4 Cloud Security Lessons from the Hit Show ‘Mr. Robot'

A month ago, the USA Network hacker drama Mr. Robot ended. The show, featuring breakout star Rami Malek playing the paranoid vigilante hacker Elliot Alderson, was lauded among information security experts for its realistic portrayal of both hacker culture and cybersecurity in general. This isn’t surprising as many cybersecurity professionals like Ryan Kazanciyan, a security engineer at Facebook and former CTO of Tanium, and Marc Rogers, the current VP of Cybersecurity Strategy at Okta, served as consultants for the show. Although Elliot’s hacking days are behind him, we thought it’d be worth entering the world of Mr. Robot one more time to cover four of the show’s most interesting hacks and the real world security lessons they provide. While this post contains spoilers for the hacks themselves, we’ll be keeping the details about the plot points surrounding these hacks to a minimum.

1. Hacking E Corp - Steel Mountain [S1e5]

“Nothing is actually impenetrable. A place like this says it is, and it’s close, but people still built this place, and if you can hack the right person, all of a sudden you have a piece of powerful malware.”

The Hack: From the first episode, it was apparent that Mr. Robot was a different type of show—a drama that didn’t question its audience’s intelligence and solved plot complications through the use of grounded technical solutions. But the hack featured in episode five of season one truly pushed the envelope. It involved the titular character, “Mr. Robot” (played by Christian Slater) and his hacker collective fsociety infiltrating a secure data storage facility owned by Steel Mountain, a reference to the real world company Iron Mountain. While fsociety’s purpose was to destroy backup data tapes belonging to the financial conglomerate E Corp, the attack vectors used in the hack could also apply to the exfiltration of data on digital systems as well. Using social engineering, the protagonist Elliot is able to get two employees to break protocol and leave him unattended during an off-record facility tour. After a windy detour, Elliot implants a Raspberry Pi into an HVAC system, which he later uses to raise the temperatures of rooms storing magnetic data tapes in order to ruin them.

The lesson: With the Steel Mountain hack being one of the most impressive in the series, there are lots of lessons it offers both technical and non-technical viewers alike. The most apparent lesson is the sheer havoc that social engineering can bring down on any person or organization. Alongside this lesson, though, is another that should matter to companies. When choosing a vendor—be they a data storage facility or cloud service provider—it’s critical to have a solid grasp of their responsibility in securing your data. Part of this is understanding what certifications and standards the vendor satisfies and then assessing whether their practices will help you meet your compliance and security goals. It’s also important to understand how a vendor breach, regardless of how unlikely it might seem, may affect your own organization’s disaster recovery plans.

2. Hacking the FBI [S2e5 - S2e6]

“Step three, a reverse shell two-stage exploit the ideal package - load the malware into a femtocell delivery system, my personal cell tower that will intercept all mobile data.”

The Hack: Season two’s big hack involves Elliot writing Android malware exploiting a zero-day vulnerability present in FBI standard-issue phones to throw off the investigation into fsociety’s activities. From the details provided in the episode, Elliot’s malware is created with Metasploit and leverages a real remote code execution vulnerability found in Samsung Knox back in 2014. Delivery of the payload is carried out in episode six of season two with a femtocell, a device used to boost cell coverage within buildings. Kor Adana, the show’s lead technical consultant, has gone on record about how he was inspired by a 2013 Black Hat presentation detailing how femtocells could be modified into effectively behaving like IMSI-catchers, or stingrays, to intercept or modify cell traffic.

The lesson: Like with the Steel Mountain, there are a lot of good takeaways from season two’s best hack. As with your service vendors, the devices and programs you allow on to your networks should also be certified and vetted. You should also consider whether the developer of a piece of hardware or software you intend to use has a history of discovering and responsively patching vulnerabilities. Your organization might also want to invest in vulnerability management solutions to help you stay on top of the potential security risks posed by undiscovered vulnerabilities. The goal of a good vulnerability management program isn’t to make you fully immune to cyberattacks, but to help you come up with appropriate mitigation strategies for potential risks before they occur. Finally, given that you can’t easily determine when and where employees may be accessing company resources, it’s imperative to have controls in place that can secure company data both on-prem and elsewhere.

3. Hacking E Corp - ‘Stage two’ [S3]

“Come on. Still have plenty of work to do.”

The hack: During season two, we learn that the plan to target E Corp has two stages. Over the course of season three, we watch stage two unfold. Stage two is made possible by two critical components—misconfigured servers and an insider within E Corp. In episode one of season three we see Mr. Robot learn that his backdoor access to E Corp has been eliminated. In response, he heads to Shodan.io, a site known as “the world’s first search engine for Internet-connected devices.” Shodan crawls the internet discovering devices with open ports, often as the result of misconfigurations. Among the many things that have been found by real world researchers on Shodan is a particle accelerator. While using Shodan, Mr. Robot enters a query for E Corp servers running Apache Tomcat and uses one of these servers to stage the hack. This was timely in that season three of Mr. Robot aired in the fall of 2017, which is when the infamous Equifax breach occurred. E Corp, like Equifax, found itself susceptible to a type of Apache server vulnerability. What really brought the hack home, though, was that an E Corp insider was committed to seeing stage two through. This insider played a pivotal role in helping monitor potential responses to the Apache vulnerability and gaining physical access to key systems.

The lesson: Given that stage two hinged on a misconfigured server, this hack hammers some of the most important cybersecurity lessons from the past decade. Companies need to understand where their data is and what types of security they have in place to protect it. Cloud systems storing critical data or that are otherwise connected to critical systems cannot simply be set up and forgotten. This is why visibility is one of the most crucial aspects of managing and securing cloud systems. Another critical lesson is that organizations tend to underestimate the risks posed by insider threats. As we mentioned in our 2020 SaaS security risks blog post, insider threats are a persistent part of organizations’ threat landscape, and migration to the cloud only complicates the ability to monitor this threat properly. Having strong data policies and controls in place, as well as educating employees on recognizing the signs of unauthorized access by an insider can help address some of this risk.

4. Hacking a shady lawyer [S4e1]

“I left instructions on how to archive your inbox. Copy the .pst file to the thumb drive.”

The hack: Season four opens by setting the stakes and showing Elliot and Mr. Robot hacking a small law firm that created shell companies in the name of the high profile individual they’re targeting. Unable to get to this person directly, they blackmail Freddy Lomax, one of the partners of the firm, into providing them with client email correspondence. While not as extravagant as the other hacks featured on this list, this hack provides a thrilling opening for the final season and sets the stage for a bigger hack later in the season.

The lesson: Here, Mr. Robot once again demonstrates the danger of insider threats, this time through a compromised employee with high-level access. Despite the somewhat embellished blackmail setup, this hack is fairly grounded in that many cyberattacks result from privileged account abuse. Many organizations have few controls in place to detect or notify security teams about what can deceptively appear as an insider exercising legitimate privileges before exfiltrating sensitive data off-network. This illustrates the role that data policy creation and enforcement play in security. Assuming that insiders, whether compromised or not, will always follow intended data and security practices can prove to be dangerous to companies. The hack also illustrates a very common data governance practice, the storage of sensitive information over insecure channels like email. Even if industry regulations don’t inform what practices you should use to manage specific types of sensitive data, you should put into place practices that make breaches less likely. For example, deleting messages with sensitive information after a designated time has elapsed could spare your organization from an incident like the one that happened to Lomax & Looney. The biggest take away from this hack, however, is that security teams can’t see or react to every instance of unauthorized access without the proper tools. It’s become increasingly apparent that security teams need to invest in tools that provide better data visibility and help remediate violations of intended data policies. This is something that DLP solutions (like Nightfall) are designed to address.

Although Mr. Robot has ended, the show has genuinely set the bar for what future media portrayals of cybersecurity and technology should look like. We’re hopeful that someday another Mr. Robot will come along and provide audiences with greater insight into the world of technology.