with this hack, the attack also has to successfully leverage one of the aforementioned techniques to install a backdoor or Trojan. In this episode, we see antivirus (AV) block the malware Darlene planted on the USB, which means Elliot couldn’t remotely connect to the backdoor.

Photo via USA Network

This is pretty true to life. Hackers aren’t superhuman, and not all attacks succeed. If hackers use off-the-shelf malware, basic security controls will catch it. Elliot even derides Darlene for her “script kiddie” technique.

There were other flaws in this scene.

First, almost all backdoors nowadays create a reverse shell connection from their victims, making an inside-out connection back to the attacker, rather than opening a port and hoping the attacker can connect to it. In Elliot’s terminal screen, we see him trying to make an outgoing SSH connection to his victim. Any hacker today would use reverse connection payloads instead, since a basic firewall wouldn’t allow a direct connection.

Photo via USA Network

Second, Darlene complains that she used “off the shelf” malware since she only had an hour and couldn’t create a custom payload. I can buy that, but there are many quick, cheap and easy ways attackers can get their malware past traditional AV filters. Today, attackers sell underground tools that “repack and crypt” malware, basically jumbling it up on a digital level, so that it can evade signature-based detection techniques. A malware coder like Darlene would probably have had access to those tools.

That said, it was a breath of fresh air to see an attack fail on a TV show. After all, hacks fail in the real world.

WPA2 cracking takes time

After the USB key method doesn’t pan out, Elliot tries another vector. This time he visits Vera in prison, for the sole purpose of getting his cell phone onto the premises. He runs a WiFi sniffer on his phone to learn about the prison’s wireless network. Unfortunately, the prison uses WPA2 encryption, which he correctly describes as “borderline unhackable.”

Photo via USA Network

This is all pretty accurate with one pedantic note. The truth is, on a relatively active WiFi network, attackers can sniff an encrypted handshake pretty quickly. However, the key would either be uncrackable, or, depending on the strength of the password, could take a very, very long time to crack.
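Why password strength decides the outcome, as an added example that is not from the article: WPA2-PSK derives its master key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times, so each guess is slow and the time to try every passphrase grows with length and alphabet. The function names, the passphrase shapes and the guess rate of one million per second are assumptions for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_RATE = 1_000_000   # guesses per second; an assumption for illustration


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def local_rate(samples: int = 20) -> float:
    """Measure how many candidate passphrases this machine can test per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:04d}", "ExampleSSID")
    return samples / (time.perf_counter() - start)


def years_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case years to try every passphrase of this shape at `rate` guesses/s."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


# Constructed passphrase shapes: (label, alphabet size, length).
SHAPES = [("8 digits", 10, 8), ("8 lowercase letters", 26, 8),
          ("12 letters and digits", 62, 12), ("20 printable ASCII", 95, 20)]


def report(rate: float = ASSUMED_RATE) -> dict:
    """Map each passphrase shape to the years needed to exhaust it at `rate`."""
    return {label: years_to_exhaust(a, n, rate) for label, a, n in SHAPES}


if __name__ == "__main__":
    print(f"this machine: about {local_rate():.0f} guesses/s on one core")
    for label, years in report().items():
        print(f"{label:24s} {years:.3g} years at {ASSUMED_RATE:,} guesses/s")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, so a unique SSID also helps alongside a long passphrase.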

A pretty big Bluetooth hacking mistake

At this point, the Trojan USB attack failed and the wireless network was too secure. As Elliot leaves the prison, he notices a police car pull up with a “discoverable” Bluetooth device. This leads us to the final Bluetooth hack, which though plausible, is actually the least technically accurate hack of the bunch.

Here’s how it went down: Elliot does a “Bluetooth hack” where he forces his laptop’s virtual keyboard on the police laptop via the wireless Bluetooth connection. Once he has control of the police laptop, he downloads his attack package via FTP. Elliot uses the laptop’s cellular connection to the prison network as a foothold to move his PLC attack tool onto the network and installs it on the proper PLC device.

All these concepts are somewhat “plausible.” Bluetooth hacking is a thing. You can use free sniffing tools (or special adapters) to identify discoverable Bluetooth devices. Once you discover these devices, there are ways to hack the PIN, and there are also Bluetooth man-in-the-middle attacks that allow you to intercept and manipulate Bluetooth communications. There are even specific Bluetooth keyboard attacks. However, the way Elliot’s attack forces a Bluetooth keyboard onto the police laptop is technically inaccurate. It all stems from this screenshot:

Photo via USA Network

Some of the stuff you see in this screenshot is legit. Using hcitool to scan and discover other Bluetooth devices, and send inquiries to them is accurate. However, the main inaccuracy is with the “bluesniff” tool we see being used. In the episode, it’s implied that Elliot uses this tool to “spoof” his virtual keyboard as the police laptop’s Bluetooth keyboard. But this is all wrong.

Although the “bluesniff” tool is real, it actually just discovers Bluetooth devices, which Elliot already did with hcitool. If you look closely at the commands used here, it’s apparent that Elliot is actually using a real tool called csr_sniffer. Csr_sniffer isn’t used to spoof keyboards; rather, it is used to “sniff” Bluetooth communications, with the hope that you can catch the pairing process, and later crack the PIN used to secure devices. Catching this pairing process is very unlikely, as it usually only happens once.

In short, the tools shown in the background during this Bluetooth hack would not allow Elliot to “force” his virtual keyboard to connect to the police car computer.

But, let’s assume Elliot could do this. The FTP portion of this attack is legit. Often, when attackers first pwn a PC, they’ll use FTP or TFTP to quickly download their favorite tools and scripts to load onto the victim and start lateral attacks. Seeing Elliot download his “PLCpackage.exe” makes sense.

However, at this point, the attack becomes very abstract. For this to really work, Elliot would have to use the cop’s laptop to get into the prison network. Even then, he’d need to jump through a range of PLC hoops. This sort of attack is plausible, but only with a ton of research, preparation and a number of lateral steps.

The show very quickly glosses over the complex steps it would take to actually find the right targets, and infect PLC gear. In short, the jump from the cop’s laptop to infecting a PLC device is much more complex than what this episode shows. IMHO it would take much more research and time than Elliot had.

Today’s APT threat actors

Although this episode delivers more technical missteps than the others, it does a great job of incorporating a new and modern threat actor we see today—the advanced persistent threat (APT) attacker. Once a target is locked in, hackers continue trying new tactics until something succeeds, and Elliot’s attack progression illustrates this perfectly.

TLDR?

There were many attacks in this episode, so we can learn a lot:

USB devices can be dangerous. Don’t plug in unattended, unidentified USB devices—ever.
Use security software like AV, or even better, advanced malware protection. It can save you.
Use WPA2 with a strong password. It’s hard to crack.
Secure your Bluetooth connections. NIST has a pretty in-depth guide that can help you.

That’s it for this week’s Rewind. While I still think Mr. Robot gets hacking right for the most part, it is not perfect. I believe most of the concepts are plausible, and when they do gloss over the technical details, it is to help drive the plot, not because they don’t know better. What do you think? Let me know in the comments section.

See you next week for another Mr. Robot Rewind.

http://www.geekwire.com/2015/mr-robot-rewind-hunting-for-flaws-in-an-intense-episode-6/