If you’re anything like us, you’ve started looking at the world differently since the premiere of USA Network’s satisfying and terrifying series Mr. Robot. The runaway hit from creator Sam Esmail took a world exhausted by its own inequalities by storm with its anarchic dissatisfaction with the state of America today. But it also received raves for its attention to detail in portraying hacking on screen. So just how plausible is the hack that took down E-Corp?
- The Cafe Wi-Fi Hack
The first time we meet Elliot, we see how his moral compass shows through in his approach to security — and hacking. Much like Dexter, who only murdered society’s low-lifes, Elliot’s hacker motivation is to go after thieves, liars, and, in this case, pedophiles.
He has de-anonymized traffic passing through the Tor network, using the cafe’s surprisingly fast Wi-Fi, and discovered the cafe owner’s child-abuse site and stash of pictures on the dark web. “The one in control of your exit nodes is the one in control of your traffic…which is me,” Elliot tells the dumbstruck coffee shop owner. As he gets up from the table, police stream in to arrest the owner after receiving an “anonymous tip.”
Reality: The lingo is spot on and establishes both the show and Elliot as credible, but the hack itself is only half right. Whoever runs a Tor exit node can read any unencrypted traffic leaving the network through it, which is exactly what Elliot’s line describes; what an exit node cannot do is tell you who sent that traffic, and a site hosted as a Tor hidden service never passes through an exit node at all. The way the cops instantly pop into the picture is far less realistic, too: an anonymous tip does not prompt a police raid within minutes.
- The DDoS Attack
Later in the first episode we witness a major Distributed Denial of Service (DDoS) attack aimed at AllSafe, Elliot’s employer, designed as cover for a bigger hack. F-Society, the fictitious hacking collective, had installed a rootkit in the system that would be used to steal data from AllSafe’s client, E-Corp. Elliot, realizing that the hackers are targeting him and asking for his help, stops the attack from spreading to other E-Corp servers but leaves the rootkit in place rather than removing it, allowing F-Society to maintain their presence in AllSafe’s systems.
Reality: This attack is well done in terms of realism, and Elliot even refers to a real DDoS mitigation provider, Prolexic (now part of Akamai), to cement the attack’s real-life roots. A DDoS attack can do damage on its own, but one used as a smokescreen is a much bigger threat: while every responder is busy keeping the site up, the quieter intrusion behind it goes unnoticed.
- The HVAC Hack
Yet another example of the show mirroring reality is how F-Society uses an air-conditioning system to get into the “most impenetrable” data center in the fifth episode, overheating the building in order to ruin the backup systems. HVAC also figured in the real Target breach of 2013, the biggest hack of that year: the attackers got into Target’s network using credentials stolen from the retailer’s HVAC contractor, then moved on to plant the POS malware.
Reality: This hack is possibly the least believable, if only because somebody would notice the temperature rising and at least take a look at the HVAC system. At a facility as secure as the fictional Steel Mountain data center, every system, HVAC included, would be actively monitored, and an out-of-range temperature would trip an alarm long before it damaged anything.
The Raspberry Pi part of the hack is the most believable. As the show’s technical advisor told Forbes, the device would connect to the building’s HVAC system over Ethernet and phone home over its own cellular connection, giving the team remote access. Just how real? Using a Raspberry Pi to control systems remotely is a well-documented hobbyist project.
- The USB + Bluetooth Hacks
In the sixth episode, Elliot is blackmailed by a drug dealer he had put in prison through an anonymous tip, and must free him to save his neighbor and love interest. Elliot tries to infiltrate the police department and alter the prison records by scattering USB sticks around the department’s parking lot. His goal: get a police officer to plug in a malicious USB stick and give Elliot access to the department’s network. However, the malware on the stick isn’t hidden well enough to evade the department’s antivirus.
Elliot moves on to Plan B, narrowing the target to a single patrol car instead of the station’s network. By spoofing the Bluetooth keyboard paired with the cruiser’s laptop, he takes over that computer and uses it to upload malware to the prison’s database and complete his goal.
Reality: Hackers trying to get into hard-to-hack organizations have long dropped USB sticks in the parking lot of the business they’re targeting, counting on curiosity. It’s also long-standing security advice never to plug in a USB device you don’t own, precisely because of situations like the one in Mr. Robot; note that a malicious device can also pose as a keyboard and type commands, which no file scanner will catch. Bluetooth hacking is another plot point taken from real life: there are real tools that scan for Bluetooth devices and pull information from them, some without ever pairing.
- Social Engineering
Throughout the first season, social engineering plays a starring role. One of the most memorable scenes is the one where Elliot gets a tour of the Steel Mountain facility after giving reception a fake name and building a Wikipedia page around it. Bill, the man tasked with giving tours, first brushes Elliot off because he has no appointment, but after looking up the fake Wikipedia page agrees to show him around. Elliot then verbally shreds Bill, exploiting his insecurities to get him out of the way. After Bill is replaced with a supervisor, the team fakes a dramatic, mysterious text message that makes the supervisor run out.
Reality: Social engineering is a huge part of the hacker’s toolbox, and can yield the information or access needed for a bigger attack. Even the tools F-Society uses against Steel Mountain’s employees are real. The SMS sent to the supervisor is spoofed with the Social-Engineer Toolkit (SET), and the team works from Kali Linux, the penetration-testing Linux distribution that bundles SET and hundreds of other tools pen testers use routinely to test security.
What can you do to avoid getting hacked?
- Be suspicious of emails
A great many cyberattacks start with a simple malicious email campaign. Email is a wonderful communication platform because anyone can send anything to anyone, but that is exactly what makes it a security risk. Phishing, for example, sends victims seemingly innocuous emails that lead to fake websites asking them to “update” their personal information.
The best defense against phony emails is to make sure the sender is who you think it is. The display name is trivially forged, so look at the actual address and check that its domain matches the organization’s real website. To be extra cautious, you can check the IP address the message came from.
You can do this by viewing the message source and looking at the “Received: from” lines. They are read bottom-up: each server that handled the message adds a new one at the top. Only the lines added by your own provider’s servers can be trusted; anything below them was written by the sender and may be forged, so the IP that matters is the one your provider’s first server recorded as connecting to it. You can then look up that IP to learn where the message really came from.
- Check link locations
Unknown messages contain links to unknown sites. Surfing to a mysterious website can have unintended consequences: it may mimic a site you know and trust so that you fall for a phishing scam, or it may be insecure or serve malware.
If you are tempted to click one of these links, you had better know exactly where it’s taking you. Hover over it (or long-press on a phone) to see the real destination before you visit, and read the domain carefully: the text of a link can say one thing while the address underneath points somewhere else entirely. If it’s a shortened link, tools like URL X-ray will expand it and show the real destination before you click.
Also, prefer encrypted sites: you know the connection is encrypted when you see HTTPS in the URL and the lock icon in your browser. Keep in mind that the lock only means traffic between you and that domain is protected from eavesdropping; phishing sites use HTTPS too, so it says nothing about whether the site itself is trustworthy.
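As an added example (not code from the original article), the Python below performs the two checks just described on a constructed phishing-style message: it walks the “Received:” chain to find the IP that handed the message to the recipient’s own mail servers (the hypothetical inbox.example.net and mx.example.net), and compares the domain each link shows in its text with the domain its href actually points to. The message, hosts and addresses are all constructed for the example, and the two-label “registrable domain” rule is a simplification of a real public-suffix lookup.

```python
"""Two offline checks on a suspicious email: where it really came from
(the Received: chain) and where its links really go (href vs. visible
text). RAW_MESSAGE is a constructed sample, not a real message."""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The top two Received: lines were added by the
# recipient's own (hypothetical) servers; the bottom one arrived with the
# message and claims a private address the sender could simply have made up.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTP id 1; Mon, 1 Jun 2015 10:00:02 +0000
Received: from smtp-out.bigbank.example (unknown [198.51.100.77])
\tby mx.example.net with ESMTP id 2; Mon, 1 Jun 2015 10:00:01 +0000
Received: from [10.0.0.5] (helo=bigbank.example)
\tby smtp-out.bigbank.example; Mon, 1 Jun 2015 09:59:59 +0000
From: "Big Bank Security" <alerts@bigbank.example>
To: victim@example.net
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://bigbank.example.verify-login.test/update">
bigbank.example/update</a> your details.</p>
<p>Or read <a href="https://bigbank.example/help">bigbank.example/help</a>.</p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")            # "[a.b.c.d]" in a hop
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)   # server that wrote the line

def received_chain(raw):
    """Received: hops top-down (newest first): connecting IP and the server that logged it."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in msg.get_all("Received", []):
        header = re.sub(r"\r?\n[ \t]+", " ", header)   # unfold continuation lines
        ip, by = IP_RE.search(header), BY_RE.search(header)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1).lower() if by else None})
    return hops

def handoff_ip(raw, trusted_hosts):
    """IP that delivered the message to the last server you trust, reading from
    the top. Hops below that were written by the sender and prove nothing."""
    trusted = {h.lower() for h in trusted_hosts}
    last_trusted = None
    for hop in received_chain(raw):
        if hop["by"] not in trusted:
            break
        last_trusted = hop
    return last_trusted["from_ip"] if last_trusted else None

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text):
    """Hostname of a URL, or of link text written like 'bank.example/path'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "//" + s
    return (urlparse(s).hostname or "").lower()

def registrable_domain(host):
    # Last two labels only: a rough stand-in for a public-suffix lookup.
    return ".".join(host.rstrip(".").split(".")[-2:])

def suspicious_links(raw):
    """hrefs whose real domain differs from the domain shown in the link text."""
    msg = email.message_from_bytes(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    return [href for href, text in collector.links
            if host_of(text) and registrable_domain(host_of(href)) != registrable_domain(host_of(text))]

if __name__ == "__main__":
    print("bottom-most Received (naive reading):", received_chain(RAW_MESSAGE)[-1]["from_ip"])
    print("IP that handed the mail to our servers:",
          handoff_ip(RAW_MESSAGE, ["inbox.example.net", "mx.example.net"]))
    print("links whose target does not match their text:", suspicious_links(RAW_MESSAGE))
```

Run as a script, it shows why the bottom-most line is the wrong one to trust: the naive reading yields the forged private address 10.0.0.5, while the hop recorded by mx.example.net gives the address the sender actually connected from, 198.51.100.77. The link check flags the first link, whose visible text says bigbank.example but whose href lands on verify-login.test, and leaves the honest second link alone.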
- Never open attachments (unless you’re really sure)
A good rule to follow is never to open an attachment unless you are absolutely sure where it came from. One of the easiest ways for hackers to get malicious code onto a victim’s computer is to email a booby-trapped file.
A frequent way enterprises get hacked is one unsuspecting employee opening a malicious file that goes on to compromise the whole network. The most dangerous file types are Office documents (especially ones that ask you to enable macros), PDFs, and executables.
- Use two-factor authentication
As bigger companies get hacked, the likelihood that your password is leaked increases. Once hackers obtain passwords, they try to figure out which personal accounts they can access with the data they stole.
Two-factor authentication, which requires users not only to enter a password but also to confirm the login with a second item such as a code sent to a phone, is a good way to stop attackers who have stolen passwords. An authenticator app or hardware security key is stronger than a code sent by SMS, which can be intercepted by hijacking your phone number. More companies are making it standard for logging in.
Slack, for example, instituted two-step authentication once it owned up to a recent data breach. This meant that if hackers did steal Slack user data, the hackers would still most likely not be able to get into a user’s account unless they had another personal item that belonged to the user, like his or her phone. If two-factor authentication is an option for your accounts, it’s wise to choose it.
- Use advanced passwords
This may be the most obvious yet most overlooked tip. A strong password is long and unpredictable: a random mix of uppercase, lowercase, numbers, and punctuation, or a long passphrase of unrelated words. Don’t base it on anything personal, and don’t keep a list of passwords in a plain text file.
Most importantly, don’t use the same password for multiple accounts.
Tools like LastPass and 1Password securely store passwords, so you can use a unique random one for every site without memorizing them. It’s also crucial to change a password promptly when a service you use reports a breach, and to guard the accounts everything else depends on, like email and banking, most carefully.
- Be wary of the cloud
Here’s a good rule of thumb – if you don’t want people to access your information, don’t share it. This includes cloud storage. No matter how secure a platform says it is, you ought to keep in mind that you’re giving it to someone else to watch over. While it’s in the company’s best interests to keep it secure, many privacy experts maintain that anything you put online stands the chance of being published online.
Does this mean you shouldn’t store anything in the cloud? Not necessarily; it’s just sensible to stay aware of where your files are going and to know your cloud storage provider’s practices.
Additionally, be sure that files you delete on your computer or smartphone are also deleted from any cloud backups; many providers keep deleted files in a trash folder or version history for some time.
- On public Wi-Fi? Don’t share personal data
Thinking about buying that plane ticket or checking your bank account while sitting at the coffee shop? You may want to think twice about that, as you have no idea how secure that connection is.
The same goes for places like hotels and conference centers. Security researchers recently uncovered a vulnerability that exposed Wi-Fi traffic at some of the world’s biggest hotels to attack. There is no way for an individual to tell whether this is happening, so be judicious about where you surf.
If you must access private information on these networks, use a virtual private network (VPN), which encrypts your traffic so the Wi-Fi operator can’t see where you’re surfing. HTTPS already protects the content of each connection, but a VPN also hides the destinations, at the cost of trusting the VPN provider instead of the hotspot. Or, better yet, set up a hotspot using your mobile data.