With Rami Malek, Christian Slater and the cast back for season three of ‘Mr. Robot,’ we spoke to cybersecurity specialists about what makes this show so impressively realistic in its portrayal of hacking culture.
It’s sadly too easy to rattle off the many ways Hollywood has watered down cybersecurity and hacking scenes in films and shows over the past two decades: Swordfish, Live Free and Die Hard, CSI: Cyber, The Net… I could go on and on. But it’s been difficult to name films or shows that accurately depicted cybersecurity threats, the defense against those attacks and the programming languages used by the pros…until Mr. Robot came along in 2015.
The series follows Elliot (Rami Malek), a hacker and programmer whose gang of fellow counterculture misfits aim to attack the online defenses of E Corp, a massive conglomerate resembling Google or Microsoft. Rami and his hacking crew, fsociety, aim to launch a socialist revolution by wiping out all of E Corp’s data, eliminating all record of debt and freeing the masses from oppressive capitalism.
In case you’re catching up on the show, I won’t give away too much. Instead I’ll stress how this show has been lauded for its on-point portrayals of online threats, strategies to exploit company vulnerabilities, and the cybersecurity community.
From DDoS attacks to USB-stick exploits to rooting through the Dark Web, Mr. Robot’s references resonate with audiences comfortable in the cybersecurity space.
Don’t take it from me. I spoke with three cybersecurity insiders who revealed why Mr. Robot is must-see TV for anyone involved in their industry.
“I really enjoy seeing elements of realism in a show about hackers,” says Jacob Wilder, a systems security analyst at the Maryland cybersecurity startup Enveil. “Despite the fact that they’re not always used quite right, many of the commands and tools are real.” He adds that the series is a big leap over most other TV shows and films which costar fake user interfaces and incoherent lines of text to represent hacking.
Wilder goes on to explain that Mr. Robot’s on-screen commands in terminals really exist. “SSH is used for remote connections, radare2 is used to decompile software, and bluesniff is for hacking into a laptop via its Bluetooth connection,” he adds.
When I ask Sandeep Lota, the senior cybersecurity engineer at ForeScout Technologies in Calgary, Canada, about the TV shows with hacking or e-security scenes, he quickly replies, “I don’t watch CSI: Cyber, because within the first five minutes I want to throw my remote at the screen because it’s all BS.”
But he admires Mr. Robot not only for the real-life programming languages and command lines but also how some plot points get to the heart of breaking into online infrastructure. Sometimes it’s not about the hours spent in a basement pounding on the keyboard and infiltrating past a company’s defenses; sometimes it’s about human error.
“You’re only as strong as your weakest link,” Lota tells me in an interview. He points to the critical scene in the sixth episode of Season 1 when the fsociety hackers leave USB sticks on the ground of a prison parking lot, hoping staffers will pick them up and insert them into computers so that fsociety can use an exploit on the sticks to access the network’s data. As expected, one of the prison guards does exactly that (before antivirus software stops him), but the idea is ripped straight from real-life complacency.
A 2016 study found that 45% of USB drives researchers dropped on a university campus were picked up and had at least one file opened.
Lota says the drives might enable a pop-up ad to appear on-screen, and when the annoyed user clicks the X to close it, that X might actually be a command to run a program behind the scenes and install malicious software. When Lota conducts the drives-on-the-ground test at companies he’s worked with over his past 25 years in IT, with the drives labeled Staff Salary Information to further entice them, more than 75% of employees pop the drive into their work computer.
As Mr. Robot’s hackers prove, Lota says a major firm “can spend $10 million on cybersecurity and firewalls, but all it takes is one clueless staffer to be that weak link.”
Enveil’s Wilder also credited that USB-drive scene as particularly memorable. “I think the consequences that follow from individual, human security failings in the show can drive home how important it is to practice basic security hygiene far better than the vague warnings found in a lot of corporate security education.”
What’s also critical to understand is Mr. Robot’s character development in fleshing out Elliot as a “white-hat hacker,” aka an ethical hacker. Especially in season one, we see Elliot taking down pedophiles and murderers via his online breaches. This type of righteous outlook riffs off what we’ve seen in the past decade, such as hacker collectives taking down the sites of the hate-mongering Westboro Baptist Church and the Nazi-friendly Daily Stormer.
This new angle of superheroism among hacking societies isn’t often revealed so deeply in Hollywood, and rarely does the writing get into the weeds of how the many vulnerabilities are exploited. Mr. Robot, developed by longtime IT analyst Sam Esmail, wants to expose the exposable, and it does so impressively.
In the first season, when Elliot hacks a cellphone, he turns to the Linux distribution Kali, which is available today. Filip Chytry, a threat intelligence director at antivirus software firm Avast, explains how Kali works: Often used for penetration testing, Kali can be used to plant code on a device, but the user would have to connect to a fake Wi-Fi hotspot the attacker would set up.
“Once you’re in, you can find out that phone’s vulnerabilities,” he points out.
Chytry echoes the other cybersecurity specialists when he says Mr. Robot seamlessly adds real code on their terminals, “unlike The Matrix, which had Neo typing stuff that isn’t real onto a monitor,” he notes.
When I ask the interviewees what Mr. Robot gets wrong, Wilder says not every piece of code is exactly lined up with the intention. Chytry stresses that some hacks and downloads take seconds in the show, while they would take hours in reality. But so it goes with a show that has to wrap up multiple story threads within an hour.
Wilder reiterates, though, that Mr. Robot doesn’t need to tweak anything for the upcoming season, at least from a cybersecurity perspective. He says, “The writers have done a really good job of using hacking and computer security as a setting, backdrop and tool for the story they want to tell.”