Security News

Mr. Robot Review: Eps3.1_Undo.Gz

Michael Healey, 20 October 2017

Avast Threat Lab lead and malware expert Jakub Kroustek hacks the hacks in episode two of Mr. Robot, Season Three.

At the end of episode one, Elliot asks Angela for a job at E Corp. Angela, like a true best friend, delivers.

Episode two opens with Elliot on his way to work. He has taken a position with E Corp’s Recovery team. His goal: to undo the hack and fix the world he broke by putting it back together, better than it was before.

We learn that E Corp is delivering paper records from its buildings to one centralised New York office. Elliot believes this is an inefficient, insecure and expensive operation. He plans to digitise all paper records in local E-Corp facilities.

Elliot gets to work by setting up a meeting with his manager William to explain the concept. His pitch miraculously fails. William has a Goo Goo Dolls concert to get to. Elliot retaliates in classic style. He hacks William’s work email account and learns that he’s been ordering his engineers to install rootkits on all of Evil Corps’ phones so they can illegally sell private consumer data. Elliot tips off the FBI. William is arrested and Elliot targets the new executives in the chain.

Mike: Jakub, how does Elliot hack into his manager’s email account?

Jakub: To access his manager’s mailbox, Elliot probably used a simple combination of password guessing and bruteforcing. You might have spotted the password “aboynamedg00”. This is a modification of “A Boy Named Goo” - an album by Goo Goo Dolls that William, Elliot’s manager, mentioned to him during the presentation.

Elliot’s next meeting follows a similar pattern. The executive isn’t interested so Elliot puts him behind bars, too. As he works his way up the management chain, he simultaneously re-directs the paper record shipments back to the local facilities. However, he needs to keep the UPS system safe. With the right malware, the backup batteries in the New York facility can become weaponized by Dark Army. Elliot creates a patch that ensures the UPS devices can only run trusted code that’s digitally signed by E Corp. Why? Because even if the company believes that the paper records arrived at the New York building, Dark Army won’t be able to destroy it.

Mike: Jakub, a couple of questions for you. Firstly, could the right malware theoretically turn backup batteries into bombs?

Jakub: In theory, yes. Actually, this is the same method that was used in episode 2.9. Elliot is using the IDA Pro disassembler for analysis of the battery firmware… like a pro :)

Mike: Elliot talks about protecting a UPS system. Can you explain what this is and how Elliot is keeping it safe with the patch he’s created?

Jakub: Usually, manufacturers try to protect their devices against unofficial modification of the internal software (firmware). One way of doing so is to only allow modifications that are digitally signed - the others will not be accepted by the device. In this case, Elliot acted as this authority and added such a code check. Dark Army will be unable to upload their own destruction firmware to these UPS systems.

Now the episode’s narrative kicks in. Elliot is granted the meeting with the VP of Technology to discuss the paper records situation. Once the executive team is on board, he plans to start rebuilding the database and reversing the hack.

However, another incident of severe loneliness delays his progress. Elliot visits Krista, his therapist, and discovers that what he misses most is his alter-ego, Mr. Robot, and the deep desire to make a difference in the world.

In a sudden turn of events, we learn that Darlene, Elliot’s sister, is working with the FBI as a confidential human source (CHS). She has been tasked to retrieve intel from Elliot on Tyrel Wellick. After Tyrel’s wife Joanna is murdered by ‘ex lover’ Derek, Elliot agrees to meet his sister after a period of separation. It’s Elliot’s birthday and he asks Darlene to keep him company for night before she leaves town the following day.

But, in the middle of the night, Elliot catches Darlene fiddling with his computer. Elliot, now in Mr. Robot mode, interrogates Darlene before a fight between the pair breaks out. Darlene leaves the building in shock.

In the scenes that follow, Krista is finally introduced to Mr. Robot. He tells her that his plans have been compromised, but doesn’t disclose who’s to blame. Mr. Robot fades away into the background and Elliot returns. His conscious kicks in. He starts to question the closure of Stage Two and the individual that’s scuppered Mr. Robot’s plans. He arrives at his home and sits down at his computer. He notices the screensaver on his desktop has changed. He reboots the computer and launches Kali Linux which is running Rootkit Hunter version 1.4.2.

Mike: Elliot’s jungle instincts come into play in this scene. He is clearly suspicious of something. Jakub, can you explain to us what Rootkit Hunter is?

Jakub: Rootkit Hunter is a security tool for finding rootkits and similar malicious codes in POSIX compliant systems. Roughly speaking, it’s a virus scanner for Linux.

As it turns out, Elliot’s suspicions are legitimate. His computer activity is being simultaneously logged by the FBI, thanks to Darlene.

Mike: How do you think Darlene did this?

Jakub: Darlene was interfering with a the back of Elliot’s monitor. It looks like some kind of video signal logger and sender. Just like a hardware key-logger is used for re-sending user keystrokes to the bad guys, this one did the same with images. You can actually buy such devices for spying.

But Elliot is no fool. His inner voice has served him well. Aware of the prying eyes watching over him, he counters brilliantly. He sends an encrypted email to Tyrel Wellick with a link attached. The FBI agent sees this and takes the bait. He clicks the link. Elliot now owns them.

Hacks in this episode were few and far between as the broader narrative took centre stage. Nevertheless, some interesting concepts, programs and code were explored. There promises to be more juicy material to analyse in future episodes and a foray into the world of cryptocurrencies.