A brief analysis of scenes from the TV-show “Mr. Robot” focusing on the cyber security realism of a fictional cyber attack.

This “scene” refers to several scenes in the first episode of Mr. Robot where the main character, Elliot Alderson, a cyber security engineer, conducts a vigilante cyberattack on his target, Micheal Hansen. This scene is a good use case for a typical lone-operator attack against a regular civilian.

Elliot on the phone with Mr. Hansen

Recon

The attack begins with Elliott reconnoitring Mr. Hansen. After observing Mr. Hansen leaving a taxi, Elliot pretends he forgot his keys in the specific taxi used by Mr. Hansen and the company gives him Mr. Hansens home address. Elliot approaches Mr. Hansen while he is walking his dog and uses social engineering to borrow Hansens phone and calls himself. The intent is to obtain Mr. Hansens phone number which he will use for his attack later. In this scene, Elliott approaches Mr. Hansen carefully. According to Christopher Hadnagy (author of Social Engineering: The Science Of Human Hacking), any social engineering attempt is build on answering the targets following questions within the first ten seconds:

  • Who are you?
  • What do you want?
  • Are you a threat?
  • How long will this take?

Elliott is able to do this in around eight seconds. He presents himself as a shy but friendly person needing to call his mother, due to his own phone being dead. This is not unreasonable, and has a fixed time requirement, being the call itself. This keeps Mr. Hansens brain in what Dr. Ellen Langer refers to as alpha mode. This is where the brain is operating on low speed, and acts on routines, like the social norm of helping a fellow person with something mundane.

Finally, Elliot makes extensive use of OSINT at home where he researches his target, through the use of social media and other online sources. This information is leveraged in Elliotts preemptive attack, a vishing attack on Mr. Hansen. Vishing is the use of voice calls to obtain information or system access. In this example, Elliott pretends to be Mr. Hansens bank, and quickly establishes a fake breach as an excuse to ask  security questions from Mr. Hansen. The speed is crucial here, as Mr. Hansen quickly becomes suspicious but has already answered the questions.

Attack

For the actual attack, Elliott attempts to breach Mr. Hansens social media account. This is done using a brute force attack. The point of the phone-call covered earlier is to utilize that information in a tool to test many possible passwords. Usually people utilise simple, predictable passwords relating to their own life. This makes brute force attacks very effective with minimal required reconnoitring. As Elliott asks for, things like favourite sports teams or pet names are typically found in big password leaks. For this particular attack, Elliott starts off unsuccessful, but recognises that Mr. Hansen is using a fake name, as he is cheating on his wife with Elliots shrink. While not shown in the show itself, it is implied Elliott is then able to breach Mr. Hansens real social media account as he later confronts him about the affair using his real name at his real address.

Elliot during the attack, note the commandline on the left and the packet sniffer on the right

For the main attack phase, Elliott is making his attack from a machine running Kali Linux distribution. This is a popular real world distribution of Linux used for pen-testing and hacking. His attacks are made from the command line interface, that unlike many of its peers, this show accurately depicts. While not directly used in any of the scenes covered, some form of packet analyser is seen on Elliott’s second monitor. This looks similar to, assuming it isn’t exactly, the packet analyser Wireshark, a very common tool used in attack analysis and pen-testing. For the brute force attack depicted, a tool named Elpscrk is used. This is very similar to real life tools such as BruteX or GoBuster. Subsequent to the shows airing, user D4Vinci on GitHub has created a functioning version of Elpscrk, and therefore the show is now retroactively accurate in the portrayal of its brute force attack.

For a technical summary of the attack, it is portrayed exceptionally accurately. The show depicts its attack in a way that undoubtedly can, and likely has, transpired. From the use of social engineering and OSINT to technical tools displayed the show has clearly put the effort in for authenticity and realism.