Mr. Robot eps3.7_dont-delete-me.ko – the security review

You can tell we’re nearing the end of the season – this episode was a deep breath before we plunge into the finale.

Not much to talk about on the tech and security front this time, just the one thing we’ll explore below. To fully recreate the mood from this episode, fire up the Bill & Ted’s Excellent Adventure original soundtrack and we’ll head Back To The Future for more analysis.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON


“Don’t delete me”

I was despairing a little that I wouldn’t have anything to write about for this week as the episode went on. Thankfully, right at the end of the episode, the briefest glimpse of Trenton’s last email to Elliot gives us something to examine. My sincere thanks to the many fast screencappers out there who were able to catch Trenton’s email (sent to and from Protonmail accounts, a service well-loved by Five/Nine).

Let’s take a look piece by piece:

I may have found a way to undo the hack. I’ve been investigating Romero. He installed hardware keyloggers on all the machines at the arcade some time before five/nine.

Remember Romero, the older phone-phreaker member of Five/Nine, who we parted ways with at the beginning of season two? He had a few things up his sleeve, and by installing keyloggers on the arcade machines he would theoretically be able to keep an easy eye on anything people typed on those machines. Software keyloggers, often paired with malware, usually “call home” somewhere with the information they gather. Romero, however, installed hardware-based keyloggers – as the name implies, they are plugged into the computer itself somewhere, and are designed to be part of, or look like, normal hardware or peripherals.

Hardware keyloggers sit between the target computer and its peripherals, quietly logging everything that passes through them, which lets them snoop undetected by the victim machine. Given Romero’s nifty booby-trapped hardware hacks, which we saw explode back in season 2, it’s not surprising that his hardware keylogger was subtle enough to fool even the Five/Nine team for a good while.

The NYPD imaged all of his data after he was murdered. I was able to get this chain of custody document from the NYPD when they prepared to transfer the evidence to the FBI.

“Imaged,” meaning they made a direct copy of all the contents of his hard drive (the disk image).

They couldn’t get into the encrypted keylogger containers.

Romero had grabbed the keylogger data from his nifty hardware keyloggers and regularly dumped that data onto his hard drive. The keylogged data itself was encrypted (I would presume his hard drive was too).

If Romero somehow got a hold of the keys, or even the seed data and source code for the encryption tools, the answer might be in those keylogger captures, but the FBI probably has those files now.

The keys Trenton’s referring to here are the keys needed to decrypt the keylogger data. The next bit, about the seed data and source code, means Trenton thinks there’s a way to potentially reverse-engineer the key used to encrypt the data.

Ideally, encryption protocols shouldn’t allow any part of the key to be figured out from the encrypted data stream, but the email here implies that the process wasn’t cryptographically secure, so that it might be possible to winkle out the decryption key, or to unscramble the data without the key, after all.

Perhaps Romero wasn’t a crypto nerd and this was a mistake, but it’s more likely this was by design so he could decrypt the data without having to remember or carry around a key. After all, an encryption key could look like this…

-----BEGIN RSA PRIVATE KEY-----
MIHtAgEAAjAAziOgSCYfbckh5tLO1ztkj/ggT80/3KOj2jQBTeJtPqX+3l8pen/V
yNGbv4+pRF0CAwEAAQIveUhuwmRjs3VWU/eOKQZRyX8Ei89IFqnED3JChX5RP4kE
8Ixl/6p+i1+NMDW4MoUCGA8nge3DNwNone+ifAqSxgeNgSg+Wug/LwIYDZpH/uwK
csRIfwb6M5X2COjcmAWSarIzAhgLbu47GU6XNsX5tyhIveXEawFoAGuLz6cCGA1g
oVVvRYdAyhtC/WUmIeT5PZi0Qh50SQIYBunB28gYf39am7WDp4GKeb696mmFgYeH
-----END RSA PRIVATE KEY-----

…whereas the seed to generate the key could be something as easy as a few digits of his choosing, like his birth year, or I don’t know, 5/9.
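To make the difference between a random key and a guessable seed concrete, here is an added Python example (it is not from the show or this post) that assumes a hypothetical scheme in which the key is simply SHA-256 of the seed and the container can be checked with an HMAC over a constructed header; it counts how few guesses a birth-year seed survives compared with a key drawn from os.urandom.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for an "encrypted keylogger container": rather than a
# real cipher, the container carries a keyed MAC over a fixed header, which is
# all a defender needs to test whether a candidate key is the right one.
HEADER = b"KEYLOG-CONTAINER-v1"  # constructed label, not from the show


def derive_key(seed: str) -> bytes:
    """Hypothetical weak scheme: the key is simply SHA-256 of a short seed,
    so whoever can guess the seed can regenerate the key."""
    return hashlib.sha256(seed.encode("utf-8")).digest()


def seal_header(key: bytes) -> bytes:
    """The check value a reader of the container can verify a key against."""
    return hmac.new(key, HEADER, hashlib.sha256).digest()


def guesses_to_recover_year_seed(tag: bytes, first: int = 1900, last: int = 2020):
    """Defender's estimate: how many guesses does a birth-year seed survive?
    Returns (seed, attempts), or (None, attempts) if no year in range matches."""
    attempts = 0
    for year in range(first, last + 1):
        attempts += 1
        if hmac.compare_digest(seal_header(derive_key(str(year))), tag):
            return str(year), attempts
    return None, attempts


def seed_entropy_bits(candidate_count: int) -> float:
    """Entropy of a seed drawn uniformly from candidate_count possibilities."""
    return math.log2(candidate_count)


if __name__ == "__main__":
    weak_tag = seal_header(derive_key("1967"))          # constructed birth-year seed
    print(guesses_to_recover_year_seed(weak_tag))       # ('1967', 68)
    print(round(seed_entropy_bits(2020 - 1900 + 1), 1)) # 6.9 bits of seed entropy

    strong_tag = seal_header(os.urandom(32))            # the fix: a random 256-bit key
    print(guesses_to_recover_year_seed(strong_tag))     # (None, 121)
    print(seed_entropy_bits(2 ** 256))                  # 256.0
```

The lesson for anyone storing sensitive captures is the second half: a key generated from the operating system's random source has no seed to guess, so the only way in is the key itself.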

The next step seems pretty clear: I wouldn’t be surprised if Elliot and Dom work together to undo the hack, where Dom has access to the files and Elliot will need to decrypt them.

If they’re successful in stopping Whiterose and Dark Army’s next attack, they’d have Romero’s healthy hacker paranoia to thank. That would be some fantastic justice from the phreaker set for sure.