A Roundtable of Hackers Dissects ‘Mr. Robot’ Season 4 Episode 3: ‘Forbidden’

We asked for more hacks, and Episode 3 of Mr. Robot’s final season delivered. We discussed [SPOILERS, obvs] SS7, breaking and entering, social engineering, multi-factor authentication, and getting into Olivia’s machine. (The chat transcript has been edited for brevity, clarity, and chronology.) This week’s team of experts include:

Episode Titles

Micah: This season’s episode titles are named after HTTP error codes. The first episode is called “401 UNAUTHORIZED”, the second is “402 PAYMENT REQUIRED”, etc.

Bill: Also documented in cat form.

Micah: And this episode, 403, the HTTP error is forbidden, and the episode had a specific FORBIDDEN theme in it. Mr Robot said, “Every time I talk to Eliot about it, he puts up a wall. Like he’s flat out throwing me a FORBIDDEN error. Denying me the chance to even bring it up.”

Bill: Are they tracking the episode numbers? is the next one 404? OMG.

Retro IBMs

Yael: Do you guys think it’s worth discussing the part of the plot that’s essentially about China stealing IP from IBM? This is a big thing even now.

Jason: You can steal or clone a mainframe, but running one reliably without support from IBM is pretty hard…

Yael: Yeah, and in the meeting, it sounds like they were paying them money in this partnership, so I’m not sure what the plan was.

Trammell: On the retro IBM: was there ever a mouse available with that model? Because I’m that sort of nerd, the microsoft Mouse wasn’t introduced until 1983. The rounded one that I think is in the photo wasn’t until ‘87 or ‘93.

Retro Mouse, Image: USA

Jason: Yeah, it might be an XT (1983) or an IBM Personal Computer from 1981. The exterior looks similar for both models.

Trammell: I’m not 100% certain, but I think that predates the XT and is a 5150, the “original IBM PC.” Because that is the sort of minutiae that totally throws away any credibility… IBM PC XT has a label that says “XT.”

Image: Wikipedia

Location Tracking

Harlo: The Krysta scene—at the end, we see a dude tailing Elliot, and, unlike the Whiterose gang, he’s absolutely wayfinding (tracking a nearby signal) on his device. We see that again later on.

Trammell: Didn’t Elliot install a hacked version of Signal that leaks his location?

Micah: He did. Allegedly, it only leaks his location to Darlene though, but who knows what she put in that APK, really.

Harlo: Hmmmmmm. Darlene, you FINK.

Bill: I’m not sure if he installed a hacked version of Signal or he just was using the Signal API.

Harlo: Darlene did force him to install a modified version of Signal that lets her in.

Yael: Well, she took his phone and put it in. He could’ve said no or removed it, but he didn’t.

Bill: You can script signal messages using the Signal API, and he might have just been doing that to notify Darlene of his location.

Freddy: I don’t think this existed in 2016, but I’m not sure.

Harlo: Yo maybe Darlene is working with the drug cartel because she gets a good deal on blow in exchange for Elliot.

Bank Security

Yael: So they’re meeting on Christmas and Elliot and Darlene are planning to hack them to…steal the money? I think?

Jason: Yeah, I think that’s the plan. Hack them and wire a ton of money out of the Bank of Cyprus.

Yael: Okay, so say this hack works, which it looks like it did, and they drain the money. Does Cyprus National Bank not have fraud protection?

Jason: Usually there’s an approval flow with multiple users to initiate a substantial wire.

Harlo: Should be, right???

Jason: Yeah, probably need to hack some more people/social engineer.

Micah: It might be different if you have Olivia’s access, though.

Yael: I’ve had my bank tell me when it thought there were unauthorized transactions or freeze my account because I was traveling, though.

SS7

Yael: When Darlene and Elliot were arguing about who got to do what, Darlene said Elliot was supposed to get the SS7 license; anyone wanna talk about SS7?

Jason: SS7 is a shared network that virtually every cell carrier has access to. Karsten Nohl / srlabs.de is a good technical reference on SS7.

Freddy: SS7 is a signaling system that handles things like when you are in your car and moving but on a phone call. When you switch from one cell tower to another, you need to be able to handle that without dropping the call. That’s what SS7 does. It’s also notoriously insecure and you can use SS7 exploits to take over someone’s phone. It enables you to steal text messages to bypass two-factor authentication.

Jen: And/or track people’s locations.

Harlo: Or to intercept messages, calls, and know which tower a phone is connecting to via its IMEI [unique identifier assigned to mobile devices]. Actually, you don’t even need the IMEI, I think.

Micah: I think all you need is a phone number.

Jen: You also need an SS7 license (or to somehow otherwise get access to the SS7 network) in order to do any of this as an attacker.

Jason: If you can convince carriers that you’re a new cell carrier with paperwork, you can get access.

Olivia’s Machine

Yael: But then Elliot is also trying to get into Olivia Cortez’s machine. Are these just two approaches for the same thing?

Micah: The SS7 hack and getting into Olivia’s machine are two separate things. Elliot needs access to Olivia’s machine in order to access the Cyprus National Bank account.

Harlo: So, ultimately, Elliot and Darlene are yak-shaving. Ultimately, they just need to hack the human.

Trammell: I’m a little disappointed that Elliot setup the breaking and entering as some sort of elite thing to leave Darlene at home, but in the end the target had zero special effort required. Darlene has also shown her expertise at social engineering.

Bill: The hack on Olivia’s laptop is again a 2015 exploit. Basically, Elliot uses a hook that triggers the sticky key executable (sethc.exe). It is a helper process that is executed when you press the sticky keys combo at the login screen. Only, by replacing sethc.exe with cmd.exe, which is the Windows command line executable, he’s able to press the sticky key combo to get shell access.

From there, he is able to reset Olivia’s admin password and log in as her from the e-OS login screen. That allows him to steal the Firefox profile, which includes VPN access credentials from her laptop, which he then transfers to an instance of Kali Linux and runs.

He then runs ffpass to extract those credentials into his own Iceweasel (Firefox clone) profile, and gain VPN access. It’s only then that he notices he needs the physical OTP module in order to complete authentication.

It looks like from the git history that ffpass didn’t exist until 2018. This is the first time I’ve seen a tool which is newer than the time period, though.

Micah: First, he picks the lock in her drawer and finds her work laptop. Then he needs to reset her password, so he boots into “E Operating System Error Recovery”, which is literally exactly the same thing as the “Windows Error Recovery” screen; they just replaced “Windows” with “E Operating System.”

Jason: It’s kind of amazing that a bank’s corporate laptop wouldn’t have full disk encryption.

Micah: Actually it might have full disk encryption, but it’s Windows. If it uses BitLocker, then the encryption key is stored in the Trusted Platform Module [a dedicated processor used for encryption] and is passwordless, which means this hack could still work even with disk encryption.

Harlo: PSA: you can definitely enable passphrases in BitLocker. You would need to modify your group policy.

Micah: True, but it’s not the default behavior, therefore, no one does it.

Jason: That’s terrible.

Harlo: It’s a slog because Windows hates you, but it’s possible.

Trammell: Bitlocker TPM PIN seems like the right way to do it, although there is also the recently (end of 2018) discovered issue with self-encrypting disks and BitLocker. BitLocker will trust the SED, which in some cases turns out to not actually use any encryption.

Harlo: It’s advisable to ALSO enable software-based encryption in your group policy.

Micah: I also like the rest of the password reset hack, where, from an “open file” dialog in Notepad, Elliot was able to manipulate the filesystem, to rename cmd.exe to something else, to ultimately get a [command line] shell.

Multi-factor Authentication

Yael: When Elliot gets Olivia’s machine, he can’t get into it because she uses MFA. So if you wear one of your factors on your wrist, do you need a special secure locker for your hookups? Though I guess Dom had a locker and that didn’t work for her.

Bill: This reminds me of the scene in Season 1 where Tyrell sleeps with some guy to get access to his cellphone, in order to install some custom malware on it.

Harlo: This part made me really double-think how we normally keep our keys so accessible. How many folks do you know keep their 2FA on their literal keychain? (Raises hand.)

Emma: I may or may not keep my hardware key on a necklace rated to support up to 150 kilos along with a Kali USB key and an encrypted one for all my goodies.

Image: USA

Harlo: But can we talk about the social engineering?

Yael: My favorite part was when Elliot said people held him down and forced him to do heroin.

Trammell: It is interesting how Elliott’s social engineering was a tag team with Mr. Robot—they had such different pickup artist techniques.

Harlo: Love to have my dad as wingman. Ghost dad telling me to get it. My dead dad, like “go for it, son.”

Yael: Olivia got stood up (sort of) on Christmas and there was Matthew Sweet playing. She didn’t even stand a chance. I guess this hack wasn’t all that complicated? Would you agree? Like the password part was more technically difficult and the social engineering was pretty easy. And then poor Cyprus Bank practices, I guess.

Bill: I would say the reverse. Especially for introverts, the social dynamics stuff can be exceedingly difficult. The technical hack just takes time and persistence. The social hack is kind of a one-shot thing.

Yael: I don’t know. I think people are sadly easy to manipulate. Even people who should know better. We are just very trusting, in general.

Trammell: It is interesting how much better his turned out than Darlene/Dom, which ended with Dom delivering possibly the worst curse on Darlene. (Although Olivia doesn’t know she’s been hacked yet…)

Yael: “Finding” the Oxytocin after he got what he needed was a nice touch. But like she could’ve caught him with her security key, and didn’t. Some of this was luck. Sorry, Elliot. Literally if her date had showed up on time this wouldn’t have happened.

Trammell: Yeah, serious plot-armor on the luck between the date not showing up, not getting caught with the token, etc.

Jason: Elliot could have hacked her OkCupid and cancelled the date without her noticing. And done some additional research to improve his odds. A nice shirt also helps. 😉

Harlo: By the way, I told a couple of folks, but I don’t mind telling literally everyone: one time I literally burned my whole infrastructure because a handsome man was nice to me at a conference and i was so suspicious that it was an op.

Yael: Haha. I always get suspicious when people want to talk to me instead of me wanting to talk to them.

Harlo: Hack the human.

Trammell: Given the short time frame, I’m also curious why he didn’t burn the bridge and make a quick exit with the keyfob (and maybe wallet, etc) to make it look like a more normal theft. As in, the meeting is tomorrow, so they need to execute on the results of the hack RIGHT NOW.

Harlo: It’s worth noting that this shows how important multi-factor authentication is! The fact that Elliot had to go as far as he did to gain access to an account even when he already gained someone’s password is really, really important for viewers to understand!

Yael: Yesssss all he needs is to break both factors. They had this in the first season, when Elliott had to get Gideon Goddard’s phone for his RSA SecureID pin.

Emma: Elliot sent him a bunch of junk MMS messages to drain the battery and force him to charge it, then hit him with the distraction to get him to leave his office. Both instances though highlight an important point—the biggest threat are the people close to you. Elliot was able to do it to Goddard because they worked in the same office. Elliot had to get close to Olivia to get her fob. Like Harlo said, multi-factor authentication is super important and remote hackers can have to go to extreme lengths to compromise it (although it depends…. phone based MFA is a lot less secure than the fob).

Harlo: Especially when you’re dealing with a hacker with an “SS7 license.” This is why we go for apps or even better, hardware tokens for 2FA wherever they’re available!

Yael: There’s also Tyrell’s stalkerware. So, uh, password protect your phone, I guess.

 

Read More

Leave a Comment