Hackers Dissect 'Mr. Robot' Season 4 Episode 9: ‘Conflict’
(Source: vice.com)

Episode 9 of Mr. Robot’s final season was not only amazing plot-wise but also happily filled with hacks. We discussed [SPOILERS, obvs] IMSI catchers, Raspberry Pis, PGP, phishing telcos and stealing cryptocurrency. (The chat transcript has been edited for brevity, clarity, and chronology.)
This week’s team of experts includes:
Em Best: a former hacker and current journalist and transparency advocate with a specialty in counterintelligence and national security.
Trammell Hudson: a security researcher who likes to take things apart.
Micah Lee: a technologist with a focus on operational security, source protection, privacy and cryptography, as well as Director of Information Security at The Intercept.
Freddy Martinez: a technologist and public records expert. He serves as a Director for the Chicago-based Lucy Parsons Labs.
Yael Grauer (moderator): an investigative tech reporter covering online privacy and security, digital freedom, mass surveillance and hacking.
IMSI Catchers
Yael: I thought it was clever of Darlene and Elliot/Mr. Robot to use IMSI catchers.
Micah: I've never had a chance to play with one for real, but they're also referred to as "cell site simulators" because they simulate cell phone towers. Your phone tries to connect to the tower with the strongest signal, so in order to do a man-in-the-middle attack against cell phones, you just need to broadcast a stronger signal than the nearest cell phone tower and nearby phones will connect to your IMSI catcher instead. Then, you forward the traffic to the real cell phone tower, so the phones will still work, but you can spy on/modify all the traffic in the meantime.
Yael: I’ve written about them before, but it was about law enforcement use of them for surveillance. They can’t intercept Signal messages, right? So if Deus Group just read a Freedom of the Press Foundation guide, Darlene and Elliot's plot would be foiled.
Em: It will intercept the Signal data, but messages are encrypted until they reach the recipient’s device, so it's not enough to just intercept it.
Micah: Their plot wouldn't have been foiled because Cyprus National Bank still sends two-factor authentication codes (2FA) over unencrypted SMS. I thought it was a nice touch how much Raspberry Pis were represented. In the first scene, in the hotel, the camera panned across some Raspberry Pis, and Darlene was logged in to a Raspberry Pi during the garage door hack.
Freddy: The Raspberry Pi 3 uses USB 3.0, which is fast enough to run a homemade IMSI Catcher.
Em: Homemade antennas are fun. =)
Yael: Oh, did they make their own?
Freddy: You can make your own. I think those are LimeSDRs.
Price’s Last Stand
Yael: We had Price in yet another hostage situation.
Em: Yeah, he handled it very well. The traditional ways of getting out of a hostage situation weren't going to work there, but he did several important things for the situation he was in:
1. He kept calm. This is the most important thing. If he had panicked he'd have been killed a lot sooner.
2. He kept Whiterose off balance. His teasing and taunting was beautiful to watch, especially the "wind in his hair" bit.
3. He didn’t give up any important info to accomplish number 2.
4. He provoked Whiterose when they were both visible outside. Walking away after saying what he said almost guaranteed not only that he'd be shot there but that Whiterose would do it—in public.
Yael: My favorite taunts were, “it’s bad management when your best employees either walk off the job or blow their brains out,” and “all this over a little pipsqueak in a hoodie.” I think Price kind of didn't care if he died after Angela died.
Em: I think he didn't care if he died but he wanted to get Whiterose first. Once he handed off the drive (which he did right before going to the meeting), he had accepted his fate.
Freddy: You can't control people who have nothing to lose.
Em: Or to gain.
Micah: I like how Mr. Robot explained why he was there in the hotel room, instead of Elliot, by saying, "Life throws you an error code like that, you don't have the luxury of a fucking pop-up explanation."
The Bank Heist
Yael: Okay, so let’s talk about the hack. They said they needed to correlate phone numbers with bank account numbers to initiate the money transfers.
Em: They needed that for the script so they'd know which 2FA code to use for which request. Otherwise they'd have to brute-force it for each account, and that'd likely trigger a safety measure.
Micah: So Elliot and Darlene seem to have a SQL database from the bank, and their database includes account numbers, first name, last name, and hashed phone numbers. They needed to use the IMSI catcher (and the cell phone tower hack) to learn everyone's phone numbers, so they could hash them and then look up the hashes in the bank database until they had phone numbers for all 100 accounts.
Em: That's pretty realistic, FWIW. An equivalent of that was one of the first things we pulled from Phineas Fisher’s h...