The Mr. Robot Hack Report: Hacking Android Phones with a Rogue Femtocell
Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.
* * * S P O I L E R S F O L L O W * * *
Going full robot
After three weeks of psychological torment, this week’s episode stepped on the gas. We finally got a look at Ray’s "online business," which turns out to be a Silk Road clone, right down to the "dread_pirate_roberts" admin login. We also got the closest look yet at White Rose, who turns out to be living during the daytime as the head of Chinese state security. Plus, the show’s first actual gunfight!
But for the purposes of the hack report, the most interesting part was Elliot’s plan for hacking the FBI, delivered in a breathless cold-open monologue. After three weeks in analog lockdown, he puts together a remarkably complex attack in just a few minutes of screen time. Split screens! Zooming! Wistful childhood remembrances! He’s going full robot, which makes it nearly impossible to keep up. So let’s take it one piece at a time:
ANDROID ZERO DAYS
Let's start from the top, minus any references to Elliot’s childhood library hack, as well as the more complicated delivery mechanism we’ll get to later.
"Step one, identify the target and its flaws…the Android zero-days I’m using to own the FBI standard issue smartphone…Step two, build malware and prepare an attack. At my fingertips the zero-day is wrapped in code like a Christmas present, then becomes an exploit…Once I [launch the exploit], I’ll own the Android phone of every FBI agent in that building. I’ll own all of Evil Corp’s network applications, everything."
Metaphorical bluster aside, this is pretty close to how exploits get built. Darlene dropped a hint in the IRC chat last week that the FBI switching from Android to Blackberry phones had given them an opening — and now we know what she meant. Elliot is sitting on a few undisclosed Android vulnerabilities. Those are the zero-days he’s talking about — so-named because Google has had zero days to fix the bug. But even after he knows the security flaws, he still needs to write a program that exploits those flaws — hence the gift-wrapped exploit we see him coding up in the intro.
Is it realistic that someone like Elliot would have undisclosed Android vulnerabilities? Sure! That’s exactly the kind of thing a genius hacker would be able to dig up — and they’re discovered at a fairly regular clip. This month’s Android security bulletin lists 42 separate vulnerabilities, including eight critical bugs. Of course, all of those were disclosed and patched — but if Elliot decided saving the world from capitalism was more important than a secure mobile ecosystem, there would be nothing stopping him from keeping the bug to himself. And that’s assuming the FBI phones are even getting the available Android patches, which is a whole other headache. Point is, the bugs are out there, and Elliot’s sharp enough to find them.
FEAR THE FEMTOCELL
Things get interesting with Elliot’s plan for delivering the exploit. Here’s that part of the speech:
"Step three, load the malware into a femtocell delivery system, my personal cell tower that will intercept all mobile data…hidden within the kernel is a logic bomb…should the FBI take an image of the femtocell, all memory will self-corrupt or explode."
So there you have it: Elliot’s delivering the malware through a self-destructing cell tower. He wants to take over the FBI office’s cellular network with a femtocell — basically a router for cell service — which will allow him to slip the exploit seamlessly into cellular data traffic. The result will look and feel like connecting to the regular wireless network, but anyone in range of the cell will be routing through fsociety’s new box.
Femtocells are a real thing, typically used to patch up dead zones where the cell networks don’t reach. You have to buy them directly from your wireless carrier and connect them to a specific account, but beyond that they’re pretty easy to get, and it’s likely you could get one even more easily on the black market.
They’re also entirely hackable. In a 2013 Black Hat presentation, a researcher named Tom Ritter showed how to hack a femtocell into intercepting calls, texts, and even cloning phones to eavesdrop on calls in progress. Dropping in malware would take a little extra know-how and so would setting it to self-destruct if examined, but it’s all entirely possible.
When I caught up with him this week, Ritter said the show’s proposed hack was a "natural extension of what we worked on at Black Hat." Femtocells are weird, specialized devices, but at their heart, they’re computers running software, and that software can be modified or replaced. "The one that we attacked, you could think of as just a small Linux computer," says Ritter, who is now the principal security consultant at NCC Group. "The limitations were that it didn’t have a lot of storage space, but it certainly had enough to do what we needed."
That hack is particularly hard to avoid because, unlike a Bluetooth pair or a public Wi-Fi network, there’s often no indication that your phone is connecting through a femtocell. As far as the phone is concerned, the femtocell is just another part of the cellular network, even though it’s far more hackable and less protected than a cell tower. Ritter says the best protection would be a phone-based opt-out, giving the user an explicit choice when a femtocell appeared as the nearest connection — but so far, no phone companies have decided that security measure is worth the hassle.
The trickiest thing for fsociety will be keeping the femtocell plugged in and discreet. For a femtocell to provide actual coverage, it needs to be connected to the network. That usually means plugging it into an Ethernet port, but that seems somewhat tricky under the circumstances! When Darlene makes the pitch to Angela, she describes it as a simple dropoff, but it’s more like plugging in a router than dropping a USB stick. Even with physical access to the space, it would be tricky to install one of those cells in an office without arousing some kind of suspicion. But maybe Angela is sneakier than we thought?
Of course, there’s lots of plot that this didn’t cover, including a ton of new questions about the real motivations of White Rose and the aftermath of the 5/9 hack that closed the first season. We dive into the rest of it in the Mr. Robot Digital Aftershow, and as always, let me know if you have any other questions you’d like to see us address. Otherwise, stay Roboting!
Disclosure: NBC Universal, owner of USA Network, is an investor in Vox Media, The Verge’s parent company. Additionally, we are an independent editorial partner in the Mr. Robot Digital After Show hosted by The Verge.