Mr. Robot review: eps2.4_m4ster-s1ave.aes

Stefanie Smith, 11 August 2016

Avast malware analyst Jaromir Horejsi explains how Mr. Robot's fsociety planted a femtocell to hack the FBI.

This week’s episode of Mr. Robot had an unusual start – more unusual than usual. The episode begins with Elliot, Darlene, and their parents in a 90s-style sitcom. ALF makes an appearance. Yes, you read correctly, ALF, and he even runs over and kills Gideon! Gideon is, of course, not Gideon in this 90s episode; instead, he is a cop who is looking for a family that has a person locked up in their trunk. Elliot’s family is the family that has someone locked up in their trunk -- Tyrell! Vulture wrote a nice article explaining how this scene came to be and how this was Mr. Robot’s way of distracting Elliot from all of the pain he is in in real life.

Image via: USA Network @whoismrrobot

We don’t see too much of Elliot outside of this bizarre scene, as he is hospitalized after being beaten by Ray’s men.

The women on the show, however, are in the forefront this episode and show off their hacking skills (girl power!). Angela is being taught to hack by Mobley, to help fsociety hack the FBI.

Mobley is teaching Angela how to hack and then gives her a “rubber ducky” and tells her that, if all else fails, she can plug it into an FBI laptop, wait 15 seconds and unplug it. Along with a tool called Mimikatz, the rubber duck will pull all cached passwords and domain information.

Stefanie: What is a rubber ducky?

Jaromir Horejsi, senior malware analyst: A rubber ducky is a toy you use while taking a bath. It is small and yellow and when you push it, it makes a noise :).

Stefanie: -_- seriously, what is the rubber duck Mobley gives Angela? And what is Mimikatz?

Jaromir: Haha, okay, so the rubber duck Mobley gives Angela is a USB stick that can run any payload programmed onto it. Mimikatz is a post-exploitation tool. When you gain access to a device, you can run Mimikatz and it will scan the device’s memory and dump passwords and other data.

Darlene goes undercover and uses tricks to hack her way into a hotel room. Darlene calls the front desk to ask for fresh towels for her “room”. The cleaning personnel comes with the supply wagon and Darlene swipes a key card from the cart. She then uses a device to swipe the magnetic strip to unlock the room’s door.

Stefanie: This isn’t the first time we saw fsociety hack into a hotel room, but how did Darlene get the code from the room’s keycard? Is this easy to do and can this be done with credit cards?

According to The Verge, the device Darlene uses to swipe the code, MagSpoof, was created by well-known hacker Samy Kamkar and is open source.

Jaromir: Yes, Darlene used a skimmer to swipe the code from the key card’s magnetic strip. ATM skimmers can do the same with credit cards. Hackers can place card readers over ATMs and when you swipe your card at an ATM the card’s magnetic strip is read by a counterfeit card reader, rather than the actual ATM’s reader. You should always take a careful look at the ATM reader you want to use. If you see something suspicious or notice a device attached to it, you should not use it. Additionally, you should always review your card statements and immediately report suspicious activity to your bank.

Darlene sets up an antenna next to the window of her hotel room and then logs into her Kali Linux system. She then calls Angela to walk her through the steps to set up the femtocell.

Stefanie: What is the antenna Darlene sets up? We also see Angela accept a Signal call, what is that?

Jaromir: The antenna she sets up looks like an amplifier, like a Cantenna, and would explain why she specifically chose that room to work from. She is probably very close to the E Corp building, maybe she is amplifying their Wi-Fi so she can be joined to the network.

Signal is an app from Open Whisper Systems that provides secure communication by using encryption and deleting all metadata. If Darlene and Angela connected via a normal call, their service providers could hand over metadata to the FBI.

With the help of Mobley and Darlene, Angela successfully runs the script to enable the attack, to get the femtocell live. She then plugs the femtocell and its battery backup into the E Corp network. Just when they think they are done, they lose Wi-Fi. Angela has to go back to her desk to reconnect the Wi-Fi. Darlene instructs Angela to plug a flash drive into her computer and to boot from USB. She tells Angela to open a terminal and type in “ssh -l root l413116.e-corp-usa.com” along with more lines of code. Before Angela can finish, Dominique from the FBI interrupts her.

Stefanie: Why does Angela have to boot via USB and what does ssh -l root l413116.e-corp-usa.com stand for?

Jaromir: Darlene wants Angela to boot with the USB so that she can run a Linux distribution system with an ssh program so she can reconnect to the Wi-Fi access point. SSH stands for secure shell, a Linux program used for remote connections. Root is the name of the user, which is always the administrator. The rest is the URL address of the computer she is connecting to.

Through the flashback scene at the very end we learn how Elliot’s dad, Mr. Robot, lost his job and how he broke the bad news about his health to little Elliot. We also learn that it was Elliot who named his father’s shop “Mr. Robot”.

What did you guys think of the episode? Do you think Angela will have to resort to using the rubber duck or do you think she will be too nervous? I personally hope Elliot can escape from Ray and get back to working with the fsociety team!