A Roundtable of Hackers Dissects 'Mr. Robot' Season 4 Episode 1: ‘Unauthorized’

Technologists, hackers, and journalists recap the much-awaited fourth season opener of the realistic hacking show.
October 7, 2019, 5:14pm
Image: USA

It’s been one year, nine months, and 23 days since the sizzling season 3 finale of Mr. Robot, and the show is back for its last season.

This week, we discussed [SPOILERS, obvs] the probability of getting an envelope with a ringing dumb phone with a hacker on the other end of the line, dead man’s switches, hacking cameras at Grand Central Station, and honeypot houses. (The chat transcript has been edited for brevity, clarity, and chronology.) This week’s team of experts include:


  • Emma Best: a former hacker and current journalist and transparency advocate with a specialty in counterintelligence and national security.
  • Bill Budington: a long-time activist, security trainer, and a Senior Staff Technologist at the Electronic Frontier Foundation.
  • Jason Hernandez: Solutions Architect for Bishop Fox, an offensive security firm. He also does research into surveillance technology and has presented work on aerial surveillance.
  • Harlo Holmes: Director of Digital Security at Freedom of the Press Foundation.
  • Micah Lee: a technologist with a focus on operational security, source protection, privacy and cryptography, as well as Director of Information Security at The Intercept.
  • Freddy Martinez: a technologist and public records expert. He serves as a Director for the Chicago-based Lucy Parsons Labs.
  • Matt Mitchell: a hacker and Director of Digital Safety & Privacy at Tactical Tech. He founded cryptoharlem, which aims to teach basic cryptography tools in the inner city.
  • Christina Morillo: a New York City-based information security and technology professional working as an information protector on Microsoft’s cloud & engineering security team.
  • Zachary Julian: Security Associate at the security consulting firm Bishop Fox.

Freddy and His Package

Yael: Are there instances where you get a package with a ringing phone, or is that just in TV/the movies? Like has that happened in real life?


Harlo: I don’t know about in real life, but this is a thing in Black Mirror, and American Vandal.

Micah: For it to happen, Elliot would have had to be tracking the package and waiting outside the building to know exactly when to make the call. Which he was.

Emma: If the phone had GPS enabled, Elliot could have tracked it and known when it arrived, assuming there wasn't already a webcam compromised in there. Elliot also could have been listening in through the phone’s microphone in real-time. He hears the phone arrive. Hangs up. Dials back.

Bill: I'm assuming Elliot had either delivery confirmation or a GPS unit to know when the phone and video was delivered.

Micah: I don't think he would have needed GPS. He could have just watched delivery person enter the building with the package, and as soon as they left the building made the call.

Emma: True, Micah. Even simpler, he had an in-progress call to the phone going.

Jason: There are Android apps that will trigger sending a text or whatever when they're in proximity to a given Wi-Fi access point or at a certain latitude / longitude. It's pretty simple to set up.

Matt: Tasker app does this.

Harlo: It doesn't seem to be Android. It's a dumb phone (probably a Tracfone or something similar). So it's likely Elliot has it tracked via… maybe skip tracing?

Bill: Yeah, it looked like a dumb burner phone.

Micah: I think it was like a pay-with-cash Tracfone, which is the smart way to do it anonymously anyway.


Freddy: The simplest explanation is that he had someone else watching him and tracking the dude and reporting back.

Yael: What's a Tracfone?

Harlo: It's a brand of pay-as-you-go phones you can buy from pharmacies, 7-11s and other places. it has only mobile text and voice; no data.

Micah: It’s just one of several types of cheap phones you can purchase at corner stores in cash. You don't need ID or credit card or anything, and they have fairly cheap options with old flip phones, even today.

Matt: Buying a Tracfone with cash, buying service for it with cash, and then not talking when you call the service number to set it up is a pretty anonymous way to get a U.S. cell phone.

Harlo: I agree with Emma that the easiest way might be keeping a live call on during delivery, then listening for the pick-up. Or having actual surveillance on the office. Or maybe even tapping into any video surveillance on premises.

Yael: He had access to Freddy’s screen too, right?

Bill: I don't think he had access to the screen… maybe he just saw via binoculars that he was watching the video.

Yael: Okay so flash forward to the call. So then Mr. Robot/Elliot is trying to get Freddy to click on a phishing link (which he thought was ransomware, but it wasn’t)—and to copy the .pst file in his inbox to the thumb drive. How does that work?

Micah: Since Freddy was copying the .pst file himself, and not the malware, my guess is clicking the phishing link was simply to get malware on the law firm's network for future use.


Harlo: Maybe this is either 1) a diversion for the IT admin to not notice the immediate export/download of an employee’s entire inbox, or 2) one of those things where you gotta hack the admin to complete the exploit.

Zach: It seems like the malicious link was just to provide an excuse as to why the inbox was compromised.

Freddy: If he had network access, he would just dump the active directory [a Windows service that controls access to shared resources on a network, like user logins and credentials], but the point of the plot was to incriminate the lawyer. It wasn’t about getting the emails. It was about incrimination.

Jason: Owning active directory usually takes a while and it can be kind of a hassle.

Micah: Elliot did need the emails to find all the banking details he needed.

Harlo: But if you want to hide your involvement, you're also pinning it on the mark who "clicked a link, oops totally not an orchestrated op by Mr. Robot."

Freddy: The way to get the emails isn’t really how you would do it if you already have malware on the network.

Micah: PST files are an Outlook inbox. A lot of the big email leaks that get reported on start out as a PST file. He was using a cool tool to import them and search through them, "Expansion Inbox," which I've never heard of.

Yael: So shout out to Iceweasel! We saw it on Elliot’s laptop on the train.

Bill: Debian's Iceweasel had resolved its naming issues with mainline Firefox in early 2016 but remember this is still in late 2015. So they're staying true to the time period.


Yael: Is Iceweasel like an open source Firefox? Wait, isn't Firefox open source?

Micah: Firefox is open source, but there was a trademark conflict for use of the "Firefox" name and logo inside Debian. Debian handled it by just renaming it to Iceweasel and providing their own logo.

Dead Man’s Switch

Yael: Elliot said he could get the videos to send to Freddy’s kids and the FBI… like a dead man's switch

Micah: OnionShare has a dead man's switch feature. You can set a time in the future to start sharing files, and it gives you the Tor onion address right away. It wouldn't work for this exact use case, but you could, for example, tweet an onion address and a date, and if you don't manually close OnionShare before that date, it automatically starts sharing whatever data you want.

Emma: A dead man's switch would be super easy to set up. Have a couple of computers running a check every 10 minutes on a data file, see if it's been 24 hours yet. If it has, send the emails. If not, check again in 10 minutes. The email doesn't have to have the data, just a key and instructions on how to access it. The data can be anywhere. Elliot could check in with infected machines via a command and control system and reset the clock in the data file. The data could be stashed on some random server. The email to the FBI could contain the target’s IP address, user/password and decryption key. The files would be too large to just send to the FBI directly, and if they were forcibly dropped on an FBI system, they wouldn't touch it. But of course, Elliot didn't need a dead man's switch. He just needed the mark to believe he had one.


Bill: I mean I don't think Elliot really wants Freddy to formally do something incriminating, it would be easy enough to frame Freddy, and Elliot doesn't care about laws. Maybe he just didn't have time to code the malware that would do all this email-copying for him. After all, he mentions to Mr. Robot that they only had two weeks to prepare for this target.

Harlo: Two weeks, and everybody's on drugs, so subpar performances all around.

Yael: Haha so much coke.

Freddy: Lawyers reading this chat: please don’t do illegal drugs.

Bill: Clearly you've never been in a 1980s law firm before.

Yael: It’s… not illegal if you don’t get caught?

Harlo: ALSO, it WAS SENT as a DVD. Which he left in the player. So the FBI will see the evidence when they go to his office anyway.

Zach: Perhaps Elliot was expecting him to clean up the evidence instead of killing himself ¯\_(ツ)_/¯. I think eventually it would become public that this law firm's emails were compromised, and Elliot/Mr. Robot needed a plausible excuse in place about why that happened to take the heat off of them.

Grand Central Station

Image Credit: Micah Lee

Grand Central Station

Bill: I like how Elliot mentioned to Freddy to turn off and leave behind anything "with an on/off switch"—but Elliot forgot about the fact that an RFID ping can also be used to determine location.

Harlo: It’s Bluetooth, actually!

Yael: I saw the Bluetooth symbol.

Bill: So is it actually Bluetooth? I mean, cheap RFID cards might have that symbol anyway.


Jason: Most access cards don't support Bluetooth, but you can buy access cards that include Bluetooth low energy (BTLE) beacons. They're a little more expensive and I wouldn't expect a law firm with what looks like kind of cheap IT and security to go for them, but they exist (about $10/unit on Alibaba).

Emma: It could be both RFID and Bluetooth. The presence of a Bluetooth connection is annoyingly used as a layer of security verification by some systems. -_-

Jason: Yeah, the cards I found have RFID and BTLE.

Bluetooth ID card

Image: USA

Zach: It’s interesting he left all electronics behind to go to the station, but I assume he would still be trackable through Tracfone pings to the cell towers.

Yael: Even with a dumbphone.

Zach: Those phones will still ping the cell towers.

Emma: That's not super precise, though.

Yael: Yes, it still pings but is not as precise, at least according to Serial podcast season 1.

Jason: You have to consider the setup time to follow a brand-new mobile phone with a fresh IMEI [device serial number] and IMSI [user identifier].

Micah: Those phones still ping cell phone towers, but I don't see how Dark Army would know which IMSI to try tracking in crowded NYC, assuming they had no idea about this phone thing ahead of time.

Bill: You could use something as simple as this Bluefruit LE sniffer to triangulate the location of the badge.

Jason: There are a lot of apps that scan Bluetooth for navigation. there's even one by Amtrak that is designed to help you navigate Penn Station (it might also support Grand Central now). if you had access to an ad network that fed back Bluetooth MAC addresses within range, you could get pretty accurate tracking.


Yael: How did Elliot get eyes inside Grand Central Station? Did he hack into a surveillance camera or something?

Zach: Seems that way.

Harlo: With an app that I think is made-for-TV. I can’t find it. CamSec Pro? Anybody? But I guess it's worth noting for the audience that, you don't have to restrict your Kali Linux setup to what comes pre-installed. You can totes outfit your Kali USB with persistence [preserving the filesystem instead of wiping everything every time the OS shuts down] and other cool things.

Fred: It’s movie magic for sure, most of those networks require some kind of VPN access and username / password. Hard to believe it’s hacked that quickly.

Jason: There are plenty of internet connected cameras with default credentials.

Micah: I would assume he pre-hacked the Grand Central Station cameras in anticipation of this operation, so he could have spent a few days on it.

Freddy: But to be able to get that level of access and to be able to move PTZ (pan-tilt-zoom) you would need access to the network operations center (NOC) for Grand Central.

Jason: A lot of these cameras are administered through simple web apps that might not be particularly locked down, even the pan-tilt-zoom controls.

Harlo: What if it were 2015/16? What exploits would we have used? Like, any NOC web app exploits that have been long since patched?

Zach: I saw this online from 2006: stationary Bluetooth devices throughout Grand Central Station. Something like that could be exploited by the Dark Army for Bluetooth tracking.


Bill: Who knows, there could be networks that don't advertise with beacon packets that are protected only with WEP [a weak and outdated security protocol for WiFi networks] or something that can be easily cracked. And the cameras often don't have any authentication layer at all, since it's assumed that the network will provide the security layer. I've seen a lot of these in stores, access points that don't send beacon packets but have devices authenticated with them.

Zach: I think IRL, though, the Bluetooth tracking would be difficult to set up. Either stationary devices in advance or some sooper-leet mass phone ownage to turn their devices into trackers, similar to FSociety's FBI hack. I would think the webcams in Grand Central Station are secure but honestly, who knows. That may be the most realistic part of this scene. Like Bill says, it could be a hidden Wi-Fi network secured with WEP and a bunch of security cameras.

Yael: I guess no cameras on the train that Elliot has evil Freddy meet him at?

Christina: I found that super odd. Like cameras everywhere but there, hmm.

Micah: Maybe there were cameras on the train. Elliot did have his hood up; maybe he didn't care.

Jason: Cameras on the train might not be internet-connected, if they exist. You'd have to figure out the network backhaul for that and it would be expensive and tricky (lots of dead zones in cellular coverage) for limited benefit.


Honeypot Houses

Yael: Did Mossack Fonseca have a distress signal/honeypot house where they torture people? How realistic is this?

Emma: As realistic as a hostile actor wants it to be. Formations House (#29 Leaks) wouldn't have. Some of their clients would, though.

Micah: I don't think it was a Mossack Fonseca-like company with the honeypot house, I think it was more like the Dark Army with one.

Yael: Hmm, do we know any IRL cases where people had a honeypot house? I guess they've kept them secret…

Harlo: Whitey Bulger.

Emma: The mob. Escobar, I think.

Micah: It would be really expensive to run a honeypot house. Like, even just having a normal house is expensive.

Bill: Well, when you own the world's currency it turns out you can buy a building in Manhattan.

Yael: With e-coin.

Emma: Well, the building would have served more purposes. It's fake addresses and mailing points. It's full of safe houses and temp housing. It has no prying eyes.

Yael: I know people have owned buildings for sketchy things but I'm not familiar with the process to get folks there via social engineering as opposed to, like, brute force. Do we know any IRL cases where people had a honeypot house? I guess they've kept them secret…

Christina: No but Jay-Z had a stash house on State Street, Brooklyn.

Harlo: Trump Foundation; I’m just throwing it out there.

Yael: I mean there was that newspaper that owned a bar in the greatest act of undercover reporting of all time…


Harlo: Something I dig about the honeypot house: cellular dead zone. Essentially a SCIF.

Emma: That can be done with the right paint, or even tape. DoD used to have its own special tape that could basically Faraday any surface. Make sure radio signals can't penetrate, soundproof, all panels secure. Often it has entrances guarded. It's usually in a government building of some sort, but Rockefeller had one in his barn IIRC.

Yael: “This doesn't feel right! The building is owned by E-Corp!" (Jump, Elliot, jump!)

Christina: Or like, don’t fucking go in, Elliot.

Bill: They couldn't get out the window. That's why you should Always Carry A Bat.

Harlo: Or a tactical pen?

Yael: And a ladder!

Harlo: Oh also, Christian Slater says something like "be careful, you're on the owner's Wi-Fi," which… hey hackerman: turn your radios off when not in use.

Micah: Did you all notice that at the end, when the Dark Army people were forcing Elliot to overdose, that he has a very old school rotary phone?


Micah: Man, in season 1 they were all like, "Let's get the Dark Army to help us with the China data center backups," and by season 4 I think they're understanding that was probably a bad call.