Security News

What we can learn from the hacks on season one of Mr. Robot

Stefanie Smith, 13 July 2016

Avast takes a look at the hacks from season one of Mr. Robot and explains what consumers can learn from them.

Mr. Robot is coming back to USA Network on Wednesday, July 13th at 9/10 pm Central (tonight!) for its second season and I cannot wait (especially since I missed Sunday's sneak preview)! Season one was full of complex hacks that were, for the most part, accurately portrayed. By speaking to various Avast experts, I learned a lot about the hacks on the show last summer and how they could affect consumers like you and I.

Mr_Robot_season_2.jpg

Image via: USA Network @whoismrrobot

Here’s a recap of what we learned from the hacks in season one of Mr. Robot:

Use Avast :)

The episode eps.1.5_br4ve-trave1er.asf was an exciting one for Avast, our antivirus was featured on the show!

In the episode, Elliot tries to find a way to hack into a prison’s network and Darlene helps him by uploading an exploit kit onto USB sticks. The USB sticks are branded with E Corp’s logo, to look trustworthy. She drops the USB sticks on the prison’s parking lot. A police officer takes one of the sticks and inserts it into his work PC. First, a window appears saying “get your free $100 eTunes gift card”, and then a window asking him what his favorite music genre is appears. He clicks through several questions – and then BAM! Avast detects the exploit!

Main lesson learned from this scene: Use Avast and stay protected from malware, like the exploit Darlene uploaded to the USB sticks. You never know when malware may try to sneak its way onto your device and it is always better to be safe than sorry!

Use strong passwords to protect your accounts

In the show’s pilot, eps 1.0_hellofriend.mov, Elliot hacks his therapist Krista’s accounts. He said it was easy, because her password was her favorite artist and her birth year backwards.

Always use a strong, random, and unique password for each of your online accounts. The best way to ensure your passwords are strong is to use a password manager like Avast Passwords. Passwords should be more than eight characters long, include numbers, upper and lower case letters, symbols, and should not include any personal information, nor should your password be a dictionary word. - Jan Sirmer, Senior Malware Analyst

Never give anyone claiming to be calling from your bank or other institution any personal information

In the pilot episode, eps 1.0_hellofriend.mov, Elliot calls his therapist Krista’s boyfriend, Michael, pretending to be from his bank’s fraud department, confirming his address and asking him security questions to verify his account. Using this information, along with a dictionary brute force attack, he figures out Michael’s password.

No one from your bank or any other service you use should ever call you asking for sensitive information. If this happens, it is almost certainly a scam and we highly advise you do not tell them anything, even if they seem to know about you and your account information. Elliot convinced Michael into giving up personal information, because he knew Michael’s address, but information like this can easily be found online. - Jaromir Horejsi, Senior Malware Analyst

Cover up your webcam!

In eps1.2_d3bug.mkv, Angela’s boyfriend, Ollie, is hacked via a CD he buys from a musician on the street. The CD contained malware that gave a hacker access to Ollie’s laptop webcam, which the hackers used to spy on Ollie, taking photos of him and his mistress, which they later used as blackmail.

To protect your computer’s webcam, you should have antivirus installed on your computer and should make sure your antivirus is always up-to-date. You should also make sure your home router is secured, as attackers can hack a router to control and abuse IoT devices like baby cams and CCTV devices. Make sure you change the default username and password for these devices. Default usernames and passwords are often available on the Internet and if these devices are connected to the Internet, anyone can log in remotely and control them. An additional step you can take to prevent hackers from watching you via your webcam is by taping something over your webcam.  - Jan Sirmer, Senior Malware Analyst

Keep your car safe

The first IRL (in real life) hack we saw in Mr. Robot was in eps1.3_da3m0ns.mp4 when Elliot and the fsociety gang hacked a car. While the method they used was pretty old school, there are more and more new methods that you should be aware of.

Car hacking is a real risk. The FBI recently issued a warning about the growing threat of Internet attacks on vehicles. Most new car models are Internet connected, either to support an infotainment system or so that car owners can control their car using an app. Cars that are connected to the Internet can be hacked, either via the car’s app or via the infotainment system. The FBI also mentions that hacks can happen if someone has physical access to a car. Hackers can change settings, lower security and install additional devices for malicious purposes, like tracking the car’s location.

If for any reason you feel like someone is trying to steal your car, for example, your car door is unlocked when it should be locked, get your car inspected immediately. Radio attacks that amplify car fob signals have been proven to work  and can allow thieves to not only open the car but also drive away with them. - Nikolaos Chrysaidos, Mobile Malware Analyst

Beware of social engineering

In eps1.4_3xpl0its.wmv, Elliot and fsociety social engineer their way into Steel Mountain’s facility.

You used to have to worry about someone trying physically social engineer their way into your home by pretending to be the cable man, you now need to watch out for cybercriminals trying to digitally social engineer their way into your accounts. Always double check emails from your bank, for example, to make sure they are legitimate. Banks and online services should never email you asking to enter sensitive information via a link or send vital information as an email attachment. The same goes for emails from friends that contain links or attachments, if they seem fishy or off, call your friend and ask if the email really came from them before you take any action.

As for mobile apps, make sure you only download apps from official app stores, like Google Play. If you do choose to download from a third-party store, make sure you have an antivirus solution installed and running. If an app asks you for permissions that don’t make sense to the app’s functions or if the app wants you to alter your security settings, then something is wrong and you should not download the app. You should be similarly cautious with advertisements offering you video players or adult content.

To maximize your protection against threats, you should have antivirus software installed on your PC and mobile device. In case you accidentally fall prey to a social engineering trick, antiviruses, like Avast, will catch malicious programs and websites before they can cause damage. Nikolaos Chrysaidos, Mobile Malware Analyst

You can read my review of the final episode from season one here to jog your memory before the premier of season two on Wednesday, July 13th. Make sure check out the Avast blog every Thursday for Mr. Robot hack reviews, with security tips from Avast’s security experts!