Mr Robot Hack Report: Cantennas and Dirty USB Drives
Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.
* * * S P O I L E R S F O L L O W * * *
So that was a lot of robot! Dissociative pastiche! The Brechtian distance effect! Alf! After simmering for the first few episodes, we’re starting to see a lot of the paranoid and upsetting style that made the first season so unpredictable. F-Society is back in action, Angela is stressing out, and horrible things are being done to Elliot’s mind and body. It’s just like old times!
We also got our first honest-to-god heist sequence, with Angela venturing onto the FBI floor of the Evil Corp offices to plant the exploit-laced femtocell. We laid out the core of the femtocell hack in last week’s report, but making it happen required a lot of extra tricks, and there was a lot more to them than met the eye.
While Angela is getting in position for the femtocell drop, we see Darlene break into a hotel room using a combination of wigs, gadgets and sleight of hand. It all happens pretty fast, and the upshot is basically "she got into the room with technology," but what she’s doing is a lot more grounded and plausible than you might think.
The core trick here is cloning the maid’s hotel key, which can open any room in the hotel. The card itself is just a number encoded on a magnetic stripe. Getting the number is as simple as swiping the card, which we see Darlene doing with what looks like a Square reader. Most credit card readers don’t store the number after it’s gone through (that would be asking for fraud), but there’s no technical measure stopping a reader from storing the number and reproducing it later. That’s how most ATM fraud happens, and as long as you’re dealing with magnetic stripes, this kind of attack will be a problem.
Of course, Darlene doesn’t have time to print and encode a new card, so things get a little more interesting from there. Instead of printing the magnetic code onto a stripe and swiping it through, she uses a gizmo to transmit it directly to the lock.
That gizmo is actually a Magspoof, a credit card spoofing device designed by Samy Kamkar. (Kamkar is also known for creating the first MySpace worm and building a drone that hacks other drones — so not too surprising that the writers looked him up!) The Magspoof uses an electromagnet to reproduce the same pattern a reader would get from a swiped card, basically making the reader believe that a card has just been swiped through. There’s even a method for disabling Chip and PIN, although Kamkar has since removed it.
Most importantly, it’s all an open source design, so if you’re plotting your own hotel heist, you can build your own from the design available here.
RESETTING THE WI-FI
Once she got into the room, Darlene set up a tiny tripod tube at the window and proceeded to talk Angela through the process. Of course, a regular phone call would leave a paper trail, so they’re talking over Signal, an encrypted messaging app that scrupulously avoids keeping metadata.
The more interesting part is how Darlene is connecting to the femtocell from a hotel room across the street — which is where that tube comes in. It’s not explained in the episode, but it looks an awful lot like a Cantenna, an old-school trick for extending the range of Wi-Fi networks. A Cantenna is literally just a can — you can even use a Pringles tube in a pinch. The metal wall blocks out extraneous signals from the side, so the only thing the antenna element inside picks up is signals along the tube’s line of sight. If it happens to be pointed at a Wi-Fi router, that focus lets you pick up faint signals that would otherwise be drowned out. (It also works in the opposite direction, with a router in a can pointed at a specific access point, but let’s keep things simple for now.)
It’s not totally clear if Darlene’s connecting to the femtocell directly or connecting through Evil Corp’s local Wi-Fi network, but it doesn’t really matter because pretty soon everything goes to hell. As Darlene puts it:
We lost Wi-Fi. You need to get to a terminal and bring it back up. … If we can’t get the interface to load, we can’t use the Juniper ScreenOS backdoor to own the network, which means I can’t wipe the security footage of you planting the femtocell.
It sounds complex, but in the end it’s just what it sounds like: resetting a router because the damn thing won’t work. Sometimes that’s all you need to do! (Mesh networkers might also notice that Darlene’s hacked femtocell is running on OpenWrt, a familiar sight if you’ve ever tried to make your router do anything unexpected.)
CHEKHOV’S USB DRIVE
There’s one other part of the heist that didn’t come up. Just as Angela is leaving the F-Society HQ, Mobley gives her a USB stick he calls a Rubber Ducky. If she can’t make the femtocell work, he says, just plug in the USB key, give it a few seconds to run, and then pull it out. If it works, they’ll have a bunch of FBI passwords for their trouble.
The Rubber Ducky is a real tool, a highly programmable device beloved by penetration testers and available online for $45. It works by masquerading as a keyboard and typing in whatever commands have been programmed into it. If you’ve got physical access to a computer, you can run whatever program you want without doing anything indiscreet.
In this case, the Ducky is programmed to run a tool called Mimikatz (also real), which hoovers up all the hashes and passwords it can find in memory. That’s not everything, but it’s an awful lot. Mimikatz is also open source, so you can get the whole thing here. Use it only for good!
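The flip side of the Ducky trick is what it looks like from the victim machine’s point of view: a "keyboard" that types a full command line in a fraction of a second, with none of the jitter a human has. As an added illustration (this is not code from the show, the article, or the Rubber Ducky project), here is the kind of timing check a defender could run over key-down events from a single keyboard device. The thresholds (25 ms between keys, 30 keys in a row) and the sample timestamps are constructed assumptions for the example, not measurements from any real device.

```python
"""
Flag keystroke-injection bursts from inter-key timing.

Added illustration, not from the episode or from Hak5. A device that
masquerades as a keyboard types far faster and more regularly than a
person, so a long run of near-instant key-downs is a useful signal.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List

# Assumed thresholds: 30 keys in a row, all under 25 ms apart, is not a human.
MAX_HUMAN_INTERVAL_MS = 25.0
MIN_BURST_KEYS = 30


@dataclass
class Burst:
    start_index: int        # index of the first key in the burst
    end_index: int          # index of the last key (inclusive)
    key_count: int
    mean_interval_ms: float
    stdev_interval_ms: float


def find_injection_bursts(timestamps_ms: List[float],
                          max_interval_ms: float = MAX_HUMAN_INTERVAL_MS,
                          min_keys: int = MIN_BURST_KEYS) -> List[Burst]:
    """Return every maximal run of at least min_keys key-downs whose
    consecutive gaps are all <= max_interval_ms."""
    bursts: List[Burst] = []
    n = len(timestamps_ms)
    run_start = 0
    for i in range(1, n + 1):
        # The run continues while the next gap is still machine-fast.
        gap_ok = i < n and (timestamps_ms[i] - timestamps_ms[i - 1]) <= max_interval_ms
        if not gap_ok:
            run_len = i - run_start
            if run_len >= min_keys:
                gaps = [timestamps_ms[j] - timestamps_ms[j - 1]
                        for j in range(run_start + 1, i)]
                bursts.append(Burst(run_start, i - 1, run_len, mean(gaps), pstdev(gaps)))
            run_start = i
    return bursts


def is_suspicious(timestamps_ms: List[float]) -> bool:
    """True if any injection-like burst is present."""
    return bool(find_injection_bursts(timestamps_ms))


def constructed_sample() -> List[float]:
    """Constructed key-down timestamps: a person typing 41 keys, a pause,
    a 60-key burst at 8 ms spacing (scripted HID device), then the person again."""
    ts = [0.0]
    human_gaps = [120.0, 180.0, 95.0, 210.0, 140.0]
    for k in range(40):
        ts.append(ts[-1] + human_gaps[k % len(human_gaps)])
    ts.append(ts[-1] + 2000.0)        # pause before the device is plugged in
    for _ in range(59):
        ts.append(ts[-1] + 8.0)       # 60 keys total at machine speed
    ts.append(ts[-1] + 500.0)
    for k in range(10):
        ts.append(ts[-1] + human_gaps[k % len(human_gaps)])
    return ts


if __name__ == "__main__":
    for b in find_injection_bursts(constructed_sample()):
        print(f"burst: keys {b.start_index}-{b.end_index} ({b.key_count} keys), "
              f"mean gap {b.mean_interval_ms:.1f} ms, stdev {b.stdev_interval_ms:.1f} ms")
```

The timing signature is only one layer: a scripted device can be slowed down to look human, so in practice this is paired with an allow-list of known keyboard vendor/product IDs and an alert on any new HID keyboard appearing on a machine that already has one.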
Of course, the heist went fine, so Angela didn’t need the USB key — but she’s still got it. If she gets backed into a corner by DiPierro or Price at some point in the next few episodes, all she needs to do is break out the USB drive and make 15 seconds of small talk.
Or maybe we’ll never hear about it again? You never know!
That’s this week’s hackery, but we’re talking through plenty more on the Mr Robot Digital Aftershow above, including the new hints about Price’s connection with White Rose and E Coin. Plus there was the whole opening dream sequence, which might be the most bizarre and stressful thing I’ve ever seen on television? As always, let me know if you have any questions — otherwise, see you next week!
Disclosure: NBC Universal, owner of USA Network, is an investor in Vox Media, The Verge’s parent company. Additionally, we are an independent editorial partner in the Mr. Robot Digital After Show hosted by The Verge.