The Mr. Robot Hack Report: Ransomware and Owning the Smart Home
Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.
As season two opens, the orchestrators of the massive "5/9" attacks have been disconnected, so to speak. Elliot and/or/aka Mr. Robot are hiding out in Queens, living with Mrs. Alderson in self-imposed internet detox, and Tyrell Wellick is ... somewhere. But just because those two are off the grid, and the economy is in smoldering ruins, doesn't mean there wasn't plenty of hacking to do! The fsociety crew, growing in number and now led by Darlene at her angstiest, managed two major attacks, breaking into both an extremely shiny smart home and another major portion of the E Corp empire.
The general counsel of E Corp has a very nice smart home in the villainously wealthy block of Greenwich Village, and apparently the vendor has not been good about deploying patches. When she gets home, it starts acting up: first the stereo and TV, then the shower, alarm system, and eventually the thermostat, which goes so cold she has to break out her winter coat. Conveniently, this was an entirely fictional smart home, so it’s both seamlessly integrated between products (we wish!) and extremely easy to crack. After calling the company and playing poltergeist for a few hours, she is forced out of her home, and fsociety is free to move in and celebrate their recent castration of the Wall Street bull.
It’s unclear exactly who in fsociety pulled this off or how they did it, but at this point hacks like this are common enough that they don’t really need to explain. Back in 2013, Kashmir Hill took control of a home on the Insteon platform just by Googling for open ports, gaining access to the home’s floodlights, hot tub and water pump. More recently, researchers at the University of Michigan found vulnerabilities in Samsung’s SmartThings platform that let them set off smoke alarms or even unlock doors.
These flaws crop up all the time, and like any group of software vulnerabilities, we have to assume there are some that only the bad guys know about. The problem isn’t so much bad security as bad design. The devices aren’t very powerful, so even basic HTTPS encryption is asking a lot of their processors. That underpowered processor also makes it a significant headache to deploy a patch once a vulnerability has been found.
Still, I have to ask: what kind of air conditioning setup does this woman have? I am not an expert, but I suspect it would take a lot of energy and time to lower the temperature of an entire house to under 50 degrees? And this maybe also applies to the season one task of raising the ambient temperature of a data center above the melting point of magnetic tape? I am genuinely unclear on how all this works though, so HVAC Twitter, please get at me.
The Million-Dollar USB Drive
Not content with erasing all of E Corp’s data and upending finance capitalism as we know it, this week fsociety decided to hit E Corp with a ransomware attack. We don’t see exactly how it happened, but it’s strongly implied that Mobley took a part-time job running IT for a retail E Corp branch, where he planted a worm that encrypted even more of E Corp’s data. (Always keep an eye on the IT guys.) It was a classic ransomware attack, demanding $5.9 million at a very specific drop point in exchange for the key to decrypt the data. We don’t know exactly what the ransomware went after — at this point, what’s left? — but whatever it was, it was enough for the company’s executives to shell out the money and leave the CTO to light it all on fire in a public place, which I’m sure was great for everyone's Snapchat accounts.
Bonfire aside, this is a very common way for hackers to make money. Cryptolocker is the best-known variant, which in 2013 was bringing in as much as $1 million a day to some addresses. Once infected, targets usually have a matter of days to transmit the ransom (usually bitcoin) in exchange for their decrypted files.
The price tag is often negotiable. One California hospital was hit with a demand for $3.6 million to restore control of its computer systems, but the company was able to talk it down to $17,000, which they promptly paid. The sad fact is that, in most cases, paying off the attackers early is the easiest way out.
Now, the question of whether you could pull that off from a retail banking branch is a little trickier. How partitioned is the local network that Mobley had access to? Is there enough data accessible from that local system that the company would be willing to pay $5.9 million? Hard to say, but if you’re part of a secretive hacking collective that has brought capitalism to its knees, it’s probably not too far out of reach.
Of course, none of that answers the big questions, like who was hacking Gideon and what the hell is going on with Tyrell, but there’ll be plenty of time for that later. In the meantime, let me know if you have any questions about the show’s various hacks, or need advice on fomenting your own Polanyist insurrection. I'll try my best to answer questions in next week's column. And stay tuned for the Mr. Robot Digital After Show Hosted By The Verge, which premieres next week after episode 2. We'll be talking tech, easter eggs, and indulging your wildest fan theories.