Secplicity – Security Simplified

The Final Mr. Robot Rewind of Season 3 – Can We Fast-Forward to Season 4?


For a show that’s built its reputation on technical accuracy, Mr. Robot’s season three finale did not disappoint. As usual, WatchGuard Technologies CTO Corey Nachreiner analyzed the hacking accuracy or “hackuracy” of the final episode in his weekly Mr. Robot Rewind series on GeekWire. We saw Elliot use several realistic hacking techniques to recover the encrypted keyloggers that his old Fsociety comrade Romero set up to record Fsociety building the 5/9 hack malware. Hidden in these keyloggers is everything Elliot needs to accomplish his season-long quest of reversing the immense damage caused by the 5/9 attack.

First, Elliot runs several Python scripts to pull lists of lyrics to Romero’s favorite music. While the exact script he runs does not exist in real life, several very similar scripts do, and the concept is solid. Why does he do this? Here’s an excerpt from Corey’s article that explains how this information can help Elliot crack Romero’s keyloggers:

“One way to speed up brute-forcing is a dictionary list. Rather than randomly incrementing characters, a brute force program will start by using a list of words from a dictionary you define. They can even use combinations of these words. However, Romero is probably also smarter than normal dictionary attacks, and would pick a longer password, or a passphrase, or something totally random.

This is where a custom dictionary might come in. Hackers that know a lot about their victim can cater their password dictionary to that specific victim. In this case, it appears Elliot is presuming that Romero’s password will involve music from his favorite artist. He downloaded these lyrics to use in a custom password dictionary.”

The following scenes showing Elliot executing his brute force attack are 99 percent accurate. Even with a dictionary list, a real brute force attack would take longer than the show depicted. But that’s a very small concern. Without a dictionary list, a brute force attack against a password with more than 10-12 characters is a huge stretch even with today’s technology. Well done to the Mr. Robot team for showing a realistic way around this issue!
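The same reasoning works as a defensive password-audit check: a long passphrase lifted from public text is only as strong as the list of phrases it came from. The sketch below is an added example, not code from the show or from Corey's article; the corpus is constructed sample text (not real lyrics) and all function names are hypothetical.

```python
import math
import re

# Constructed sample text standing in for a public corpus (not real lyrics).
SAMPLE_CORPUS = """
We ride the midnight train to nowhere
Neon rivers running through my veins
We ride the midnight train forever
"""

def tokens(text):
    """Lowercase the text, drop apostrophes, and split into alphabetic words."""
    return re.findall(r"[a-z]+", text.lower().replace("'", ""))

def phrase_candidates(corpus, max_words=6):
    """Every contiguous run of 1..max_words corpus words, joined without spaces."""
    toks = tokens(corpus)
    runs = set()
    for n in range(1, max_words + 1):
        for i in range(len(toks) - n + 1):
            runs.add("".join(toks[i:i + n]))
    return runs

def normalize(password):
    """Strip case, spaces, digits and punctuation so simple decoration
    (capitals, a trailing '!' or year) does not hide an underlying phrase."""
    return re.sub(r"[^a-z]", "", password.lower())

def audit(password, corpus, max_words=6):
    """Return (derivable, dictionary_bits, brute_force_bits).

    dictionary_bits is log2 of the undecorated phrase list size, so it is a
    lower bound on guessing effort; brute_force_bits assumes every character
    is drawn uniformly from the 95 printable ASCII characters.
    """
    cands = phrase_candidates(corpus, max_words)
    derivable = normalize(password) in cands
    dict_bits = math.log2(len(cands))
    brute_bits = len(password) * math.log2(95)
    return derivable, dict_bits, brute_bits

if __name__ == "__main__":
    for pw in ["Midnight Train To Nowhere!", "xK9#mQ2$vL7p"]:
        hit, d_bits, b_bits = audit(pw, SAMPLE_CORPUS)
        print(f"{pw!r}: derivable={hit} "
              f"dictionary~{d_bits:.1f} bits, brute force~{b_bits:.1f} bits")
```

A passphrase flagged as derivable should be rejected at enrollment no matter how long it is, because its real search space is the phrase list, not its character count.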

Read the season three finale article on GeekWire and learn more about the risk posed by insider threats like Dom here on Secplicity. If you’re already developing an evil split personality from the realization that one of television’s best shows is over for another year, placate your alter ego by reviewing the hackuracy of season three here.
