Mr. Robot Disassembled: eps3.1_undo.gz

Hello friend. I’m Ryan Kazanciyan, Technical Consultant for Mr. Robot and Chief Security Architect for Tanium. I’ve been working with Kor Adana — Writer, Producer, and mastermind behind the ARG — and the rest of the Mr. Robot team since the second half of Season 2. Throughout Season 3, I’ll be writing about the hacks depicted in the show, how they came together, and their basis in reality.

Spoiler Alert! This post discusses events from the second episode of Season 3.


The first eight minutes of “eps3.1_undo.gz” feature more shots of security and hacking tools than you’ll find in the entirety of most TV series or films. The last five minutes showcase a bleeding-edge, covert attack based on real-world research and hardware. This episode is full of easter eggs and eye-candy for technologists and infosec practitioners, and has some of my favorite sequences in the entire season.

Social Engineering, Revisited

As Elliot navigates the hierarchy of incompetent and corrupt managers at E Corp, he uses a variety of tools and techniques to steal passwords and get access to their e-mails. (His job title might be a security analyst, but that doesn’t mean he’s granted unfettered access to all systems and users.) One of these attacks features a a blink-and-you’ll-miss-it shot of Dave Kennedy’s Social Engineering Toolkit (SET). SET is a swiss-army knife, and the show has featured its different capabilities several times in the past. Darlene uses it to build a USB-based ransomware payload that Mobley delivers to Bank of E in Season 2 Episode 1; it’s also used to carry out an SMS spoofing attack in Season 1 Episode 5.

Here’s the original mock-up from what I staged in my lab VMs:

Original mock-up — Social Engineering Toolkit (SET) configured to host a fake Outlook Web Access page

Let’s break down how this attack works. Elliot uses SET to host a fake version of the E Corp Outlook Web Access (OWA) portal. This is a common phishing tactic (for example, used by the Syrian Electronic Army back in 2014). If an attacker can convince victims to supply their usernames and passwords to a cloned version of the real web site, they can compromise those accounts without the need to deliver malware or any other payloads. Many users will ignore browser warnings and willingly submit their username and password to a site that looks legitimate.

A quick shot of the command line shows Elliot reviewing the output of the “harvester” log file that contains the stolen credentials.

root@kali:/var/www/html# tail harvester_2015–08–26\ 17\:21\:11.781065.txt

which outputs the OWA username and password captured by SET:

Array
(
[destination] => https://webmail.e-corp-usa.com/OWA/
[flags] => 0
[forcedownlevel] => 0
[trusted] => 0
[username] => william.braddock@e-corp-usa.com
[password] => aboynamedg00
[isUtf8] => 1
)

Disrupting the Stage 2 Attack

As an E Corp employee, Elliot needs to take advantage of his legitimate access to the network to hinder the Dark Army’s ability to proceed with Stage 2. Kor and I drafted a slew of steps that Elliot might take to secure the environment and set up roadblocks. Inevitably, some of the details fell to the cutting room floor. For instance, Elliot’s voiceover describes how he hacked E Shipping, redirecting shipments of the paper records while tampering with the manifests, in an effort to buy himself more time. We originally planned to show a few steps of a SQL injection attack against the system’s web-based management interface. This ultimately got dropped for time — though I’m glad to make that tradeoff for the great scenes of hapless Earl in Sioux Falls.

Fortunately, lots of fun technical content still made the cut. Aside from obvious steps like hardening the network and isolating sensitive systems, Elliot needs to fix the underlying vulnerability that allows the UPS to run malicious code in the first place. One approach is to patch the software responsible for updating and loading firmware such that it enforces a digital signature check. Simply put, this is a mechanism to validate that software is known-good. Any firmware loaded onto the UPS would have to match a cryptographic value that can only be produced by E Corp.

Deploying the Patch

I try to keep my work with “Mr. Robot” largely independent of my day job at Tanium. Nevertheless, I couldn’t resist the opportunity to include our software among the many other commercial and open source tools woven into technical scenes throughout the season. I was happy to find a spot where it was a natural fit, and Kor and team were supportive of its inclusion.

For those unfamiliar with Tanium — it’s an enterprise security and systems management platform that covers a wide range of use-cases: collecting information from servers and workstations, detecting and responding to attacks, deploying patches and software, and enforcing secure configurations. In this scene, Elliot uses Tanium to deploy his firmware patch.

The screenshot below comes from one of my virtual machines and, aside from a few minor edits, closely matches what is shown on-screen:

Tanium console deploying a package to install the UPS firmware patch

The “Files” section in the lower-right corner indicates that the patch package is comprised of “.bin” firmware files (matching the naming convention shown in prior episodes — consistency is important!), along with a shell script that would presumably invoke the upgrade process. The “Target Group” section basically defines that any system with a specific firmware version (“640.0.0”) would be in-scope for the patch.

Firmware Analysis, Update, and Verification

During the final episode of Season 2, we saw Tyrell working on the malicious UPS firmware using the open-source tools “radare2” and “binwalk”. (I previously blogged about designing this scene last year). I had hoped to incorporate more binary analysis and reverse engineering into future episodes, so I chose the firmware patching sequence in “eps3.1_undo.gz” as an opportunity to include a shot of IDA Pro — one of the most popular tools in this field.

Disassembly for the UPS firmware update in IDA Pro

This depicts the IDA disassembly for a firmware installer that Elliot has patched with a digital signature verification check. The main window shows IDA’s flow chart interface, which essentially breaks the code into function blocks; the arrows represent the different paths of execution that can occur. The larger function references a string that hints at its purpose: “signature check failed, update halted”.

Next, we cut to Elliot reviewing at a log file that shows the results of the UPS firmware update. The log entries record the update tool authenticating to the device, sending the firmware via FTP (embedded devices often don’t support secure protocols!), initiating a restart, and confirming that the new software successfully installed. The text we used is based on the firmware update process from an actual UPS device.

09/28/15: 10:51:21 xxx.xxx.xxx.xxx: Pinging (via ICMP) device
09/28/15: 10:51:21 xxx.xxx.xxx.xxx: Device connection passed
09/28/15: 10:51:22 xxx.xxx.xxx.xxx: Testing FTP Log-in
09/28/15: 10:51:25 xxx.xxx.xxx.xxx: FTP Log-in passed
09/28/15: 10:51:26 xxx.xxx.xxx.xxx: Saving data file
09/28/15: 10:51:37 xxx.xxx.xxx.xxx: OS Prior to firmware transfer: Network Management Card OS v6.4.0
09/28/15: 10:51:44 xxx.xxx.xxx.xxx: Saving event & configuration files
09/28/15: 10:51:49 xxx.xxx.xxx.xxx: Transferring firmware file (1/1)
09/28/15: 10:53:21 xxx.xxx.xxx.xxx: Attempting connection to verify restart
09/28/15: 10:53:29 xxx.xxx.xxx.xxx: Device(s) successfully upgraded

Finally, we see Elliot working in the UPS device’s management interface, which features a terminal prompt labeled “ups>”. The selection of commands and their respective output were once again inspired by real-world hardware. Elliot runs “cfgpower -all” to check the current transfer voltage settings, and “upsfwupdate -lastresult” to check the status of the last firmware update.

Working with the UPS management interface

Hacked, and hacked-back

In the closing minutes of the episode, we see Elliot sit at his computer…and quickly realize that something feels wrong. Has he been compromised? He reboots into a Kali Linux live CD to work from a known-clean operating system, and runs the following commands:

mount —�-rbind /sys /mnt/sys
mount —�- rbind /dev /mnt/dev
chroot /mnt /bin/bash
rkhunter —�-check

rkhunter” is an open source tool that scans a Linux system for rootkits. Since Elliot has booted into a live CD, he first needs to mount a few paths from his host machine’s OS (i.e. the one he suspects is infected), and “chroot” to effectively change the running environment for subsequent commands. This ensures that “rkhunter” scans the host system’s files, rather than those on the live boot image.

Original mock-up — Elliot uses“rkhunter” to scan his system for rootkits

We then cut to Dom, whose computer displays a view of Elliot’s screen. This isn’t just a single window — it’s the entire contents of his screen, periodically updated as a receiver script running in a Cygwin window logs the receipt of a new PNG file every few seconds.

Original mock-up: Dom’s FBI system running a Python script (in Cygwin) that’s receiving images from the remote implant in Elliot’s monitor

So how did the FBI gain remote access to Elliot’s system? Kor and I realized that we needed to show an advanced, bleeding-edge hack for this scene. The odds of Elliot eventually discovering a rootkit, or other form of persistent backdoor malware, on any of his operating systems are high. But a hardware-layer implant would be much harder to detect.

As a few viewers have already discovered, this is inspired by “Monitor Darkly”, first presented at DEF CON 24 in 2016. The researchers discovered vulnerabilities in the display controller firmware used in millions of LCD monitors. Given access to the HDMI or USB ports, this attack can capture — or even manipulate — whatever is displayed on screen. Since this purely targets the monitor hardware, it leaves no traces behind on whatever computer might be connected.

This is one of the few examples of a tool or technique that post-dates the episode’s time period. In this case, we decided that it was reasonable to assume that the FBI or intelligence agencies might have discovered the same underlying vulnerability beforehand, and had the resources to build tools and processes to operationalize and extend its capabilities for the field.

In the original research, Monitor Darkly used a USB Armory device — essentially a small computer the size of a flash drive. If paired with a cellular modem and the right hardware interfaces, you could have a covert implant device that is small enough to be hidden inside the chassis of a monitor, and capable of periodically transmitting a snapshot of screen contents to a remote listening server.

Of course, Elliot still discovers that something is amiss. He writes a fake e-mail containing a URL and successfully baits the FBI into following it, thereby confirming that he’s being watched. We’ll see the aftermath of this in future episodes…