Mr. Robot Disassembled: eps3.6_fredrick+tanya.chk

Ryan Kazanciyan
Nov 24, 2017 · 5 min read

Hello friend. I’m Ryan Kazanciyan, Technical Consultant for Mr. Robot and Chief Security Architect for Tanium. I’ve been working with Kor Adana — Writer, Producer, and mastermind behind the ARG — and the rest of the Mr. Robot team since the second half of Season 2. Throughout Season 3, I’ll be writing about the hacks depicted in the show, how they came together, and their basis in reality.

Spoiler Alert! This post discusses events from Season 3 Episode 7.

Kor and I are often asked whether we’ve chosen to withhold certain details on the show, in order to avoid providing too much instruction on how to perform illegal, dangerous hacks. The answer has remained “no”. We rarely have time to display more than a few brief moments of these long, complex attacks. And the same tools that malevolent hackers use for evil can likewise be used for good — it’s all about the context.

That being said, I admit to being somewhat flummoxed when Kor first pinged me from the writers room about the events in this episode. “Could someone hack an airplane and make it crash? What would that look like?” I’m glad to say that I didn’t know the answer to that offhand. Over the years, researchers have poked holes in various components of aviation systems ([1], [2], [3]), but many of these attacks have fortunately proven to be somewhat over-hyped or impractical.

We didn’t want this to turn into a bullshit Hollywood hack and invent fictitious malware that could somehow take over a plane. This led me to think about other ways that a terrorist could use hacking to pose a threat to flights or passenger safety. It’s sobering to consider the breadth of potential targets: the TSA, FAA, airports authorities, airlines, and the entire supply chain of equipment and services that they rely upon. We landed (no pun intended) on showing elements that imply an attack against the FAA and its “NextGen” air traffic management system.

This is a frame job, so Trenton and Mobley’s computer screens had to show some incriminating content. I knew nothing about the FAA or NextGen, so I started with the same sort of “passive” research that I used to do in my early days as a penetration tester. I Google’d for publicly-available documentation and found thousands of pages of PDFs containing everything from surprisingly detailed network architecture references (for the benefit of commercial entities that have to interface with these systems), to technology procurement contracts and security audit findings.

Through this effort, I learned that the FAA uses Oracle WebLogic and Apache ActiveMQ technology for some of their systems. I also found some visually-compelling diagrams and maps of the NextGen infrastructure and its components. These elements served as the basis for what’s staged on Trenton and Mobley’s computers.

At the risk of repeating myself — everything depicted in these shots came from publicly-available documentation that was intentionally shared on the Internet by its authors. There’s nothing that explains how to hack the FAA, nor anything that highlights any open vulnerabilities in their specific systems. You could reproduce the same content in a few minutes of online searches.

Let’s start with Trenton’s screen. The “CVE Details” web page shows a listing of vulnerabilities in Oracle WebLogic Server. This implies she was researching exploitable security weaknesses in the various versions of this software.

Trenton’s screen, as shown in the episode

The image at the top-right, “Interfacing with NEMS”, is inspired from FAA diagrams of the National Airspace System Enterprise Messaging Services. Like other government agencies, the FAA loves their acronyms.

The VIM windows in the bottom left and center each contain Python scripts that take advantage of a critical security flaw in Oracle WebLogic: CVE-2015–4852. This is an example of a Java deserialization bug, and rather than attempting to summarize its technical details I’ll defer to this excellent writeup for a much more in depth explanation. So what do these scripts do? “” is a scanner that can quickly discover vulnerable WebLogic servers across an input range of network addresses. “” exploits the same vulnerability to run a user-defined command on a remote system. I’ve linked to the respective GitHub repo’s for each tool.

Original mock-up for “” in VIM
Original mock-up for “” in VIM

The rightmost window contains the output of “searchsploit”, a utility included in Kali Linux that — as the name implies — makes it easy to search for exploits. We see the tail end of a search for “WebLogic”, followed by another search for “ActiveMQ”. This further implies that Trenton was working to attack some of the underlying technologies in use by the FAA.

Original mock-up for “searchsploit” window

On to Mobley’s screen. This consisted of maps and images related to NEMS and other FAA systems. I’ve included one of my original mock-ups below. If you were to compare this to the screen as filmed, you’ll note that the diagrams have some slight changes and the windows are re-arranged.

Taken as a whole, it definitely looks like Trenton and Mobley are up to no good — even if we know better. It’s a sad end for two characters that I’ve truly enjoyed over the years. In fact, one of the first scenes I helped design for the show was last season’s flashback at Rob’s Coffee, where Trenton first meets Mobley and exploits his phone with Stagefright.

Only three episodes left, but there are plenty of hacks still to cover, including one with enough technical complexity to rival the HSM attack. I’m excited to share more with you all over the next few weeks!