Warning: this article contains spoilers for the Mr. Robot series, especially season 4.
Mr. Robot is one of the most realistic television series on cyber security. Most of the hacking scenes are imagined, designed and filmed in such a way as to anchor the character and the situation as much as possible in reality. Season 4 is no exception.
In this article, we dissect episode 5, entitled “Method Not Allowed”.
Manipulated by the Deus Group, a criminal organization controlling the world, and understanding the role he played in the cyber attacks of previous episodes, Elliott seeks revenge by attacking the root of their power: their money.
By compromising the organization’s lawyer using various methods of social engineering (phishing, blackmail, psychological pressure), he managed to trace the trail back to the Bank of Cyprus, which holds all the organization’s funds.
After a phase of rapid reconnaissance (OSINT, open source intelligence), Elliott and Darlene manage to trace the transactions back to Olivia, a bank employee who manages all of them. Elliott seduces Olivia, and during the night he spends at her home he manages to steal a multi-factor authentication code from her, which Darlene uses to connect to the VPN of the Bank of Cyprus.
However, this access is not sufficient, so the protagonists have to physically compromise the Bank of Cyprus servers to pull off the heist of the century.
The Bank of Cyprus’ servers are hosted by the Virtual Reality organization in the heart of New York. The objective for the protagonists is to physically enter the data center to connect directly to the servers and thus set up backdoors allowing them to remotely access the Bank of Cyprus’ infrastructure.
In preparation, Elliott reviews the security measures that Virtual Reality describes on its website, with reconnaissance as the primary objective. He also prints a Virtual Reality company badge in the name of Dolores Haze, bearing a photo of his sister. At this point the badge has no rights to access the data center.
Reconnaissance is an essential step in carrying out the hack: it gives an overall view of the level of security and tells the attacker what kind of mechanisms to expect. Although the scene does not show thorough and precise reconnaissance, we can assume it took place beforehand, in particular to obtain a visual reproduction of the badge.
Elliott and Darlene then position themselves in front of the data center and wait for one of the two security guards to take his break (at 11am sharp). That is when Darlene enters the data center. Of course, her badge doesn’t work, and while the guard, focused on his computer, investigates the problem, Elliott takes the opportunity to sneak into the data center by bypassing the barriers.
He then heads to the supervision room. Arriving in front of it, using his Kali Linux computer and network frame capture software, he captures the frame sent when the connected lock protecting the room is opened and replays it, which gives him access.
Elliott’s entry into the data center depends on the entrance gates being a relatively easy passageway that leads to the premises hosting the video surveillance. In reality, data centers follow very strict rules on physical protection, and it seems unlikely that the supervision room would be protected only by a basic gate and a connected lock.
Elliott finds the supervision room with disconcerting ease, and the scriptwriters give no further detail on this point; one can imagine that during the reconnaissance phase he had access to a plan of the building that had leaked on the darknet, which allowed him to find the room quickly.
As for the connected lock, it is quite possible that it is vulnerable, as many connected objects are not thoroughly checked for cyber security. However, the speed with which Elliott compromises the lock is disconcerting, given that he probably did not have the lock’s design and did not know its vulnerabilities.
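To make the lock scene concrete from the defender’s side, here is an added simulation (not code from the episode or from any real lock product) of why a lock that accepts a fixed “open” frame is replayable, and why a nonce-based challenge-response lock is not. The frame format, the shared key and the HMAC scheme are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import os

KEY = b"constructed-shared-key"  # constructed: key shared by badge and lock


class StaticLock:
    """Lock that opens on a fixed frame: any captured frame replays forever."""
    UNLOCK_FRAME = b"\x02OPEN\x03"  # constructed frame format

    def __init__(self):
        self.opened = 0

    def receive(self, frame):
        if frame == self.UNLOCK_FRAME:
            self.opened += 1
            return True
        return False


class ChallengeLock:
    """Lock that issues a fresh nonce and expects HMAC(key, nonce); each nonce is single-use."""

    def __init__(self):
        self.opened = 0
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)
        return self.pending

    def receive(self, frame):
        # frame = nonce || tag; reject anything not bound to the outstanding nonce
        nonce, tag = frame[:16], frame[16:]
        if self.pending is None or nonce != self.pending:
            return False
        expected = hmac.new(KEY, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, expected)
        self.pending = None  # consume the nonce whether or not the tag matched
        if ok:
            self.opened += 1
        return ok


def badge_response(nonce):
    """What a legitimate badge answers to a challenge."""
    return nonce + hmac.new(KEY, nonce, hashlib.sha256).digest()


def run_replay_scenario():
    """Returns (static_replay_accepted, challenge_replay_accepted)."""
    s = StaticLock()
    captured = StaticLock.UNLOCK_FRAME     # frame observed during a legitimate open
    s.receive(captured)                    # legitimate open
    static_replay = s.receive(captured)    # same bytes sent again

    c = ChallengeLock()
    captured = badge_response(c.challenge())
    c.receive(captured)                    # legitimate open
    c.challenge()                          # lock issues a new nonce for the next attempt
    challenge_replay = c.receive(captured)  # stale nonce: rejected
    return static_replay, challenge_replay
```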
Once inside the room, Elliott is able to log in to the administration console of the access control software: the console is locked, but the “admin” account is still logged in. Elliott types a 5-letter password, probably “admin”, which unlocks the session. This is one of the main vulnerabilities of computer systems: default passwords, and in particular the famous “admin/admin” pair.
He then creates the “Dolores Haze” profile and gives it every possible right. Meanwhile, Darlene is still at the reception desk with her “defective” badge, while the guard checks in his software whether “Dolores Haze” actually exists.
Once Elliott has created and validated the account, the guard lets Darlene into the data center without asking any further questions. This raises questions about the processes in place: the guard simply performed a visual check of the badge before granting access. For a data center, one would expect identity checks to be much stricter, relying for example on a second, biometric factor.
Elliott, meanwhile, logs in to the video surveillance software (again with “admin/admin”). He then launches a firmware update of all the video surveillance cameras, which switches them off. Two weaknesses are exploited here. The first is that the cameras’ firmware is not up to date, a very common vulnerability: cameras, like industrial equipment, are rarely updated, so outdated firmware is not surprising. The second is that the update itself makes the cameras inoperable.
The technical elements are consistent: weak passwords, outdated firmware… However, these are vulnerabilities usually found in companies with a low level of cybersecurity maturity.
In the case of a data center (which, moreover, hosts data for the most powerful organization in the world!), this does not seem very credible. One can also question the processes in place for access control.
While waiting for her badge to be verified, Darlene wipes her phone clean and intentionally leaves it on the guard’s desk. When the guard hands the phone back, it carries his thumbprint, and Darlene takes it away with her immediately.
She and her brother then head to a floor with 3D printers, a place that was probably spotted during the reconnaissance phase. Using Photoshop, Darlene and Elliott print a “finger” carrying the guard’s fingerprint in about 20 minutes. It can later be used to access the biometrically protected server rooms.
This type of hack really exists. A hacker tested the manipulation on his own phone: he photographed one of his fingerprints, adjusted the image in Photoshop and printed it on a plastic support, all in 13 minutes, which was enough to fool the fingerprint reader. We can therefore imagine that the scene is realistic for the fingerprint readers used in access control.
However, the scene still relies on luck in the way the guard handles the phone, as the phone could have been left with no prints or only partial prints, making duplication impossible.
Once inside the server room, Darlene and Elliott are able to find the rack holding the Bank of Cyprus’ physical servers. Since it is difficult, if not impossible, to identify which servers in a data center belong to a given company, one can imagine that during the reconnaissance phase the protagonists managed to glean this information (darkweb or phishing).
The rack is unlocked, giving the heroes physical access to the machine. Darlene connects to the server and creates accounts with high privileges that will allow her to remotely access the bank’s infrastructure. She creates at least two accounts with visible names, sys_admin and sec_admin, and configures their passwords so that they never expire. In other words, she creates backdoors.
Elliott removes the “Dolores Haze” account from the access control database in order to erase all traces of their passage.
The connection to the Bank of Cyprus servers is not very developed in this passage: we see Darlene entering a password to log in, but we do not learn how that password was obtained.
In addition, all the racks visited are unlocked, which does not seem very credible in a data center, where physical security is essential.
Before Darlene has quite finished setting up the accounts, the surveillance cameras come back on. Elliott then notices a product name (“ELAN”) on one of the electrical ducts in the room. He connects to an IP address that prompts him for credentials (probably default credentials, “elan/elan”).
This gives him access to the administration interface of the building’s lighting system. He reconfigures the lighting schedule so that the lamps turn off, allowing the pair to escape despite the presence of the security guard, who has just seen them in the room.
Building energy management systems resemble industrial control systems: they are often poorly maintained and left with default passwords.
The only weak point in this scene is the IP address used to reach the system: we do not know how Elliott obtained it. Reaching that network also implies that Elliott is connected to a local network, probably Wi-Fi, yet he is never shown compromising any password.
With this administrator access, Darlene and Elliott will be able to administer the system and later thwart the two-factor authentication required for transfers from Deus Group member accounts. However, it does not seem credible that, after detecting an intrusion on the site and noticing an open rack, the company does not decide to audit its accounts.
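The backdoor accounts described earlier (sys_admin and sec_admin, privileged, with non-expiring passwords) and the account audit the article says the company should have run can be illustrated together. The following is an added example, not code from the episode or from any real product: a small audit that flags privileged accounts with non-expiring passwords or created inside a recent window. The account export format, group names and dates are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of a user export; the field names are assumptions,
# not the output format of any real directory tool.
ACCOUNTS = [
    {"name": "olivia.c",   "groups": ["bank-ops"],         "created": "2019-02-11", "pw_never_expires": False},
    {"name": "svc_backup", "groups": ["backup-operators"], "created": "2018-07-01", "pw_never_expires": True},
    {"name": "sys_admin",  "groups": ["domain-admins"],    "created": "2019-10-23", "pw_never_expires": True},
    {"name": "sec_admin",  "groups": ["domain-admins"],    "created": "2019-10-23", "pw_never_expires": True},
    {"name": "it_admin",   "groups": ["domain-admins"],    "created": "2017-03-15", "pw_never_expires": False},
]

PRIVILEGED_GROUPS = {"domain-admins", "enterprise-admins"}  # constructed group names
NOW = datetime(2019, 10, 25)  # constructed audit date, two days after the intrusion


def audit_accounts(accounts, now, max_age_days=7):
    """Return a list of (name, reasons) for accounts that look like planted backdoors.

    An account is reported when it sits in a privileged group AND either its
    password never expires or it was created within the last max_age_days
    (the window in which the physical intrusion was detected).
    """
    findings = []
    window = timedelta(days=max_age_days)
    for acct in accounts:
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        if not privileged:
            continue  # non-privileged accounts are out of scope for this check
        created = datetime.strptime(acct["created"], "%Y-%m-%d")
        reasons = []
        if acct["pw_never_expires"]:
            reasons.append("privileged account with non-expiring password")
        if now - created <= window:
            reasons.append("privileged account created in the last %d days" % max_age_days)
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_accounts(ACCOUNTS, NOW):
        print(name, "->", "; ".join(reasons))
```

Run against the constructed export, only sys_admin and sec_admin are reported, each for both reasons; the old it_admin account and the non-privileged svc_backup service account are not.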