Mr. Robot eps3.2_legacy.so – the security review

We’re going back… all the way back to the Five/Nine hack.

Here’s something to get us properly in the mood, as often seen via the very-necessary closed captions for this show:

(brooding music)

There.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON


The Attribution Trap

Since this episode mainly filled in the blanks on what happened to Tyrell for most of season 2 when he was curiously off-screen, there’s not a lot from a technical point of view to cover here. One theme that runs throughout this episode is that seemingly everyone surrounding fsociety was, in fact, explicitly working for Dark Army.

Cisco, Darlene’s networkingly-named boyfriend who she gave the femtocell to modify? He handed it over to Dark Army.

Tyrell? Writing Android malware for Dark Army.

Dom’s boss in the FBI? Getting his hands very bloody for Dark Army.

Leon, Elliot’s sitcom-loving buddy? Informing for Dark Army.

Keeping that in mind, we have more evidence than ever that the massive Five/Nine hack that is fsociety’s claim to fame was, in fact, facilitated behind the scenes entirely by Dark Army – one could even argue that they were solely responsible, not fsociety (but I’ll let you debate that in the comments).

Still, the revelations in this episode underline an important tenet in the murky world of cybercrime: Attribution is hard, a lot harder than people realize.

It’s tempting to want an open-and-shut case when a crime happens. It’s satisfying to point the finger at someone definitively to try to get closure when a hack occurs, but the uncomfortable reality is that correctly identifying the source of an attack can be nigh-impossible.

The reason is simple: It’s easy for skilled hackers to cover their tracks or completely misdirect.

Sometimes a group will take credit for an action they didn’t take, sometimes an attack is unleashed that’s (arguably) not even ready to be deployed, and sometimes – as we saw in this episode – it’s not even clear to the criminal actors involved in an attack who’s really pulling the strings.

This is why many in the information security field are skeptical of attribution claims when a big hack or malware attack occurs, and often why cybersecurity experts push back on legislative proposals for actions (like hack-backs) that hinge on attribution – it’s frighteningly easy to get attribution wrong.

Other notes

  • Seems to be a recurring theme, but we saw a decent amount of social engineering in this episode. Notably, Irving, our favorite social engineering car salesman from episode one this season, got Tyrell to trust him thanks to a tacky coffee cup and a well-told lie about fictional kids. He’s so good at his job it’s easy to forget how dangerous he is.
  • Very briefly we saw the name of the malware Tyrell wrote for the femtocell (which was the star of the show in season 2): android_knox_exploit.rb – likely this was malware targeting the vulnerable KNOX platform in certain models of Samsung Android phones.
  • We got two brief glimpses of Tyrell engaging in some good ol’ fashioned network mapping (of E-Corp infrastructure no doubt). They were probably the neatest hand-drawn network maps I’ve ever seen, though given how meticulous his character is I’m not surprised. I wonder if we’ll see the digital version he made later pop up again this season.
  • The web-enabled baby monitor Tyrell was using to see his child, was he viewing it through the OEM web portal or did he hack into it? Anyone catch that detail?