Mr. Robot season 2 finale eps2.9_pyth0n-pt2.p7z – the security review

We made it, folks. The end of season 2. And I’m as confused as you are.


There was really only one mention of anything tech or security related in this episode, so since that’s our angle, let’s take a deeper look. As always, I look forward to hearing your take in the comments.

“Explosive” infrastructure hacking

While the finale, in its very Mr. Robot-y way, left us with a number of cliffhangers and more questions than ever, we did (presumably) find out what the oft-mentioned “phase 2” entails.

With ECorp circling their wagons after the massive 5/9 hack, they’re bringing all paper backups of crucial documents – like trusts and deeds – into one central, locked-down location in New York for safekeeping. To take out this paper cache, Mr. Robot and Tyrell figure it’s time to hack it the old-fashioned way: with fire.

Specifically, the plan was (and perhaps still is) to get malware into the machines controlling the building’s backup power as well as its environmental controls. It’s a bit of a Rube Goldberg machine in terms of all the steps they’re going to take and are presuming will work: overriding the safeties and overloading the internal UPS, breaking and overriding the controls for the ventilation fans and shutting down the fan backups – all in a specific order, so that a large amount of hydrogen builds up inside the building with no ventilation, and is then ignited by the overloaded batteries. (N.B.: I didn’t catch every step verbatim, and I’m sure I’ve missed a step somewhere, but this is the gist.)

If everything goes off without a hitch, it will be a big explosion, the building will be leveled, and the paper cache is lost.

The show went a bit light on the details here, but basically, to make all these bits of hardware misbehave, Elliot needs to replace their firmware with malicious versions, delivered by malware that apparently he has already created.

Thanks to Tyrell having the building’s blueprints on hand, Elliot presumably knows exactly what kind of infrastructure firmware he’ll need to attack and can target his work accordingly.

Still, there are a lot of “ifs” in this whole scenario.

While nothing like this has ever come close to happening – yet – it does still have the whiff of plausibility. As we saw with the Smart Home hacked earlier this season, everything from a residential HVAC system all the way up to public utilities like water treatment plants can be vulnerable to attack.

You might remember an infamous quote that came up earlier this season, directly from former Defense Secretary Leon Panetta, one about a “cyber Pearl Harbor.” It was derided by some in the security industry as fear-mongering, but many others thought he was right to call attention to the alarmingly poor state of infrastructure cybersecurity back in 2012. Naked Security thought the metaphor didn’t help; as our own Lisa Vaas said at the time: “SCADA threats are real. They could, indeed, result in a body count. But let’s keep the rhetoric sane.”

Whether or not his statement was FUD, it, combined with the Stuxnet worm discovered a few years prior, certainly got people paying more attention to how truly vulnerable critical systems were and, depending on who you ask, still are. (And of course, those who might use these vulnerabilities to their advantage in an attack paid even more attention, too.)

In fact, at Defcon 23 there was an ICS (industrial control systems) village that focused specifically on securing these infrastructure systems, like power grids and water sanitation. As many of these crucial systems are updated and modernized, security is too often the last thing on the agenda, if it is on there at all. As a result, a shocking number of these systems could be found openly reachable on the internet without even basic password protection.

So if that’s the case, why haven’t we seen a massive attack on critical infrastructure systems yet, or at least something on the scale of what Tyrell and Mr. Robot have planned?

For one thing, attacks that have successfully targeted hardware to cause physical destruction are sophisticated and extremely rare: Stuxnet and the German steel mill hack are really the only examples that come to mind. (Oh, and perhaps a fried laptop, for good measure.)

Where things stand today, the destructive potential of a hack still doesn’t seem to rival the more gruesome, direct methods that terrorist groups favor; building a bomb is easier.

But as more systems go online and hacking tools and techniques become more sophisticated, that may change. Especially if you have a hacker like Elliot in your back pocket.

Given the flickering lights we’ve been seeing and the massive blackout at the end of the episode, I have a feeling infrastructure hacking may play some kind of role in the plot of season 3 as well.

But I’m curious to hear your take. What do you think we’ll see in season 3? Do you think the “phase 2” hack has any chance of succeeding or is it too far-fetched? Let us know in the comments.

Image courtesy of USA Network.