‘Mr. Robot’ Rewind: Booby-Trapping Femtocells from the Forest in Episode 3

Agent Santiago in Season 3, Episode 3 of Mr. Robot. (USA Network Photo)

int SpoilerAlert(bool MrRobotS3EP3_viewed)
{
    if (MrRobotS3EP3_viewed == true) {
        goto BeginArticle;
    }
    else {
        goto USANetwork;
    }
// For the non-geeks, if you haven’t seen episode 3 of Mr. Robot season 3, there be spoilers ahead. Watch it first.

USANetwork:
    return 0; // go watch the episode first
BeginArticle:
    return 1;
}

Welcome to my weekly Mr. Robot Rewind article, where I examine the accuracy of all the hacks and tech in the TV cyber thriller, Mr. Robot.

This week was another exciting episode, so let’s dive right in and talk about the hacks!

…  crickets …

Oh yeah… there weren’t any new hacks this week. That could be problematic for a “hackuracy” article, right? Never fear, though. A technically uneventful episode for Mr. Robot actually qualifies as a pretty geeky episode for any other show. While we didn’t really see any new hacks, we did flashback to some old ones, and the episode subtly introduces some new technical information and Easter eggs. Let’s focus on those.

Encrypting files over the network

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

In a nutshell, this entire episode is dedicated to filling in all Tyrell’s missing time from season two. Season one ended with Elliot launching the Stage 1 attack (encrypting E Corp’s files) from Fsociety’s arcade with Tyrell. We know there’s a gun in the popcorn machine, but we never learn exactly what happened, and Elliot wakes up in Tyrell’s SUV three days later.

In short, we see Elliot start where he left off in episode nine of season one. He runs his and Darlene’s fuxsocy.py python script, which starts encrypting all of E Corp’s files. If you want my technical take on this original hack, see this article.

Although I’ve mentioned it many times before, I will say that one aspect of this scene still seems very strange. Why would Elliot, Fsociety, and the Dark Army encrypt these files rather than delete them completely? Encryption takes more effort, time and resources. The shred command, which Elliot has used at other times, can securely destroy files so they can’t be recovered. If their true goal is to destroy the files for good, why encrypt?

Now, the show has said that Darlene wrote the script with a self-deleting encryption key, which—again—seems weird to me. It’s pointless to take the time to script encryption and then script the deletion of your encryption key, when you could just “shred.” This season, Elliot also said, point-blank, that he can’t decrypt the files. This statement does threaten my theory that someone will recover the encryption key and get the files back. In any case, these encrypted files will either come back into play later, OR the show had a technical misstep, because in my opinion, no self-respecting hacker would waste time encrypting if their goal was to destroy (unless it was a false flag attack, like NotPetya).

Back to the new stuff. For the most part, the flashback of this attack is exactly how we remember. However, perceptive viewers might have noticed a new technical detail in a quick screen shot.

Figure 1: Encryption script uses Secure Copy to encrypt files across the network

You might have wondered how Elliot and team could encrypt all of E Corp’s files (which would likely be spread across many computers) by running a script on one machine. This screenshot answers that question. It looks like the fuxsocy.py script is using Linux’s Secure Copy (scp) command. Most *nix users know the basic copy (cp) command to copy files on their own computer. scp is basically the same thing, except it copies files across a network over an SSH connection. In any case, their use of this command is technically on point.

Now character-wise, there’s a whole lot of other intense stuff that happens in this scene. If you’re a #tyrelliot fan, you probably loved it. However, since the Rewind series is focused on the hackuracy of the show, I will stifle my other thoughts about this scene and move on to the next (kind of) hack.

Writing “EnableAttack” scripts for SkriptKiddies (i.e. Angela)

As I mentioned, this episode had no new hacks, but it did shed some light on old ones. A big hack from season two was the femtocell hack. If you don’t remember all the details, read this, and this article. In short, Darlene (and Fsociety), Elliot, Angela, the Dark Army, and now Tyrell all worked together to implant a hacked device into E Corp’s network to spy on the company and hijack FBI phones. We already knew most of the details, but this episode reintroduces a few things from the hack.

First, we actually see when Darlene gives the partially hacked femtocell to Cisco (of the Dark Army).

Figure 2: Darlene hands the hacked femtocell over to the Dark Army (Cisco)

However, in this episode we learn that Cisco gives the device to Irving (who also warns him against getting attached to Darlene), and then Irving proceeds to give the device to Tyrell, who played a part in this hack from his remote cabin in the woods.

Turns out Tyrell wrote the script, which Darlene gets Angela (a non-techie, non-hacker) to run, starting all the malicious programs on the femtocell. We know this based on the screen where we see Tyrell presumably writing the “EnableAttack” script.

Figure 3: Tyrell writing the EnableShell script

If you read the articles linked above, you know Angela ran the command, ./EnableAttack femtopwn WLAN0,WLAN1 (which she had practiced a hundred times in a montage). A quick screenshot from this episode tells us exactly what that EnableAttack command was. Turns out it’s a shell script that contains a number of other scripts for the other parts of the attack:

  • A script to set up the hacked femtocell to man-in-the-middle cell connections (femtopwn_config.sh).
  • A script for the Samsung Knox Android attack Elliot coded up to hijack FBI phones (knox_rce_init.sh), which Tyrell did not know about.
  • What seems to be a script designed to passively explore E Corp’s network (passive_discovery.sh).
  • Some sort of implant script (implant_deploy.sh).

We don’t see enough of this shell script to analyze it completely, but the main take-away is it is technically and syntactically accurate. Pedantic security nerds like me hate when movies and shows use pseudo code, but appreciate when they take the time to incorporate code that’s actually accurate (like my spoiler code above). Granted, most of the script we see is just setting up variables and echoing messages to the user, but it’s all accurate. In fact, it seems pretty clean to me too. Anyway, this is just another example of the level of detail the show goes into. This screen probably only flashed on your TV for a few seconds, but what they showed checks out!

Bad dads hack baby cams (and other Easter eggs)

While that’s pretty much it for any hack-related stuff this episode, there were some other interesting technical elements.

First, during the wood chopping montage, we see Tyrell doing other stuff on his computer while developing the Stage 2 attack. For instance, it looks like he is checking up on Joanna and his baby through a web cam.

Figure 4: Tyrell monitors his baby through a web cam.

We don’t know if he and Joanna openly arranged this, or if he hacked into the camera. However, you should know that these web cams are often very insecure and hackable. For example, there have been creepy incidents in the past where strangers yelled at babies through hacked web cams. More recently, my threat team has found plenty of vulnerabilities in these sorts of online cameras. If you use an IP-connected camera, you should definitely be cognizant of their security issues.

That said, the most fun part about this quick scene is the IP address. If you’ve followed my past articles, you know the show often uses real URLs and IP addresses (among other things) that often contain Easter eggs, or are part of a wider puzzle game the show is running. The IP address in the above shot actually redirects to a domain. If you visit it, you’ll see this:

Figure 5: Mr. Robot’s ARG baby cam site

If you like puzzles, there is more to find on this fake baby cam page, but I won’t reveal all the details. By the way, there’s plenty more to find in this episode. For instance, if you looked closely at my EnableAttack screenshot, you can find another URL for the femtocell’s command and control (C2) channel. I believe this URL was used before, but it points to an interesting 403 page.

While many people enjoy the show without even noticing these little Easter eggs, their inclusion illustrates just how well the show runners understand the tech and hacker community, who tend to enjoy these extra details.

Ironic but awesome Amazon Echo ARG

There might have been one more hack in this episode, and it was a real-life hack involving Amazon Echo products. If you watched closely this week, you probably saw a commercial for the Amazon Echo’s daily 5/9 update. In fact, if you had an Echo close to the TV responding to the “Alexa” name, the commercial may have triggered it.

Echo has already played a prominent role in this series, when we saw Dom talking to hers like a friend. It looks like the show runners have taken advantage of this interesting scene to launch a smart (though ironic) marketing campaign with Amazon. If you’ve followed the Mr. Robot ARG at all, you may have found one of their less hidden sites, my.e-coin.com. This site allows you to sign up for the fictional E-Coin service from E Corp, and the show has organized multiple events where you can use E-coin, or even receive some perks. One of those perks was sending a few lucky winners an Amazon Echo Dot.

Figure 6: E-coin’s perks page

Some ARG players might have wondered why an Echo Dot specifically, and we got our answer this week. Amazon and the show have created an interactive, “choose your own adventure” game for the Echo in the Mr. Robot universe. This isn’t limited to prize winners; anyone with any Echo can play. All you need to do is enable the “skill” on your Echo here. If you want to see how this looks, here’s a quick video:

Like the hidden Easter eggs, participating in this game isn’t necessary to enjoy this show, but it again illustrates how technically astute the show runners are to create these fun, technology-based tie-ins. On the flip side, it is kind of ironic to see a show that rages against commercialization and talks about hacks, create a corporate marketing gimmick using a device that listens to everything we say. Remember when Elliot said, “They’ve packaged our fight into product, turned our dissent into intellectual property, televising our revolution with commercial breaks.”

Other interesting odds ‘n’ ends

That brings us to the end of this episode’s technical analysis, but there were a ton of other interesting and non-tech elements present to enjoy too. Though the Rewind series isn’t about those details, let me quickly point out a few for fun.

  • Did you notice the many references to the movie, The Shining? Besides the credit scroll and the axe, there were also more buried and subtle references too. Irving eventually takes Tyrell to the Fukan hotel. If you Google translate the word “fukan,” you’ll find that it’s Mandarin for “overlooking.” The hotel in The Shining was called the Overlook Hotel.
  • Santiago, Dom’s FBI boss, is Dark Army! While I never mentioned it in my articles (that I can remember), I have theorized this in Reddit posts. This guy was either too stupid to be in the FBI, or actively working against the investigation. We learned it was the latter this episode.
  • Wow! Whiterose and the Dark Army sure have some intense interrogation procedures to ensure loyalty. First Angela and now Tyrell.
  • Speaking of interrogations, during Angela’s interrogation scenes last season, we see her walking past a picture of a person whose face is crossed out in red lines. During this episode, we see Tyrell walk past a similar picture in the Fukan Hotel. I’m not sure about its relevance, but it probably isn’t there by accident.
  • During the wood chopping montage, we see Tyrell researching the UPS hack. He even brings up some documentation that talks about the dangerous chemical reactions that can happen with lead-acid batteries. The show is probably trying to illustrate the “factual accuracy” of these batteries having potentially dangerous reactions. However, as I’ve said before, the explosive effect of these batteries is over-stated. Watch this video to see what I mean. In short, even with a ton of batteries in E Corp’s server room, I don’t think this hack would have ever blown up that building.

There’s probably a hundred other interesting little details from this episode that I haven’t mentioned, so I highly recommend visiting the subReddit where users share their own findings.

Learning from Mr. Robot: Don’t desktop as root

There’s a lot you can learn from this show each week. This week illustrates the dangers of web cams or femtocells, and much more. However, as a main tip, I want to unveil one last small technical detail you may have missed. I’ve already shared a number of screens of Tyrell’s research and Linux scripting. However, did you notice he’s logged into his desktop as ROOT!?

Figure 7: Tyrell loads his desktop as root. DO NOT DO!

One of the smart security features in POSIX systems (and now Windows with UAC) is separating normal, and even administrative, users’ privileges from the highest level of privilege: root (or SYSTEM for Windows). You should almost never log into your computer as root. Rather, you should log in as a normal user, and only elevate to root (via sudo) when you are doing administrative tasks. That way, if an attacker does pwn you, they don’t immediately gain full control of your computer. They would still have to figure out how to elevate their privilege to root. In any case, the fact that Tyrell logs in as root is probably a small technical flub. No self-respecting hacker would do that, other than for some quick configuration.
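The normal-user-plus-sudo rule above, as an added example that is not from the article: POSIX shell audit helpers that flag a root desktop session, any second UID-0 account, and an admin script reached by a direct root login rather than via sudo. The who and passwd samples are constructed.

```shell
#!/bin/sh
# Added example: small audit helpers for the "don't desktop as root" rule.
# They check a session list for a graphical login as root, /etc/passwd for
# extra UID-0 accounts, and whether a script runs as root via sudo or via a
# direct root login. All sample data below is constructed for the example.

# Constructed `who -u`-style output (user, tty, date, time, idle, pid, origin).
SAMPLE_WHO='root     tty7   2017-10-25 20:15 .    1234 (:0)
tyrell   pts/0  2017-10-25 20:20 .    1301 (10.0.0.5)
tyrell   tty2   2017-10-25 20:21 .    1350 (:1)'

# Constructed /etc/passwd excerpt: a second UID-0 account is a red flag.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tyrell:x:1000:1000::/home/tyrell:/bin/bash
backdoor:x:0:0::/root:/bin/sh'

# Print the tty of every root session whose origin is an X display such as (:0),
# i.e. a root desktop session like the one in the screenshot.
root_desktop_sessions() {
    printf '%s\n' "$1" | awk '$1 == "root" && $NF ~ /^\(:[0-9]+\)$/ { print $2 }'
}

# Print every account other than root whose UID is 0.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Guard for admin scripts: $1 is the effective UID, $2 the SUDO_USER value.
# Succeeds for an unprivileged user, or for root reached through sudo;
# fails when the caller simply logged in as root.
elevation_ok() {
    [ "$1" -ne 0 ] && return 0
    [ -n "$2" ]
}

# Run the same checks against the live machine (invoke the script with --live).
audit_live_system() {
    root_desktop_sessions "$(who -u 2>/dev/null)"
    extra_uid0_accounts "$(cat /etc/passwd)"
    elevation_ok "$(id -u)" "${SUDO_USER:-}" || echo "WARNING: direct root login"
}

if [ "${1:-}" = "--live" ]; then audit_live_system; fi
```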

Thanks for joining me for another eventful Mr. Robot hackuracy analysis. Hope you found this week’s article as informative as usual, even without many hacks to explore. As always, I look forward to your comments, theories and feedback below, and don’t forget to join us again for Mr. Robot Rewind next week.
