Mr. Robot review: eps3.0_power-saver-mode.h

Stefanie Smith, 12 October 2017

Avast explains the hacks and terms mentioned in Mr. Robot: eps3.0_power-saver-mode.h

The long wait is finally over! Season three, episode one of Mr. Robot aired on Wednesday, October 11th on USA Network and it did not disappoint.

At the end of season two, we left off with Elliot shot by Tyrell, Cisco killed by the Dark Army, and Darlene interrogated by the FBI.

In this episode we meet Irving, a used car salesman who also works for the Dark Army. Through a conversation between White Rose and his colleague, we find out that Mr. Alderson, Elliot’s dad, AKA Mr. Robot, worked for the Dark Army, unbeknownst to him. In the next scene, Elliot wakes up with Angela by his side. Elliot is confused: did Tyrell really shoot him? Does Tyrell exist outside of his mind? He borrows a preppy sweatshirt from Angela to go back to the location where he was shot. It has been wiped clean. Next, he goes to his apartment where Darlene has been waiting for him, scared of being caught by the FBI.

Elliot tells Darlene he needs to close the backdoor he created for the Dark Army, giving them access to E Corp’s internal network (which happened in the season finale of season 2). Due to the blackout, Elliot doesn’t have internet access at home, so Darlene says she’ll take him to a place that has access, but he has to change, because he won’t be getting in wearing “that shirt”.

Next, we see Elliot walking the streets with Darlene wearing his signature black hoodie. They arrive at the place that has access, which at first appears to be a night club. They walk downstairs to a room filled with hackers competing in a CTF tournament, which Darlene describes as the “hacker Olympics”.

Stefanie: First, I have to ask, do all hackers wear black hoodies, or is that just a stereotype?

Jakub Kroustek, Threat Lab Team Lead: *wearing a dark hoodie* it's comfy :)

Stefanie: Is CTF a real thing? If yes, has anyone from Avast participated?

Jakub: Yes, CTF, which stands for Capture the Flag, is a real thing. Basically every major security-oriented conference hosts its own CTF, e.g. DEF CON CTF. You need to qualify with your team to compete in the best CTFs. It’s all about hacking, reverse engineering applications, finding vulnerabilities, breaking ciphers… you know, exciting things! And yes, there are many skilled players who work at Avast, like Vojtech Vobr, Milan Bohacek, and a few other colleagues have participated in CTFs.

Elliot wins the CTF tournament, in two minutes, so that he can use a computer to close the backdoor he created. He explains that the backdoor had a hard-coded C2 (Command and Control) domain pointing to a listener on Tyrell’s machine. He says that all he had to do in order to close the backdoor was hack the registrar and change the name server configs. Once he hijacked the domain, he could shut down the Dark Army’s access before they even noticed.

Stefanie: Jakub, would it be possible for you to describe how Elliot was able to shut the backdoor, so that people like me can understand what happened in this scene? :)

Jakub: Sure. First of all, let’s clarify what a backdoor is: Roughly speaking, it is a program that tries to receive and execute commands from its “master”, the attacker. When it comes to backdoors, there is usually a master-slave relationship, where the “slave” is the program silently running inside of an infected system. In this scene, there is a running backdoor installed within the E Corp network. The network is protected, meaning no one from the outside should be able to access it, so a so-called reverse backdoor was used, one that is actually 15 years old, to access the network. The backdoor actively tries to receive commands from a pre-configured (hardcoded) master machine. Elliot was skilled enough to hijack this communication channel and acted as a new master. The commands he executed shredded the backdoor files stored in the E Corp network, effectively closing the backdoor.
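As an added illustration of the reverse backdoor described above (not from the show, Avast, or the original post): a backdoor that keeps calling out to one hard-coded domain tends to leave a regular rhythm in DNS logs, which defenders can look for. The log format, hosts, domain names and thresholds below are constructed, and near-regular polling is an assumption about how such a backdoor behaves.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS query log: "ISO-timestamp client-ip queried-name".
# All hosts and domains are made up for this example.
SAMPLE_LOG = """\
2017-10-11T09:00:00 10.0.0.5 master.example.net
2017-10-11T09:05:01 10.0.0.5 master.example.net
2017-10-11T09:10:00 10.0.0.5 master.example.net
2017-10-11T09:14:59 10.0.0.5 master.example.net
2017-10-11T09:20:01 10.0.0.5 master.example.net
2017-10-11T09:25:00 10.0.0.5 master.example.net
2017-10-11T09:00:07 10.0.0.8 www.example.com
2017-10-11T09:00:09 10.0.0.8 www.example.com
2017-10-11T09:03:40 10.0.0.8 www.example.com
2017-10-11T09:17:12 10.0.0.8 www.example.com
2017-10-11T09:41:55 10.0.0.8 www.example.com
2017-10-11T09:30:00 10.0.0.9 updates.example.org
not a log line
"""

def parse(log):
    """Yield (timestamp, client, domain), skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        try:
            ts, client, domain = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            continue  # malformed line
        yield ts, client, domain.lower().rstrip(".")

def find_beacons(log, min_queries=5, max_jitter=0.1):
    """Return [(client, domain, mean_interval_s)] for pairs whose query
    intervals are nearly constant (stdev / mean <= max_jitter)."""
    seen = defaultdict(list)
    for ts, client, domain in parse(log):
        seen[(client, domain)].append(ts)
    hits = []
    for (client, domain), times in seen.items():
        if len(times) < min_queries:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, domain, round(avg)))
    return sorted(hits)
```

Here the constructed host 10.0.0.5 is flagged for querying the same name every five minutes, while the irregular browsing pattern of 10.0.0.8 is not.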

The Dark Army takes Elliot and Darlene outside where Irving is waiting. They go for a ride. The FBI is on their tail and, to shake them, Irving indirectly hacks the car the FBI is in by calling OnStar pretending to be a cop. He tells OnStar to initiate a slowdown of the vehicle.

Stefanie: This was a little scary to watch, could a hacker theoretically also do this?

Jakub: This particular hack was successful because it was done via an anti-theft product, but whether or not a hacker can hack a car depends on the vehicle, of course. At the end of the day, it is possible and it isn’t anything new! Back in 2015, Wired reporter Andy Greenberg published an article where he describes how hackers were able to bring the Jeep he was driving to a full stop on the highway, using a zero-day exploit.

The three go to Red Wheelbarrow BBQ, which is owned by the Dark Army. Irving is not happy to hear that Elliot closed the backdoor, but he seems to accept the situation, which Elliot finds odd.

Jumping to a later scene, we see Angela wake up in the middle of the night. She goes to her living room, where we see Mr. Robot, Elliot’s father and alter ego. He wants to regain access to E Corp. Angela may be Elliot’s best friend, but she is Mr. Robot’s accomplice, and the person who has been put in charge by the Dark Army to manage Elliot. They go to visit Irving and Tyrell, and Mr. Robot gets to work. He searches “Apache Tomcat” and “E Corp” on a website called “shodan.io”.

Stefanie: What is shodan.io? And what is Apache Tomcat?

Jakub: Shodan.io is a search engine where you can search for internet connected devices (e.g. IoT devices) around the world, as well as services running on these devices. Apache Tomcat is an open source implementation of many Java-related technologies, used to run web applications.

Stefanie: Why would Mr. Robot be searching for devices that use Apache Tomcat?

Jakub: Shodan can be (and often is) used to search for vulnerable targets, i.e. devices that are running a particular service that an attacker can leverage, e.g. by using an exploit. So, my guess is he wants to hack an E Corp device running Apache Tomcat in order to gain access to E Corp’s internal network and thus continue what he stopped by closing the original backdoor.

The episode ended with Angela and Mr. Robot having a serious chat about how she treats Elliot and why she is playing games with him. She tells Mr. Robot she wants justice for her mom’s death, something she believes White Rose will help her with.

Much came to light this episode and I am curious to see how Elliot will react when he learns Mr. Robot is planning on hacking E Corp to give the Dark Army access to the conglomerate’s internal network.