The psychological thriller Mr. Robot, which airs on the USA Network, is a fan favorite among cybersecurity professionals. What differentiates the show from its predecessors in the cyber-thriller genre is the depth of technical research involved in developing each episode. I'll plan to dissect each episode from a technical perspective, examining the extent to which the cybersecurity related dimensions are realistic.
In the two-part premier of season 2.0, there are two noteworthy attacks.
The first attack involves the smart home of Susan Jacobs, Evil Corp's General Counsel, getting massively hacked. Attacks of this nature are quite plausible since smart home appliances are often rife with technical vulnerabilities. See for example, the following academic research paper:
More so, even if patches are available for these vulnerabilities, they are often not applied. Aside from that, owners of these devices often fail to configure them securely. For example, they may fail to change the default password. Even if the technologies themselves are bulletproof, it's possible to attack the human element by trying to pilfer the account information and password of the user.
The only stretch in terms of reality is that many home automation systems don't always operate so seamlessly. That said, they are improving over time and I imagine that these kinks will be worked out in the near future.
The second attack involved a piece of malicious software that F-Society deployed within Evil Corp's networks that encrypted all of their critical data. The promise is that for a ransom of $5.9 million (perhaps an allusion to the 5/9 attack from last season), the decryption keys would be provided. This type of attack paradigm is very well known and referred to by the term ransomware - a concept that is over two and a half decades old, but that had a recent surge of interest.
Modern ransomware typically demands payment in bitcoin in exchange for the decryption key. In Mr. Robot, payment was demanded in cash - which is unusual, but certainly very plausible. The main head scratcher in the story is when Evil Corp CTO Scott Knowles first reacted by saying they would find ways to decrypt the data on their own. Any technologist who is well versed in cybersecurity should already know that trying to decrypt this type of data on your own is an exercise in futility.
The other consideration is that large financial institutions tend to be relatively mature when it comes to their cybersecurity capabilities. First, I would imagine that most financial institutions implement some form of network segmentation, so that compromising one network doesn't impact the others. Second, they would appropriately manage their individual systems to make it challenging for a single threat to seamlessly move through their entire network with impunity.
All of the above not withstanding, the attacks mentioned are plausible, although some artistic liberties are taken to fit the made-for-TV genre. If the first episode is any indication, we are in for a scintillating series ahead.
Author: Zulfikar Ramzan
Category: RSA Point of View, Blog Post
Keywords: Mr. Robot