Warning: This piece contains minor spoilers for the most recent episode of Mr. Robot (S2E9)
Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involvesor , the series wants to ground its high-stakes story in a healthy dose of realism.
“The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world’s debt, is a big pill to swallow,” Kor Adana, staff writer and the show’s lead tech producer,. “The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality.”
In the series’ latest episode, hero-hacker Elliot Alderson launches an attack script called crackSIM from a real-world device—Pwnie Express’ Pwn Phone—to allow him to eavesdrop on a cell phone call. As superhuman as the attack seems, it’s yet another realistic portrayal from Adana and his team. Yes, this hack is technically possible. It’s also possible for an attacker to eavesdrop on a cell phone call. But this being a ~50 minute cable series, creative license does ultimately rear its head. And unfortunately, the hack Elliot used wouldn’t actually enable the eavesdropping, as we understand infosec today. Instead, the show (rightfully) took a few artistic liberties when demonstrating how such an attack would happen.
A Pwnie party
Ars got a bit of a preview of the attack from the folks at Pwnie Express. As they discussed with us on this week’s Decrypted podcast (embedded below), the company was contacted by the producers of Mr. Robot to take part in the plot. Pwnie was able to take a small role in discussing what is and isn’t possible with the series staff during production, and ultimately the team was thrilled with the results. (After all, as the clip above shows, Elliot calls the phone the ultimate hacking device. Later in the episode, this attack earns him the title of “master” from a group of international hacker mercenaries called the Dark Army.)
in its previous incarnation and once even (don’t worry, he agreed to it). But since the Pwn Phone plays such a prominent role in this hack on this show, we wanted to talk with Pwnie’s vice president of marketing Dmitri Vlachos and director of product development (and former Air Force cyber operator) Yolanda Smith about this “crackSIM” attack. Even if it’s been fictionalized, could someone pull off what Elliot was doing in the real world?
CrackSIM is not included by default on the Pwn Phone, and that’s because it is a fake program scripted by Elliot within the show’s universe. But Smith said there’s research that suggests the capability of crackSIM, which broke the encryption on the SIM card, is plausible. Research presented by Karsten Nohl of Security Research Labs at last year’s Black Hat demonstrated that if an attacker had physical access to a SIM card, a hard disk full of pre-computed potential keys, and full knowledge of what the response from a phone to an Over The Air (OTA) update message would be, it was possible to grab a single 56-bit DES encryption key from the SIM. Even SIMs that use Triple DES encryption sometimes downgrade their key to just normal DES when the service they’re connected to requests it. This is the sort of attack that is used in Stingrays, devices used by law enforcement to track cell phones and intercept their calls. [Stingrays force cellular connections down to 2G, weakening the encryption on calls to make them easier to monitor.]
However, Elliot’s hack took only seconds, and that is where, as Smith put it, the show took a bit of “dramatic license.” Elliot also appears to clone the SIM card and use it to intercept calls and listen in on his targets, rather than intercepting the call Stingray-style. Cloning a SIM would only give the attacker the ability to impersonate the victim and take control of the hacked phone’s number; it would not let him intercept calls. That’s precisely what happened earlier this year whenand got access to his Twitter account and other accounts through password resets authenticated from the hijacked number.
When asked how she would pull off the hack herself, Smith said that the most likely route would be to exploit a. An attacker could, using the victim’s phone number, essentially route all the calls to that number through a proxy, allowing “man-in-the-middle” monitoring of calls and SMS messages. (Black Hat, DEFCON, et al: If you’re listening, we’re ready for next year’s Mr. Robot panel.)
Another real world alternative would require proximity to the victim—. A hacked femtocell would allow direct monitoring of the call without having to crack the SIM, because the femtocell decrypts signals it receives to route them over the Internet. [The femtocell has to be associated with the target’s home carrier for this to work.]
[Update: As a few readers have pointed out, the hack in the episode may have involved using the OTA key to send malware to the phone via a malicious text message. It’s been well-documented (as we’ve reported) that acould allow a remote attacker to eavesdrop on a victim using an Android device’s microphone. Cracking the OTA key would allow that sort of malware to be injected into the phone by masquerading as the carrier. That approach is entirely plausible, though it may not have been carried out as quickly as in the episode, despite the use of a cloud-based DES cracking tool.]
Regardless of the series’ staff stretching the truth a tad, the fact that a cable television show goes to the trouble of featuring the Pwn Phone in the first place, and works with consultants and Pwnie Express to ensure the highest degree of realism possible, speaks volumes about Mr. Robot and about overall interest in modern-day infosec. Hopefully, the days of-types are long behind us.
Note: PwnieExpress enjoyed its Mr. Robot experience so much that the company is promoting the unexpected publicity bythrough a contest. Pwnie is also posting links to downloads that will let individuals turn their own Android devices into Pwn Phones.
Hear more from the PwnieExpress team about their big cameo (and from one of the writers responsible for last week’s episode, Lucy Teitler) on our latest Decrypted podcast. If you have feedback, show ideas, or even questions for future weeks, get in touch through the comments section, on iTunes, or via. Host Nathan Mattise will totally upvote your comments in exchange for iTunes ratings.