TV Show Mr Robot analysis

Broadcast since 2015, Mr. Robot is an American TV show which highlights important cybersecurity issues. The hero, a hacker named Elliot, is involved in cyberattacks against the biggest organizations in the world such as international banks. Well researched, this TV show presents a very realistic representation of hacking and its methods. Let’s focus on a particular episode to decode how the hero proceeded with his cyberattack in 8 steps:

  • Elliot: the main character who is a hacker.
  • Darlene: Elliot’s sister and also a hacker.
  • Shayla: a friend of Elliots.
  • Vera: a criminal (drug dealer) in jail because of Elliot. He kidnapped Shayla in order to demand Elliot’s skills.
  • Isaac: Vera’s brother, also a criminal (drug dealer), who is following Elliot in order to be sure that he will perform Vera’s demands.

Elliot must help Vera to escape from the prison. He has to find a way to hack the prison otherwise, Isaac will kill Shayla.


Step 0: Mobile phone hacking

Before starting anything, Elliot searched on the Internet to find the cellphone number of Isaac. Later in the episode, we will discover that Elliot hacked Isaac’s cellphone to grab all information about the criminal organization.

Elliot performed this attack as a life-insurance. Indeed, he grabbed all information about the drug organization and used a script which is developed to, once per day, automatically leak all information if Elliot himself does not deactivate it.
Editor’s note:

The serie does not explained how and when this cellphone attack was performed.


Step 1: USB key infection

Darlene dropped malicious USB keys near a police station. A policeman found one and plugged it into his computer which seemed to be connected to the police network. The Policeman opened the USB key and a popup appeared as an advertisement proposing a discount to buy music on a website called “eTunes” (scam to iTunes). Suddenly, the Avast antivirus raised an alert saying that a malicious code using Internet Explorer has been blocked. At this moment, the policeman has a reflex to cut the power off.
Editor’s note:

The infection displayed by Avast is JS:ScriptPE-inf. It means that a web page containing malicious JavaScript code has been detected. Elliot has probably hosted the malicious JavaScript code on a web server. The malware on the USB key requests this malicious web server to infect the policeman’s computer through Internet Explorer.
From his flat, Elliot said that the connection to the infected computer has been lost.
Editor’s note:

Elliot is logged on a shell as root@elliot (bad to stay as root…), typing “ssh” and obtaining an error message saying “Connection closed by remote host”. Obtaining this message is strange because it means that a connection has been initiated.

Two points are interesting at this step:

The JavaScript downloaded an ssh server on the policeman’s computer, executed it and Avast blocked this threat. In this case the connection would have been impossible and the message different.
In addition trying to reach a ssh server is pointless. Even if the attack succeeded, we hope that this policeman’s computer is not directly connected to Internet with a public IP. So, even if the malware installed a local ssh server, Elliot would not be able to reach it from outside.
But wait, let’s make an assumption, what if the ssh server was not to reach the policeman’s computer but a command and control (c&c) server controlled by Elliot?

First, it would not have been smart to control this c&c through ssh. Indeed, even if the whole communication is cyphered, tracing this direct communication is easy and so dangerous for Elliot.
But just in case, we looked at the IP address used by Elliot. The IP address is located in Taiwan:

descr:          Government Service Network (GSN)

descr:          No.21-3, Sec. 1, Xinyi Rd., Zhongzheng Dist., Taipei City 100, Taiwan

descr:          Taipei Taiwan 100

The IP address is truly controlled by the Government but in Taiwan. The policeman is supposed to be in the United States. The director probably made this choice to avoid publishing a US government IP range. A breath of Rapid9 (Rapid7) is made through a discussion on developing the exploit. This is funny because later, Elliot will use Metasploit with meterpreter.

Elliot is angry with Darlene who used an exploit detected by Avast and named her “Script Kiddie”. A “Script Kiddie” is a type of hacker who does not have deep knowledge about hacking but more about using public hacking tools without understanding them.

Step 2: PLCs control

Because the previous attack failed, Elliot started again to search a new vector to infect the prison.
Editor’s note:

On his screen, we can see a whitepaper from 2011 written by Teague Newman, Tiffany Rad and John Strauchs called “SCADA & PLC VULNERABILITIES IN CORRECTIONAL FACILITIES” (PLC-White-Paper_Newman_Rad_Strauchs_July22_2011.pdf).


As one example, a very large prison cannot instantly and simultaneously open or close all doors. The power in-rush would be massive, destroying the electronics and possibly physically damaging door components. The doors are gradually cascaded, group-by-group. If we controlled the PLCs, we could override the cascade program.

Even a conference at the DefCon 19 has been performed.
At this point, Elliot just found a way to open all cells and perform the escape but he still need access to the jail’s network to control PLCs.

Step 3: Wireless signals: Wi-Fi

Elliot went near the prison and started doing some wardriving by foot with his cellphone (some warwalking 😉 ).
Editor’s note:

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle. The goal can be finding open access points; mapping the Wi-Fi network…
With no results, Elliot decided, as a common visitor, to meet the criminal inside the prison. The goal was to reach any of the prison’s wireless signals. Unfortunately, all signal were properly secured using WPA2 and in the time frame he had it was too short to capture and crack the handshake.
Editor’s note:

A short view on his mobile phone shows the usage of Kismet on Android. Kismet is one of the most famous and common tool to sniff Wi-Fi wireless networks. Indeed, this software provides a list of reachable Wi-Fi wireless network with all associated details including the encryption method and users connected to which access point.

Soft Kismet

Step 4: Wireless signals: Bluetooth

Outside, Elliot noticed a Bluetooth device around him corresponding to a police car. A Bluetooth keyboard was on the car dashboard.  He deduced that the car was connected to the CCTV network of the prison through a 4G network.
Editor’s note:

Attack design:

Elliot —Bluetooth—> police car (Bluetooth keyboard + computer) —4G—> Prison network —?—> PLC to open cells doors.
Moving from the Prison Network to the Industrial Network is possible only if they are connected. It is an assumption by Elliot.

Global interconnection

Step 5: The remote access

Darlene stopped and distracted a policeman in his car to immobilize the car. At the same time, Elliot hacked the Bluetooth keyboard from the police car and took remote control of the embedded computer blindly.
Editor’s note:

The police computer has to approve the new Bluetooth device. A solution for Elliot would have been to spoof the keyboard in the police car previously approved on the computer. A brute force attack would have been possible but needs more time.
IS IT POSSIBLE? Not so easily.

Step 6: The infection

Elliot downloaded and executed on the police car computer an executable program called PLCpackage.exe. He downloaded this file from a ftp server.
Editor’s note:

The IP address requested is located at:

OrgName:        Akamai Technologies, Inc.

OrgId:          AKAMAI

Address:        8 Cambridge Center

City:           Cambridge
This means that the police car has Internet access which is not that surprising. Nowadays, being connected to internet is quite useful to have access to additional information like social networks.

Step 7: The exploit

Once the infection was performed, the car went away and Elliot used a meterpreter through Metasploit to run a package called PLCpackage.rb.

Following this, Elliot performed a process migrating to keep the connection and inject additional dlls on the target.
Editor’s note:

We can suppose that the exploit is composed of several layers:

  • A payload doing a reverse meterpreter connection from the computer in the police car to Elliot’s meterpreter server session. The migration is used to move the meterpreter client from the initial infected process to another more common one like a Windows one. Thus, it can avoid detection and able to retrieve the connection even if the computer is rebooted.
  • A worm spreading inside the prison network to find the SCADA station.
  • A last layer containing the exploit, wait 21h49 and order the SCADA to activate PLCs.

Another possibility is:

  • A worm spreading inside the prison network to find the PLC network and PLCs controlling cells doors.
  • A new malicious industrial program is downloaded on each PLCs to open doors at 21h49.

Regardless of the exploit itself, the series does not explain the way that Elliot retrieved all information regarding targeted PLCs.

Indeed, in order to develop this exploit, Elliot needs:

  1. The type of targeted PLC → To know how to find and communicate with it
  2. The installed firmware → To determine if there is any vulnerability
  3. The current installed program to analyze it or the industrial process → To know which parst have to be modified.

The link between OT (Operational Security) and physical impact is quite complex and different from one equipment to another. Some PLCs uses Modbus protocol, others S7, BACnet…

In addition to the way to communicate with the PLC, it is mandatory to have information related to the industrial configuration. In this example, Elliot does not know which output of the PLC is related to the function “Open Cells Doors”.

Hereafter, an example of a cell door controlled by a PLC. The interconnection is quite complex and cannot be “guessed”:

Cell door controlled by PLC

Additionally, each door can be operate differently. For example, the perimeter gate is also operated by a PLC but the engine and the contactors may be different:

Perimeter gate operator controlled by PLC

That’s why targeting industrial networks to change a function in a facility process needs to analyze the program first or at least know which type of PLC and registers have to be targeted.
IS IT POSSIBLE? Yes but not so easily and that’s why Sentryo CyberVision is there to detect those kind of threats on OT networks…
This global scenario is quite interesting and the realism level is quite good!

Fsociety Mr Robot