Episode 5 of Mr. Robot’s final season was riveting. We discussed [SPOILERS, obvs] burning evidence, fake ideas, physical security, social engineering, firmware updates, lockpicking, 3D fingerprints, and more. (The chat transcript has been edited for brevity, clarity, and chronology.)
This week’s team of experts includes:
- Emma Best: a former hacker and current journalist and transparency advocate with a specialty in counterintelligence and national security.
- Bill Budington: a long-time activist, security trainer, and a Senior Staff Technologist at the Electronic Frontier Foundation.
- Jason Hernandez: Solutions Architect for Bishop Fox, an offensive security firm. He also does research into surveillance technology and has presented work on aerial surveillance.
- Harlo Holmes: Director of Digital Security at Freedom of the Press Foundation.
- Trammell Hudson: a security researcher who likes to take things apart.
Trammell: That episode was so [ＡＥＳＴＨＥＴＩＣ]. I loved that it started with "We don't have to talk," then had ZERO dialogue, and ended with "It's time we talked". It felt like the bold stylistic decisions the show was making back in the earlier seasons.
Emma: Agreed, the aesthetics were very good. It's one of those episodes I'll enjoy watching a breakdown of by film buffs on YouTube. I know there was a lot I didn't get.
Trammell: So many film references and tropes… also looking forward to the film buff analysis.
Yael: I like how they played “Ode to Joy” right when Darlene found Elliot. I also like how it started out with Elliot trying to "burn the evidence" but, like, burning doesn't always destroy forensic evidence.
Emma: Under the circumstances, it was nearly the best they could do. I would've tried to keep the doors secured shut but broken any side and rear windows (leaving the front windshield intact if possible). That guarantees airflow and maximizes convection, raising the temperature. We're dealing with digital data, and physical damage to the medium helps, but the data can be reconstructed out of heavily damaged materials in ways that it couldn't a few years ago.
Yael: They zoomed in on an automated license plate reader (ALPR), though. ALPRs don't just take license plate images, they also capture photos of drivers and passengers, too.
The Crime Scene
Trammell: Did Dom do anything on the scene, or was it all implied that she handled it by her being there?
Emma: I think she was just looking around and trying to get info.
Yael: Yeah, Janice tells Dom to use her FBI credentials to intercept intel and ID the body… but can you do that? I thought the FBI only had jurisdiction to investigate state crimes if it involved interstate travelers, serial killers, etc.
Trammell: "You give me any of that 'juris-my-dick-tion' crap…"
Emma: She said in a Signal message that she didn't get access on the scene, and that was why she went the other route.
Yael: Her donut phone hack was pretty clever. But I was wondering, why is Dom writing down the license plate numbers of Dark Army vans near the end of the episode? Isn’t it a bit late for that?
Emma: I'm also not sure why the FOUO markings were crossed out on the document Dom looked at. That's something you'd see if it were downgraded or approved for public release, but that wasn't the impression I got with it, especially since there was a color picture attached. You don't usually get that in FOIA releases or leaked documents, lol.
Trammell: Yeah, that clearly wasn't a real FOIA since it didn't █████████ █████(b)(4) and hadn't been photocopied at least ██████ (c)(1) times.
Yael: Price getting a “bill” that’s a note and then getting the dry cleaner address from a trombone player and then another address in his dry cleaning was pretty clever. I’ve seen people set up two meeting locations (you meet at the first to get the address for the second) but I’ve never seen something like that IRL.
Emma: Price chasing the meeting info was a fairly realistic example of when people (or their trusted minions) have to put in the legwork of setting something like that up.
Trammell: Although what's the point of sending Price on an item quest?
Yael: I think to avoid someone else finding out where they're meeting.
Emma: It's also counter-surveillance. Making numerous stops makes it easy to compare anyone showing up at multiple points, and the travel distance provides more opportunities to watch for them. "Running errands" can be a great way to ID a tail. Do it long enough and you can even ID a team working in tandem.
Yael: I like how Darlene used an AlphaCard Pilot ID card printer for her fake ID, and that Elliot was scouting Virtual Realty’s security, which was conveniently described on its website.
Bill: But… just because she printed the ID doesn't mean it's valid. By the way, Darlene's fake ID is for "Dolores Haze", who is a character in the novel Lolita by Vladimir Nabokov.
Trammell: Darlene has been using the Dolores Haze moniker since season 1, and it’s how she is listed in Elliot's Signal contacts.
Yael: Darlene’s socially engineered costume was pretty effective, as well as “dropping her purse.”
Bill: Then Elliot comes in with his mad dash to the access control station.
Yael: …and then Darlene "forgetting" her phone was a nice touch.
Trammell: The guard watching Die Hard is more evidence that Die Hard is a Christmas movie.
Harlo: The guard at Virtual Realty did all he could do, but they still got pwned. For a Common Access Card, it's recommended to have a photo printed (for the human to verify) and a chip (for machines). Darlene's fake ID was definitely going to fail on the machine-readable side, thus it falls down to the human to verify. But, what can you do when someone inserts the matching photo ID into the employee database?
Harlo: It’s interesting to think about co-tenancy as a vulnerability.
Trammell: That’s a good point. At many colocation centers that I have visited there is a guard to let people into the server room, but all of the tenants have private cages with locks that the guards explicitly do not have access to.
Harlo: My question about tenancy has to do with the unique ability for attackers to pivot from one point of access to another [e.g., gain entry to the gym but wind up in the server room]. That is sooooo 2010s—actually, not uniquely 2010s, even though we have coworking spaces that make that simpler.
Trammell: To update that for 2019 you could probably pull off a coworking space attack against someone with a MacBook and an Apple Watch. Wait for them to go to the restroom or get another coffee and you can probably unlock their machine with the watch’s Bluetooth while they are still close enough.
Harlo: I guess the main problem here is that the company that manages the building has complete access to everything its tenants are leasing. I wouldn't think it super wise for building management to have access to the server floor, but they did, and that's how Elliot and Darlene got in!
Jason: Yeah, I think the physical security would fail most audits.
Harlo: IT ALWAYS DOES.
Jason: The physical access controls at Virtual Realty are just not up to what I'd expect for even a cut-rate colocation provider.
Yael: 20/20 hindsight, but I feel like the guard had bad peripheral vision, and he was super slow.
Trammell: He moved at the speed of the plot.
Jason: The guard didn't ask why she was there on Christmas day.
Harlo: True. He wanted to be nice. Also, they took advantage of the partner's smoke break or whatever. That's why you have a buddy system, to help you double-check your judgement.
Jason: She's not dressed like anybody who is coming in to work on a server on Christmas day.
Yael: What would her costume have to be?
Jason: More casual. Or some kind of work uniform, if one exists.
Trammell: Seems like a random server maintainer costume for a visit on Christmas day would be whatever she happens to be wearing when she got the call to deal with maintaining the server.
Yael: I feel like women can't always get away with the jeans and hoodie look, though. There are double standards about what people give you shade for wearing.
Jason: Agreed that there are double standards, but there should be some kind of a consistent narrative about why she's coming into the building on Christmas day, ideally designed to exploit the security staff's likely expectations. I think she would have been better off coming into the building in the yoga outfit, saying she's on call and she got paged out of yoga. She could say a hard drive died on a production server and she's new so she got stuck with being on-call over the holidays.
Trammell: I'm not sure I've ever had the ground floor desk ever ask me why I'm coming into the office on a Sunday or after midnight or anything. That's really not their job.
Yael: Would she bring her badge to yoga?
Jason: If she's on call, she better.
Harlo: Darlene's first look provides excellent contrast with her second look: basic Barbie yoga gear. Pretty lucky, if you ask me.
Yael: Well, she also was able to think quickly, too. She’s so good at social engineering.
Yael: Elliot got through that combo lock wirelessly with his laptop pretty quickly.
Trammell: That seemed unrealistic. There are hacks against some electronic locks, but most require some sort of connection, and likely some detailed recon to know what models are in use. The camera maintenance panel login was admin/admin. That is 100% realistic.
Yael: So, Elliot updated the firmware, which somehow made the elevator cam turn off… Does it just turn off when the firmware is upgrading? And there’s really no way for anybody to cancel it?
Jason: Firmware updates often overwrite really critical components of memory and disruptions to the process can leave devices in an unusable state, i.e. making it a brick. Software to update firmware usually tries to protect users from this, so there's typically not an easy or safe way to stop an update. Seemed clever to black out cameras with a firmware update.
Trammell: The firmware update running serially (0/152) and taking down the entire system is 100% realistic.
Yael: What does running serially mean?
Trammell: One at a time. So rather than saying "All cameras! Update your firmware!" it says "Camera 1! Update!" and waits for it to finish, then says "Camera 2! Your turn!"
Yael: I guess they should just prevent getting pwned by keeping their firmware updated.
Harlo: Or maybe it explains why they never update.
Emma: Darlene staring at the elevator camera like a total goober was painful to watch.
Yael: Maybe she assumed they'd erase the tape.
Emma: You can't count on wiping the footage, and staring at the camera waiting for it to go out is a dead giveaway that you were involved, while giving them a direct look at your face.
Trammell: It certainly made the break-in easier to have the Kraftwerks makerspace and chemlab in the same building. (And their slogan "Do. Make. Live." is similar to NYC Resistor's "Learn. Share. Make.")
Bill: Regarding the 3D printed fingerprint mold, a 3D printed fingerprint got past Samsung’s Galaxy S10 fingerprint sensor earlier this year. We see the fingerprint is crafted into a .gcode file. "A GCODE file contains commands in G-Code, which is a language used to describe how a 3D printer should print a job."
Yael: Elliot is really good at picking locks. I thought they did a good job of showing how when Darlene and Elliot had some access they could use it to get more access. So, uh, smart move of Elliot to cut the power when the guard goes in to investigate but I think he should’ve shown Darlene the clock much sooner. Also, in my 20/20 hindsight backseat hacking, I think they should've disabled all the security guards’ elevator access.
Trammell: PLC hacking was a nice touch. Although as with many things in the show, Elliot's ability to break into every system without any recon is a bit unrealistic. Why doesn't Darlene just say hi to the guard? She works for the company in server maintenance. That seems like she should be the one in the cage. Elliot could hide somewhere.
Yael: I liked how Elliot and Darlene ended up having two wildly different escape strategies. Elliot bought some time with the zip line on the one door but then had to attack and run into traffic, while Darlene just posed as a gym-goer.
Emma: Darlene hiding and then changing her coat and walking out was a good move, but she should've been stopped. Regardless of chasing Elliot out, the police should have kept the building sealed and questioned anyone coming out—or at least checked their ID. But at least she changed her coat. If Elliot had had enough sense, he would do that instead of plowing into civilians and making a scene after he was out of the cops' line of sight.
Yael: Yeah, I think Elliot should take off his hoodie when running from the cops. Not that there was time or that it would've helped.
Trammell: After he ran through the couple and tripped over the pram, did anyone else expect Elliot to run through a pane of glass that two workers are carrying across the sidewalk?
Emma: I noticed tipping over the carriage full of cans. Definitely a moment of panic before it became clear that it wasn't a baby in there. (Yes, I know it's not real….)
Trammell: It was full of cans!
Trammell: A question I asked last week: if this operation is going down TONIGHT, why are they being so careful to cover all their tracks? It seems like they need to be burning the bridges at both ends at this point.
Emma: Because they still need it to take some time to find them.