Mr. Robot eps3.6_fredrick+tanya.chk – the security review

Last week’s episode may have left us with a cliffhanger, but this week’s episode tied up a big loose end from last season… though not in the way I imagine any of us wanted.

Darn you, Sam Esmail!


Dark Army hacks planes to go down, not sideways

At the end of the episode, we see the Dark Army agents (very sadly) use Mobley and Trenton as pawns in their greater scheme for their next attack – creating malware that targets major air traffic control systems in huge US metro areas to simultaneously crash airplanes.

The idea of hacking planes isn’t new, though it has been relegated to the realm of the theoretical or extremely unfeasible until the last few years.

Two years ago, researcher Chris Roberts claimed to have successfully hacked a plane on which he was a passenger by messing with the in-flight Wi-Fi.

Roberts tweeted that he was able to play with the oxygen mask deployment protocols, and according to the FBI, even said – to much disbelief – that he was able to make the plane briefly fly sideways by messing with the engines.

Around that same time in 2015, the US Government Accountability Office (GAO) released extensive reports about airplane and air traffic security, leading to rather wild headlines such as “hackers could bring down [planes] using passenger Wi-Fi”, a claim that we felt rather misrepresented the points that the GAO was trying to make.

With this background, it’s not a surprise to see plane hacking come up in the Mr. Robot story now as a real attack vector used by the Dark Army.

I should add that this week’s episode is particularly topical, because just a week ago the Department of Homeland Security claimed that it had remotely hacked a plane in a controlled experiment. (They didn’t share how it was done, or even what was hacked – I imagine they don’t want anyone else to give it a shot.)

Other notes

  • It was a nice touch to see Trenton messing with the bike lock around her wrists. Lockpicking – ahem, I mean locksport – is a cool part of hacker culture, practised as a surprisingly relaxing hobby by many security researchers. I’ve attended many hacker conventions, from the big ones like DEF CON to small local BSides chapters, that have a lockpick village or a lockpick table where you can try out lockpicking for the first time, brush up on skills, or help teach others. Granted, cheap bike cable locks are no more than half a step up in complexity from a child’s diary lock, and we didn’t see Trenton do anything more sophisticated than messing with the numbers until she felt the lock tumblers set in place, but it was still nice to see.
  • I chuckled when Elliot’s therapist, Krista, got yelled at about potentially violating HIPAA regulations. We hear about HIPAA a lot in the professional information security world, as keeping patient data safe is a legal and ethical concern for so many organizations. It’s easy to forget that organizations outside the world of computer security have to comply with HIPAA regulations as well, so it was interesting to hear about it in a non-security context.

As always, I’d love to hear your thoughts on this week’s episode.

Are you alarmed about Angela’s suddenly very fragile state of mind?

I’m hoping Dom is the one person who manages to unravel Whiterose’s whole plan, but it’s not looking likely at all.

How about you – does Mr. Robot (the show, not the character) have you rooting for the Feds, or are you Team Hacker no matter what?