Mr. Robot eps2.6succ3ss0r.p12 – the security review

We’re about halfway through season 2 of Mr. Robot now. Depending on how much you’ve been enjoying things so far, you’re either thinking “Already halfway?” or “Only halfway?”

I’m firmly in the “Already” camp, and based on how things have progressed so far I’m intensely curious about how certain plot lines are going to turn out. (Though I’m sure Sam Esmail and team have it all planned out in agonizing detail.)

But not unlike downloading internet content on a mid-90s modem, we’re going to have to wait patiently for things to resolve so we can see the big picture.

In the meantime, let’s talk about this week’s episode and its security concepts.


A hacker cat-and-mouse game

In tonight’s episode we got to see how fsociety’s Mobley and Trenton met for the first time – in a coffee house, playing a cat-and-mouse game, though the mouse might not have realized he was one.

Trenton used a bit of social engineering on Mobley – he didn’t suspect she might also be a fellow blackhat – to innocuously ask what kind of phone Mobley used, and he was only too happy to divulge. Trenton even got Mobley to visit a specific website, one that she presumably owned and whose incoming traffic she could monitor.

Target’s operating system: Check.
Target’s IP address: Check.
That’s pretty much all the information she needed.

All the while they were chatting, we see Trenton’s laptop running in promiscuous mode, sniffing the local cafe’s Wi-Fi traffic with a listener script.

Once Mobley visits her website from his phone, she’s able to quickly obtain his IP address and filter the traffic accordingly. And given that Mobley already told Trenton that he’s a big Android fan, Trenton relies on her knowledge of active Android vulnerabilities and makes an educated guess that his phone was, at the time, vulnerable to Stagefright.

It seems she was right, as she was pretty close to her end goal, rooting Mobley’s phone, when Darlene conveniently interrupted the attack in progress. Lucky for Mobley, his phone was safe for the moment. But hopefully this experience helped him realize that he fell for social engineering tactics a little too easily.

“We’re burnt.”

We don’t see it for more than a few seconds, but the messaging app Mobley and Trenton use to quickly relay updates is Wickr, a secure messaging app that takes user privacy quite seriously. The app uses end-to-end encryption and has a number of features for even the most paranoid of users, including self-destructing messages, which we saw both Mobley and Trenton use.

Wickr has a stronger track record than many apps of guarding user privacy and disclosing federal requests for information access. So Wickr is a smart choice, but it’s not 100% without risk. (Is there anything that is?)

Still, it’s certainly much more private than plain old text messaging, at least.

The walls had ears

A key plot point in this episode was fsociety eavesdropping on a confidential FBI conference call. (Presumably they were able to grab the conference call dial-in information from their earlier Femtocell/in-office hack.) While listening in on a conference call isn’t itself a high-tech hack, it can have major security implications.

After all, most conference calling systems are open and easy to access by necessity, so they can be a weak link. All you usually need to gain access is a phone number and call PIN. And most of the time, there’s no way for the legitimate call attendees to know that someone is listening in on a muted line.

If this sounds a bit too easy or far-fetched, sadly it’s not. In fact, just a few years ago it actually happened to the FBI and Scotland Yard. Hackers obtained the call dial-in information, listened in on a call between the two agencies, and recorded the entire call.

Minor notes

  • It was amusing to see fsociety, which is so on-the-ball with its technical prowess, so utterly fail at basic physical security when Susan Jacobs waltzes back in to her fsociety-occupied home, right in the middle of the group’s shadowy operations. It seems they were so caught up with what they were doing that they forgot to monitor where she was. (I realize it was crucial for the plot but it still struck me as a bit funny somehow.)
  • “Or, what about this?” Trenton walking out of Susan’s office with Susan’s post-it note of her username and password was a brilliant counterpoint to the rest of fsociety trying to come up with technical solutions to obtaining her credentials. The easiest path was the correct one in this case. Sadly, Trenton knew that most people don’t follow good password hygiene and often keep credentials in plain sight, i.e. on the ubiquitous under-the-keyboard post-it note.

While we didn’t see Elliot this week, fsociety certainly kept us on our toes (and/or tied up near a swimming pool).

Did you see this week’s episode? What did you think?

Image courtesy of USA Network.