The Mr. Robot Hack Report: Minesweeper and a fake stolen car
Mr. Robot is back, and the C Y B E R is back too. The show takes a special interest in showing off the details that usually get glossed over, often drawing on real hacks and real cybersecurity problems — so after every episode, I’ll be breaking down who got hacked, how, and with what. It turns out, there’s a lot more to each one than you can see on screen.
And we’re back! After a year away, Mr. Robot is coming back with a bang. Tyrell has literally gone underground, Elliot is souring on his anti-corporate crusade, and the world overall continues to fall apart. And it’s only 2015!
As season three picks up, Elliot has recovered from his episode-ending gunshot wound, just in time to resume the ongoing struggle within his own psyche, which may well determine the fate of capitalism. The battle lines are drawn, and power has been restored. We even got a dramatic putting-on-the-hoodie moment! Now let’s get to the hacks.
SWEEPING FOR MINES
This week saw Mr. Robot’s first full hacking tournament, a techno-themed basement rave that might be the first Capture The Flag tournament we’ve ever seen on TV. Elliot and Darlene are interested because this is the only hacker space in New York with a direct fiber connection. (In the Mr. Robot timeline, as in reality, Verizon has failed to meet its municipal franchise obligations.) But since they need the space to clear out, Elliot steps in to solve the challenge early, basically whispering the answer to a nearby hacker as if he were laying out a checkmate.
Competitions like this are a very real and popular part of hacker culture. They’re called “capture the flag” games because of the balance between offense and defense: you have to balance your team’s resources between exploiting bugs on the opponent’s network, and protecting your own. The biggest CTF tournaments happen at Defcon, but there are smaller ones throughout the year. In fact, the specific game they’re playing — breaking into a web-hosted version of the game Minesweeper, while hosting their own — is based on a real game that was played at the Chaos Communication Congress in 2012. You can see the challenge here, and check out a bunch of the solutions. Fair warning: it’s not as easy as it looks on TV!
SIRI, STOP THE CAR
Weirdly, my favorite hack of the week came from Bobby Cannavale’s Irving, the Dark Army fixer and barbecue enthusiast who has turned out to be one of season three’s biggest surprises. Escaping from the hacker space with Elliot and Darlene, Irving spots an FBI agent tailing them, and manages to slow the car to a stop just by talking on the phone. There’s a lot going on at once here. Irving is impersonating a cop, running the car’s license plate against a DMV lookup tool to work backward to its Vehicle Identification Number. Then he uses that to identify the car to a dispatcher and shut it down.
The important thing here is that the car has OnStar, which includes something called a rev-limiter. If OnStar thinks your car has been stolen, the company can use that rev-limiter to force the engine to idle, at which point the car rolls to a stop so the police can swing by and pick it up. In practice, this tends to happen through GPS coordinates rather than VINs, but the basic hack here is very plausible.
You may remember, Irving says “I see the lights blinking” right before the FBI car stalls out. That’s drawn from real life too: OnStar will often flash the lights before a slowdown to confirm with the officer that they’ve taken control of the right car.
You might think a remote shutdown switch is a bad thing to have in a police car! But General Motors, which makes both OnStar and a ton of police cars, actually seems pretty excited about marketing the service to cops. It’s always possible there’s some secret cop-switch that you could flip to disable the rev-limiter, but since the shutdown request usually goes through the police office itself, it doesn’t seem like a huge problem in real life.
ONE LAST THING
If you were watching closely during that scene in the basement with Tyrell, Mr. Robot, and Angela, you might have seen an up-close monitor shot of a hackery-looking website. The narrative point was to confirm that E-Corp still has a vulnerability, and Mr. Robot’s plan for Stage Two is still viable — but the website itself is still very much a thing. It’s called Shodan.io, and it keeps a running tab on all the devices connected to the internet. A lot of them are internet-of-things devices like web cameras and smart doorbells, and a lot of them are completely unsecured — which is a big part of why it’s so important to keep tabs on this stuff. It’s not just for evil hackers, I swear.
That’s all the hacks for this week, but we talk about all that and more on the Mr. Robot Digital After Show, which you can see above. We still don’t know what’s up with Dom, or what any of the weird alternate timeline stuff is about. Let me know if there’s anything else you’re wondering about, by email, on Reddit, or by tweeting at us with the hashtag #RobotAfterShow. See you next week!
Disclosure: NBC Universal, owner of USA Network, is an investor in Vox Media, The Verge’s parent company. Additionally, we are an independent editorial partner in the Mr. Robot Digital After Show hosted by The Verge.