The Mr Robot Hack Report: Just the Fax
Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.
* * * S P O I L E R S F O L L O W * * *
The Dark Army doesn’t play around!
We take one week off on the Mr. Robot Digital Aftershow (Hacking Robot will be doing a full download tonight on USA; we’re back next week) and of course, everything goes off. Stage Two seems to be underway? Tyrell might be alive but he might also be dead? Plus, something weird is hidden in Elliot’s apartment and we’re not sure what it is.
But most important for our purposes is the hack at the center of the show, a simple answer to a classic Mr. Robot problem: How do you find the source of all the anonymous calls you keep getting from a crazed banking executive who’s supposed to be dead?
The answer: use a fax machine!
HAX YOUR FAX
City police are pretty good at finding phones, it turns out! If they get a call that presents an immediate danger of death or bodily injury, they can get fast-track help from the phone company by claiming "exigent circumstances." It doesn’t get police off the hook for probable cause entirely, but carriers are willing to see the evidence after the fact as long as the officer testifies there’s an imminent threat. Policies vary between jurisdictions, but generally a fax, a phone call and some verifiable personal details are enough to get you all the information the phone company has.
Of course, Elliot isn’t a cop, so he has to get more creative. Luckily, the whole "exigent circumstances" system runs on faxes, so all Elliot has to do is fake a fax. He reinstalls the firmware on a printer/scanner, which lets him edit the fax’s metadata to make it seem like it’s coming from the police station. Then he calls in and does a little light social engineering to close the deal.
There’s one more wrinkle. All Tyrell’s calls came in with blocked Caller ID data — but it’s the phone company that’s stripping that data out in the first place, so they still have a record of where each call came from. It’s different if you actively spoof the Caller ID, as we’ve seen in some swatting attacks, but it doesn’t seem like Tyrell got into that.
It’s worth mentioning that this is all cell site data, triangulating the phone’s location based on the strength of the signal from nearby cell towers. Elliot says it’s good within nine to twelve meters, which is about right — but that’s only just barely enough to place someone in a specific building. In fact, if you subpoena carriers for that information, they’ll often emphasize that point in the court filing, saying the data isn’t accurate enough to place someone at the scene of the crime. (They’ve been listening to Serial too!) And just like GPS, it’s completely useless on the vertical axis, so even if you’ve found the building, it’s anyone’s guess what floor it’s coming from.
There are ways to get more specific. The most famous tactic is the Stingray, a miniature cell tower that lets police pinpoint a specific signal by driving through a neighborhood — but after recent legal challenges, it’s become more controversial than ever. There’s also the location tracking system within Android, which police have started filing warrants for — but both of those require a lot more legwork and legal standing than Elliot can muster this week, so for now, nine to twelve meters will have to do.
RETURN OF THE CANTENNA
A slightly less urgent question: What the hell is Elliot doing with that Pringles can?
He’s building a cantenna! The circuit board he drops inside the can is a wireless card, connected to the computer through USB. The foil in the Pringles can blocks out radio signal, so the antenna can only pick up on signals coming directly down the tube. That lets him connect to wireless signals much farther away, blocking out the extraneous noise that would otherwise drown out weaker signals. Once the tube is pointed at a Wi-Fi network across the street, that’s the only network the antenna can pick up on. Every signal that’s not headed straight down the barrel of the tube gets blocked out. It’s the same trick we saw Darlene pull when they planted the femtocell back in episode five, although she used the shiny, out-of-the-box version that looks like a telescope. This is the hackier version that just looks like, well, a Pringles can.
The end result is that all the nefarious faxes are actually coming from the network across the street. So when the police figure out what happened and come after him, they’ll be kicking down the door of some poor sap across the street.
Of course, they’ll still have Joanna’s phone number, which Elliot had to transmit to the phone company in order to get the records in the first place. And since she’s the wife of the most wanted fugitive in the world, that might raise a few red flags? But that’s assuming Phase Two hasn’t killed everyone first, which is seeming like less and less of a safe bet.
That’s about it for this week’s hacks, but check back next week for the grand finale of the digital aftershow. As always, let me know if there are any other hacks you’re scratching your head about. And try not to incur the wrath of any international cybercrime consortiums while we’re gone!