Mr. Robot Review: da3m0ns.mp4
This week’s episode was a little confusing for me – and I'm not only referring to the trippy dream Elliot has while going through his drug withdrawals.
It seems I wasn’t the only one who had questions about the hacks in this week’s episode; Forbes published an interview they did with Michael Bazzell, Mr. Robot’s technical consultant and cyber crime expert explaining the hack attack on E Corp that Elliot comes up with at the beginning of the show.
In the article, Michael Bazzell explains how Elliot plans on destroying E Corp’s data storage facility, using Raspberry Pi. Sounds like a very yummy method – too bad there's an “e” missing at the end of “pi”! Michael explains that Raspberry Pi is a very small computer that can be accessed via the Internet through its built-in cellular chip. Using this, Elliot wants to control the facility’s climate control system to overheat it, thus melting E Corp’s tape-based back up.
While Forbes focused on the more complex hacks that targeted large corporations like E Corp and Allsafe, I was intrigued by the two physical hacks in the show.
The first “IRL” hack is when two members of FSociety hack a minivan – keep in mind that FSociety does everything in their power to not leave a trail, so they need a stolen car to get to E Corp’s data facility center in order to prevent being caught.
The FSociety guys casually sit on a sidewalk and wait for someone to park and lock their car. Using what looked like an old radio to me but is more likely a transmitter, they were able to send a command to unlock the car - politely thanking “mom” for giving them the opportunity to steal her car. Once inside the car, they connect the car to their laptop using a cable and ran the code to get the car started.
I asked my colleague, senior malware analyst Jaromir Horejsi, what he thought of the hack:
All they needed was the cable and specialized control software for cars. This software can access data from sensors in the car and it can control the car’s behavior. With that, they just had to connect everything together and select their desired actions. – Jaromir Horejsi
This method of hacking a car seemed a little old school, given that there are now so many cars on the road that are keyless and start with a push of a button. Nick Bilton, technology writer and Disruptions columnist for The New York Times, recently had his car hacked and stolen and he wrote an interesting column about his experience.
Nick describes how he was standing in his kitchen and watched as two teenagers stole his Toyota Prius. Prii and many other modern cars are keyless and require the fob key to be within a certain range to start. Nick did more research into how it was so easy for the teens to steal his car right in front of his home and found that there are various gadgets on the market that can unlock BMWs, Toyotas and many other keyless cars. These gadgets are radio transmitters that either use brute force to cycle through car key fob codes or simply amplify the distance the car searches for a key fob, as was done in Nick’s case.
The solution Nick found to this problem? Putting his key fob into his freezer, which acts as a Faraday Cage that blocks external electric fields.
En route to E Corp’s data storage facility, Elliot vomits due to his withdrawal symptoms and the FSociety team has to make a stop for him to recuperate. They stop at a hotel and plug a small device into the room’s key card lock port. Within the blink of an eye they have entered the room and made themselves at home.
This made me ask myself: Can someone really enter a hotel room that easily? (I also thought it was rather convenient that they just happen to have this device with them, but I won’t get into that here ;)).
I did some research online and found out that it is very possible to hack one’s way into a hotel room and that this was proven back in 2012 by Cody Brocious. You can find his paper describing how he hacked the Onity HT lock system for hotels here.
However, we are now in year 2015 and times are changing! Now, many major hotel chains, like Hilton and Starwood, are using NFC and Bluetooth keys combined with mobile apps in place of key cards and physical keys.
The security of any application and system depends on its design and proper implementation. Vulnerabilities cannot be avoided. However, it depends on whether these vulnerabilities are exploitable or not. If exploitable, it depends on who discovers them first – the good or the bad guys. If discovered, it also depends on how quickly they are mitigated. Customers should not be discouraged from using new technology. Conversely, the more people use new technologies, the higher the chance is that potential problems are discovered and fixed -- the same goes for mobile apps that work as hotel room keys. –Jaromir Horejsi, senior malware analyst at Avast