All I Really Need to Know About InfoSec, I learned from Mr. Robot
I was trapped on a beastly 14-hour flight to China — complete with a jet-lagged newborn on my lap. Fortunately, the in-flight entertainment included a new cybercrime drama called Mr. Robot.
This show takes technical realism to levels unprecedented for Hollywood. It succeeded in distracting me from the awkwardness of being “that guy” with the crying baby. And I even learned a few things about information security.
Out of respect for readers who haven’t yet watched this Golden Globe-winning series, I’ve purged this article of any reference to characters or plots in the story. Read on with confidence — this is a spoiler-free article.
Without further ado, here are five information security lessons from season 1 of Mr. Robot.
1. A hacker can compromise your phone in seconds, and you’ll never even know it
Hackers don’t need to steal your phone — that would be too obvious, and would only give them access to your data from the past.
Instead, they can gain control of your phone using spyware. They can do this in minutes, and you’ll never even know.
In Mr. Robot, one of the characters installs a root kit on someone’s phone in less time than it takes to shower. Using Flexispy — a widely-used Android spyware tool — the character “roots” the phone — putting it in superuser mode — and then hides the normal superuser icon to obscure the fact that the phone has been tampered with.
From now on, the character is able to monitor all of that phone’s digital and audio communications.
Word to the wise — using your phone’s thumbprint scanner or setting a lock screen password will make it much harder for a hacker to do this to you.
2. Don’t accept CDs or USB drives from strangers
Emerging from the subway, a boombox-blasting rapper offers you a free copy of his newest album.
Now, you wouldn’t take candy from some guy in bellbottom jeans and stick it in your mouth. Don’t take a CD from some guy in a flat-bill cap and stick it in your computer!
To be fair, you would still need to execute a file. In Mr. Robot, hackers use an alluring filename like “Free iTunes Gift Card.exe” to dupe the victim into double-clicking it. This installs a Remote Access Trojan (RAT), effectively giving the attacker access to files and even webcams. Creepy.
- Hide things in plain sight Sometimes the best place to hide things is right out in the open. Who would think twice about that binder of old rock albums on your floor?
What looks like a normal CD — that even plays their album scrawled on it with a sharpie—actually contains an extra layer of data stashed within.
Removed from any network access, the only way to read the data on these CDs would be to physically enter the premise and get a hold of them. You’d then for at least long enough to spin up an optical drive and dump their contents.
If you aren’t using Bluetooth, turn it off.
If an attacker discovers an open bluetooth connection on your device, they could connect their own keyboard to it and start inputing commands.
Yes, it is possible to open up a terminal with a series of hotkeys in both Windows and OSX, and from there type in malicious commands.
As a bonus, turning off bluetooth when you’re out and about will reduce your battery consumption, giving you more time to read Medium articles like this one (and follow Medium writers like me).
You are your own greatest vulnerability
Throughout Mr. Robot, the most common exploit is good old social engineering — manipulating people into doing what you want.
Here are some red flags to look out for when interacting with strangers:
- a phone call that jumps straight into “I just need to ask you some security questions first” — many services use the same security questions, and these could also be used to speed up a brute-force attempt to guess your password.
- A stranger approaches you with an all-too-plausible story and asks to use your phone — this is an easy way to get your phone number or other identifying information
- Your own vanity, laziness, love of family, or fear of germs — these are all vulnerabilities that an attacker can take advantage of. If a stranger seems to be winding you up emotionally for no reason, they may be more than just a mean person. They may be an attacker.
The "hacking" that goes on is mostly true-to-life examples of how companies, systems, and people are exploited on a very real/personal level. It's a must watch for those who have an interest in coding, hacking and like to explore human nature topics with a dark theme.