Mr. Robot Disassembled: eps3.0_power-saver-mode.h

Hello friend. I’m Ryan Kazanciyan, Technical Consultant for Mr. Robot and Chief Security Architect for Tanium. I’ve been working with Kor Adana — Writer, Producer, and mastermind behind the ARG — and the rest of the Mr. Robot team since the second half of Season 2. Throughout Season 3, I’ll be writing about the hacks depicted in the show, how they came together, and their basis in reality.

Spoiler Alert! This post discusses events from the first episode of Season 3.

Shall we Play a Game?

The Capture the Flag (CTF) tournament at the hackerspace was the first technical scene that Kor and I designed for Season 3, and a cool opportunity to get Elliot back on keyboard. We wanted to draw from real-world CTF events and incorporate something that was realistic and credible for our infosec-savvy audience, but equally accessible for everyone else.

minesweeper.py

After spending nearly a week researching puzzles from past CTFs, I stumbled on an interesting challenge based on Minesweeper. It’s a terminal-based version of the game that’s fully-functional on the surface, but requires some clever exploit code to recover the “flag” needed to win. It was originally used as a CTF stage during the 29th Chaos Communication Congress in 2012. This event, and the Chaos Computing Club that founded it, are a core part of hacking history and culture (especially in Europe) so I was excited to reference them in the show.

As Kor and I worked through the scene, we agreed that going with Minesweeper seemed like a really good fit. Nearly everyone has played the original game, so it served as a familiar and approachable basis for a hacking challenge. And like any good puzzle, there are many creative ways to solve it. Elliot’s explanation of how to poison the save file, defeat the checksum validation, and inject malicious code to grab the flag is based on actual solutions from winning teams. Credit to Rami Malek for delivering those dense lines of technical jargon without missing a beat.

Since this was going to be filmed as a long take, we needed to prepare several animation sequences that covered various stages of the game and in-progress attempts at solutions. I worked with the original Python script to capture what the minesweeper board and output messages looked like in different states: solved, failed, saved, reloaded, and so on. I also played, and lost, many rounds — I’m terrible at Minesweeper.

Here’s one of the original mock-ups that I built:

There are two instances of the game board on the top left, and part of the solution script (meant to be a work in-progress) in vim on the bottom left. The original source code is on the right, with the cursor on the function call that loads a saved game.

I tend to assemble these sort of dense screens with several open windows so that they look visually interesting from far away, but also provide plenty of material for multiple single-window close-ups. (They also reflect the sort of cluttered mess that is my own desktop).

This ended up being very close to what was produced and filmed, although in this particular scene, the camera movement unfortunately doesn’t provide a clear shot of the monitors. You can catch still a few glimpses as Elliot approaches and speaks with the two CTF players that are stuck on this game.

Hijacking the Dark Army’s Backdoor

While the hackerspace crowd celebrates winning the tournament, Elliot can focus on the real task at hand: shutting down the backdoor that provides the Dark Army with direct access to the UPS management system in E-Corp’s paper-records facility in New York. He is working on borrowed hardware and borrowed time. He has no access to Evil Corp’s internal network or any Dark Army systems. He needs to quickly cut off their ability to use the backdoor, while ensuring they don’t have an opportunity to detect and stop his efforts before it’s too late.

After talking through the available options, Kor and I set down the path of having Elliot perform a domain takeover compromise.

For viewers and readers that might not be familiar with some of these technical concepts, I’ll provide a bit of background. Most backdoor malware periodically communicates with a server to provide status, receive updates, or give an operator the ability to issue commands. This communications heartbeat is called “beaconing”; when an operator or system responds by taking control or issuing commands, it’s known as “command and control” or “C2”.

How does the backdoor know where to send its beacon or C2 traffic? If an attacker hard-codes an IP address when creating and deploying the malware, it may be difficult to change that setting later on. C2 server goes down? IP gets detected and blocked on the victim’s network? You might be out of luck and unable to reach your infected system to fix things. Using domain names provides greater flexibility: they can be updated to resolve to a new IP address, which might be served up from any location, without needing direct access to the malware itself.

The downside to this approach is that it adds another point of failure: the registrar business responsible for maintaining the name records, and the hierarchical system of DNS servers that resolve domains to IPs. If you gain access to the user account that has administrator access for a set of domains — or worse, to the registrar’s entire web-based management interface — you can take control of these addresses. Among many configuration changes, you can then ensure that traffic originally intended for those domains ends up going to an IP address under your control.

And that’s how Elliot pulls off the domain takeover hack. Kor and I streamlined the timing and complexity of it all, but the underlying technique has played out in many real-world incidents. And yes, even some of the most sophisticated attacker groups use legitimate registrar services for their command-and-control domains.

The pace of the scene unfortunately didn’t afford much on-screen time to show how Elliot actually compromises the registrar in the first place. In my head, I reasoned that he found a basic web application vulnerability, like SQL injection or a poorly-secured administration interface, that was hackable straight from a browser. Again, plenty of real-world precedent for that. But you do see a few glimpses of the attack’s aftermath, shortly after Elliot has successfully logged in and tampered with the domain settings.

I wanted to base these screens on a real Chinese registrar — not just to nail the look-and-feel of the management panels, but also to get some contextually accurate language used to label the user interface. After a long evening of frustrating searches and copious use of Google Translate, I struck gold: a registrar with a publicly-available demo site that allows visitors to log on to a test account and explore their domain administration tools.

I worked through the pages relevant to reconfiguring domain name settings, and assembled a set of reference screenshots like the one above. These served as basis of the design for the fictitious registrar site that you see in the background when Elliot regains access to the backdoor.

Once the domain takeover is complete, the backdoor’s next automated attempt to connect back to its C2 server leads it to an an IP address under Elliot’s control. Success! He’s back on the UPS management system.

We previously saw this backdoor in use back in Season 2, Episode 12: it’s a publicly-available Perl reverse shell called “rwwwshell” that simply provides remote command-line access to an infected system.

Tech-savvy viewers might observe that “rwwwshell” is not the most interesting or contemporary example of covert backdoor malware. True, but we can presume that the victim host might be an old or bare-bones *nix distribution that lacks key dependencies needed for something more sophisticated.

Elliot quickly types a `shred` command to wipe out the backdoor script, and drops the connection, thereby eradicating the Dark Army’s foothold.

Hacking Cars the Old-Fashioned Way
(Updated 10/15/17)

Earlier last week, Kor and I hosted a Reddit AMA in which someone asked about how we avoid “hollywood hacker bullshit”. The FBI / Irving car pursuit is a great example of a scene where, in any other show, an imperiled hacker might pull out a laptop with a magical set of pre-loaded tools that can stop any vehicle in its tracks. (And if the situation is fast and furious, they might conjure up a botnet of attacking zombie cars.) We had to keep it real…but how?

There have been a few examples of remotely exploitable car hacks — but within very sets of conditions, and only affecting a few specific makes and models. Metasploit for cars doesn’t exist yet. So as Kor and I pitched ideas for the scene, I realized I didn’t want this attack to depend on traditional hacking tools at all. That led to researching the different ways that telematics systems can control a vehicle — and ultimately yielded Irving use of social-engineering against an OnStar-like service to initiate a “stolen vehicle slow-down”.

Russel Brandom at The Verge picked up on some key elements that we included in the scene; for instance, flashing the hazard lights so that the requesting officer confirms they’re about to halt the right car. That detail, along with other steps that Irving followed, came from a “best practices” document for public safety officials that I stumbled upon after a long night of hunting for reference material.

Old-school social engineering, supported by just the right types of domain knowledge and information, delivered without missing a beat. Exactly the type of hacking you might expect from someone like Irving.