Avast's Jakub Kroustek explains the hacks and terms used in Mr. Robot season 3, episode 4.
This week’s episode was all about the stories data can tell.
The opening scene is Darlene channeling her inner Elliot, making the girl with the pink hair who pickpocketed her in the subway very uncomfortable. Rather than asking for her wallet back, Darlene just asks the girl for the polaroid picture that was in the wallet. Later on in the episode, we see that the polaroid is a picture of her family, when Darlene leaves the photo in Elliot’s apartment. Perhaps Darlene wants the photo to remind Elliot of something?
The next scene shows Elliot going to Darlene’s safehouse, snooping around her mailbox and garbage, saying the following:
“Metadata. The story behind the data. Getting information is one thing, but how it was created, where and by whom, can often be illuminating. Like most pics people post on Instagram or Facebook, they don’t realize they just gifted whatever social media site their camera type, phone model, name, and location, all hidden inside the photograph’s metadata.”
Stefanie: What is metadata and is what Elliot says about social media true?
Jakub Kroustek, Threat Lab Team Lead: Metadata is data that describes other data, basically. Elliot gives a good example of what metadata is, in his example of people giving social media information without realizing when they upload an image. When you upload an image to most social media sites, the image usually contains something called EXIF, which stores all the information that Elliot describes, the camera or phone type with which the photo was taken, GPS coordinates, etc. Websites also use metadata, so that search engines, like Google, can recognize what kind of page it is and what type of content is on the page, which can help people decide if they want to visit the page or not.
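To check what a photo carries before you share it, the added example below (not part of the interview and not Avast code) walks a JPEG's header segments, reports the EXIF camera make/model and whether a GPS block is present, and returns a copy with the EXIF segment removed. The sample bytes are a constructed JPEG skeleton, not a viewable image, and the device name "ExamplePhone" is made up.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model"}  # ASCII tags stored in the first EXIF directory
GPS_IFD_POINTER = 0x8825                  # present when the photo is geotagged

def header_segments(jpeg):
    """Yield (is_exif, start, end) for each segment before the compressed image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length")
        exif = jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"
        yield exif, pos, pos + 2 + length
        pos += 2 + length

def exif_summary(jpeg):
    """Return Make/Model strings found in EXIF and whether GPS data is attached."""
    found = {"gps": False}
    for start, end in [(s, e) for x, s, e in header_segments(jpeg) if x]:
        tiff = jpeg[start + 10:end]                 # TIFF block after "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"      # byte order declared by the file
        (ifd,) = struct.unpack(bo + "I", tiff[4:8])
        (count,) = struct.unpack(bo + "H", tiff[ifd:ifd + 2])
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            tag, typ, n, value = struct.unpack(bo + "HHII", entry)
            if tag == GPS_IFD_POINTER:
                found["gps"] = True
            elif tag in TAGS and typ == 2:          # strings of <= 4 bytes sit inline
                raw = entry[8:8 + n] if n <= 4 else tiff[value:value + n]
                found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def strip_exif(jpeg):
    """Return the JPEG bytes with every EXIF segment removed, image data untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for exif, start, end in header_segments(jpeg):
        out += b"" if exif else jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

# Constructed sample: SOI, one EXIF segment (Model + GPS pointer), stub image data.
_tiff = (b"II*\x00" + struct.pack("<IH", 8, 2) + struct.pack("<HHII", 0x0110, 2, 13, 38)
         + struct.pack("<HHIII", GPS_IFD_POINTER, 4, 1, 51, 0) + b"ExamplePhone\x00" + bytes(6))
_app1 = b"Exif\x00\x00" + _tiff
SAMPLE = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_app1) + 2) + _app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Calling `exif_summary(SAMPLE)` reports the model string and the GPS flag; running it again on `strip_exif(SAMPLE)` shows neither survives.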
Elliot gets into Darlene’s apartment by picking her door’s lock, which is something Elliot in the past described as “every hacker’s favorite sport”.
Stefanie: Is this a hobby of yours too?
Jakub: Actually yes, although I’m not as experienced and skilled in lockpicking as Elliot is :) As a malware analyst you try to break virtual malware protections all day long, so it is nice to do something similar in real life and “reverse engineer” a solid padlock, but just for fun, of course!
Darlene comes home and Mr. Robot confronts her about the hardware wired to his monitor’s display controller, along with a small cellular modem taking screenshots every 10 seconds, sending them out somewhere.
Stefanie: Can software do this too? Or does hardware need to be attached to a targeted PC?
Jakub: In this case, it was not done by software, to avoid being caught by Elliot. Instead the FBI used hardware equipment, just as we thought two weeks ago. And yes, devices like these are available for sale on eBay and the like. Now, it’s time to check your displays ;)
In real life, software that can capture screenshots is much easier and is heavily used by cybercriminals, most often by banking malware to capture sensitive user information.
Angela and Tyrell discover that Elliot is abusing his privileges while working at E Corp to try to stop Stage 2 from happening by messing with the shipping orders. Needless to say, they are not happy about his interference, and neither is Mr. Robot, as Whiterose has them on a strict deadline.
Elliot tells Darlene that he has been monitoring traffic at E Corp, which led him to an unpatched web server. Darlene then shuts Elliot’s laptop. She doesn’t want to hear about Elliot’s research; she wants to know why Elliot hasn’t given the FBI an anonymous tip and walked away from it all.
Stefanie: I understand Darlene’s concerns for her brother, given her collaboration with the FBI. However, I am a little upset that she didn’t let Elliot finish explaining his research! Jakub, what do you think Elliot found on the unpatched web server?
Jakub: Do you remember the end of the first episode of this season of Mr. Robot, how they used Shodan.io to search for E Corp servers running software called Tomcat? For a few seconds in today's episode, there was a screen of an E Corp server running a vulnerable version of Tomcat together with a log file containing evidence of exploitation of this vulnerability. So, Elliot must have discovered traces of his alter ego, Mr. Robot, on it.
The FBI arrests a Mr. Nouri, who seems to have uploaded FSociety’s latest video. During interrogation, Dom explains to Mr. Nouri that they obtained the Vimeo connection logs for the account he uses through a court order, and that these led them to his IP address and his home address.
Stefanie: Can someone really be traced like this?
Jakub: Yes, but like Dom said, they received the logs through a court order, so not everyone can obtain your logs to find out who you are and where you live. However, there are ways to hide information like this, such as using the Tor browser or anonymous VPN services. Dom questions what Mr. Nouri and FSociety are up to, as it seems a bit suspicious that FSociety practically handed the FBI Mr. Nouri’s location. I guess we will have to wait and see what’s really going on!
I am curious to see if Tyrell and Irving can pull off Stage 2 or if Elliot will put all the pieces of the puzzle together to shut Stage 2 down.