Warning: This piece contains minor spoilers for the most recent episode of Mr. Robot (S2E9)
Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involves hiring ex-FBI employees as consultants or tracking down the duo behind the Full House theme, the series wants to ground its high-stakes story in a healthy dose of realism.
“The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world’s debt, is a big pill to swallow,” Kor Adana, staff writer and the show’s lead tech producer, told Ars recently. “The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality.”
In the series’ latest episode, hero-hacker Elliot Alderson launches an attack script called crackSIM from a real-world device—Pwnie Express’ PwnPhone—to allow him to eavesdrop on a cell phone call.
As superhuman as the attack seems, it’s yet another realistic portrayal from Adana and his team. Yes, this hack is technically possible.
It’s also possible for an attacker to eavesdrop on a cell phone call.
But this being a ~50 minute cable series, creative license does ultimately rear its head.
And unfortunately, the hack Elliot used wouldn’t work to do the eavesdropping as we understand infosec today.
Instead, the show (rightfully) took a few artistic liberties when demonstrating how such an attack would happen.
A Pwnie party
Ars got a bit of a preview of the attack from the folks at Pwnie Express.
As they discussed with us on this week’s Decrypted podcast (embedded below), the company was contacted by the producers of Mr. Robot to take part in the plot. Pwnie was able to take a small role in discussing with the series staff what is and isn’t possible during production, and ultimately the team was thrilled with the results. (After all, as the clip above shows, Elliot calls the phone the ultimate hacking device. Later in the episode, this attack earns him the title of “master” from a group of international hacker mercenaries called the Dark Army.)
We’ve gone hands-on with the Pwn Phone in its previous incarnation and once even used a similar device on an NPR reporter (don’t worry, he agreed to it).
But since the Pwn Phone plays such a prominent role in this hack on this show, we wanted to talk with Pwnie’s vice president of marketing Dmitri Vlachos and director of product development (and former Air Force cyber operator) Yolanda Smith about this “crackSIM” attack.
Even if it’s been fictionalized, could someone pull off what Elliot was doing in the real world?
The original Pwn Phone, with its external Wi-Fi adaptor case jacked into its USB port, as we saw it in 2014.
CrackSIM is not included by default on the Pwn Phone, and that’s because it is a fake program scripted by Elliot within the show’s universe.
But Smith said there’s research that suggests the capability of crackSIM, which broke the encryption on the SIM card, is plausible. Research presented by Karsten Nohl of Security Research Labs at last year’s Black Hat demonstrated that if an attacker had physical access to a SIM card, a hard disk full of pre-computed potential keys, and full knowledge of what the response from a phone for an Over The Air (OTA) update message would be, it was possible to grab a single 56-bit DES encryption key from the SIM.
Even SIMs that use Triple DES encryption sometimes downgrade their key to just normal DES when the service they’re connected to requests it.
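The downgrade just described is decided by one byte in the over-the-air command packet's security header: the KIc (ciphering) and KID (cryptographic checksum) fields tell the SIM which algorithm and key to use, and a card that honours a single-DES request with a 56-bit key is exposed to exactly the pre-computed-key attack above. The following is an added example, not code from the article, from Pwnie Express or from Security Research Labs; it decodes that byte using the bit layout of the GSM 03.48 / ETSI TS 102 225 KIc/KID coding as assumed here (b2b1 = algorithm family, b4b3 = mode, b8..b5 = key index) and flags single-DES requests so that a SIM test harness or an OTA platform policy can reject them. The sample header bytes are constructed.

```python
# Added example (not from the article): decode an OTA security-header KIc/KID
# byte and flag single-DES (56-bit) requests that a 3DES-capable SIM should refuse.
# Bit layout assumed per GSM 03.48 / ETSI TS 102 225:
#   b2b1 : 00 implicit, 01 DES family, 10 reserved, 11 proprietary
#   b4b3 : (DES family) 00 DES-CBC, 01 3DES two keys, 10 3DES three keys, 11 DES-ECB
#   b8-b5: key index (which key set on the card to use)

DES_KEY_BITS = 56

# Mode bits for the DES family -> (name, effective key length in bits)
_DES_MODES = {
    0b00: ("DES-CBC", 56),
    0b01: ("3DES-2key", 112),
    0b10: ("3DES-3key", 168),
    0b11: ("DES-ECB", 56),
}

_FAMILIES = {0b00: "implicit", 0b01: "DES", 0b10: "reserved", 0b11: "proprietary"}


def classify_key_byte(kic: int) -> dict:
    """Split a KIc/KID byte into algorithm family, mode, key length and key index."""
    if not 0 <= kic <= 0xFF:
        raise ValueError("KIc/KID is a single byte")
    family = _FAMILIES[kic & 0b11]
    mode_bits = (kic >> 2) & 0b11
    key_index = (kic >> 4) & 0xF
    if family == "DES":
        mode, key_bits = _DES_MODES[mode_bits]
    else:
        # Implicit/proprietary algorithms carry no mode we can judge here.
        mode, key_bits = None, None
    return {"family": family, "mode": mode, "key_bits": key_bits, "key_index": key_index}


def downgrade_requested(kic: int, card_supports_3des: bool = True) -> bool:
    """True when a card that can do 3DES is asked to use single DES (56-bit)."""
    info = classify_key_byte(kic)
    return card_supports_3des and info["family"] == "DES" and info["key_bits"] == DES_KEY_BITS


# Constructed sample headers: key index 1 with each of the four DES-family modes.
SAMPLE_HEADERS = {
    "strong_3des_3key": 0x19,  # 0001 10 01 -> key 1, 3DES three keys, DES family
    "strong_3des_2key": 0x15,  # 0001 01 01 -> key 1, 3DES two keys
    "weak_des_cbc": 0x11,      # 0001 00 01 -> key 1, single DES in CBC mode
    "weak_des_ecb": 0x1D,      # 0001 11 01 -> key 1, single DES in ECB mode
}


def audit_headers(headers: dict) -> list:
    """Return the names of sample headers that would downgrade a 3DES-capable card."""
    return [name for name, byte in headers.items() if downgrade_requested(byte)]


if __name__ == "__main__":
    for name, byte in SAMPLE_HEADERS.items():
        print(f"{name:18s} 0x{byte:02X} -> {classify_key_byte(byte)}")
    print("would downgrade:", audit_headers(SAMPLE_HEADERS))
```

The useful policy is the negative one: rather than enumerating strong modes, reject any DES-family header whose effective key length is 56 bits, which also catches the ECB variant that is sometimes overlooked.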
This is the sort of attack that is used in “Stingray” boxes, devices used by law enforcement to track cell phones and intercept their calls.
However, Elliot’s hack took only seconds.
And that is where, as Smith put it, the show took a bit of “dramatic license.” Elliot also appears to clone the SIM card and use it to intercept calls and listen in on his targets, rather than intercepting the call Stingray-style; in reality, cloning a SIM would only let the attacker imitate the victim and take control of the hacked phone’s number, not intercept its calls.
That’s precisely what happened earlier this year when someone took over Black Lives Matter activist DeRay McKesson’s phone number and got access to his Twitter account and other accounts through password resets authenticated from the hijacked number.
When asked how she would pull off the hack herself, Smith said that the most likely route would be to exploit a known weakness in the SS7 phone network routing protocol. An attacker could, using the victim’s phone number, essentially route all the calls to that number through a proxy, allowing “man-in-the-middle” monitoring of calls and SMS messages. (Black Hat, DEFCON, et al: If you’re listening, we’re ready for next year’s Mr. Robot panel.)
Another real world alternative would require proximity to the victim—using a femtocell to intercept the calls.
A hacked femtocell would allow direct monitoring of the call without having to crack the SIM, because the femtocell decrypts signals it receives to route them over the Internet.
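The SS7 rerouting Smith describes works because the network trusts location and routing messages from any connected operator, so a subscriber can be "moved" to a network they are not in. On the defending side, one of the standard checks carriers run against that is a velocity check: a subscriber cannot legitimately register on a distant network minutes after activity on the home network. The following is an added example, not code from the article or from any carrier's signalling firewall; it runs that check over a few constructed signalling log lines, with the field names, network labels, IMSI placeholders and travel-time floor all constructed for the example.

```python
# Added example (not from the article): a minimal velocity check over
# constructed SS7/MAP signalling log lines. A location update from a distant
# network that arrives sooner than travel allows is flagged for review.
from datetime import datetime

# Constructed log: timestamp, MAP operation, originating network, subscriber.
# IMSI-A "moves" HOME -> NET-FAR in 12 minutes (suspicious);
# IMSI-B makes the same move in six and a half hours (plausible travel).
SAMPLE_LOG = """\
2016-08-31T10:00:00 UpdateLocation origin=HOME imsi=IMSI-A
2016-08-31T10:05:00 UpdateLocation origin=HOME imsi=IMSI-B
2016-08-31T10:12:00 UpdateLocation origin=NET-FAR imsi=IMSI-A
2016-08-31T10:20:00 SendRoutingInfo origin=HOME imsi=IMSI-A
2016-08-31T16:35:00 UpdateLocation origin=NET-FAR imsi=IMSI-B
"""

# Constructed minimum travel time (hours) between network pairs; unknown pairs get 0.
MIN_TRAVEL_HOURS = {frozenset({"HOME", "NET-FAR"}): 5.0}


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a record."""
    ts, op, origin, imsi = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "op": op,
        "origin": origin.split("=", 1)[1],
        "imsi": imsi.split("=", 1)[1],
    }


def find_implausible_moves(log_text: str) -> list:
    """Return (imsi, previous_network, new_network, elapsed_hours) for each
    UpdateLocation that implies faster-than-possible travel."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])  # logs are rarely delivered in order
    last_location = {}
    alerts = []
    for rec in records:
        if rec["op"] != "UpdateLocation":
            continue  # only registrations move the subscriber's location
        prev = last_location.get(rec["imsi"])
        if prev is not None and prev["origin"] != rec["origin"]:
            floor = MIN_TRAVEL_HOURS.get(frozenset({prev["origin"], rec["origin"]}), 0.0)
            elapsed = (rec["ts"] - prev["ts"]).total_seconds() / 3600.0
            if elapsed < floor:
                alerts.append((rec["imsi"], prev["origin"], rec["origin"], round(elapsed, 2)))
        last_location[rec["imsi"]] = rec
    return alerts


if __name__ == "__main__":
    for alert in find_implausible_moves(SAMPLE_LOG):
        print("implausible move:", alert)
```

A real deployment would key the travel-time floor on the global titles or country codes in the messages rather than on labels, and would treat the flagged registration as a reason to hold call and SMS routing changes for that subscriber until it is confirmed.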
Regardless of the series’ staff stretching the truth a tad, the fact that a cable television show is going to the trouble of featuring the Pwn Phone in the first place, and working with consultants and PwnieExpress to ensure the highest degree of realism possible, speaks volumes about Mr. Robot and overall interest in modern-day infosec. Hopefully, the days of CSI: Cyber-types are long behind us.
Note: PwnieExpress enjoyed its Mr. Robot experience so much that the company is promoting the unexpected publicity by offering a giveaway of a Pwn Phone through a contest. Pwnie is also posting links to downloads that will let individuals turn their own Android devices into Pwn Phones.
Hear more from the PwnieExpress team about their big cameo (and from one of the writers responsible for last week’s episode, Lucy Teitler) on our latest Decrypted podcast.
If you have feedback, show ideas, or even questions for future weeks, get in touch through the comments section, on iTunes, or via e-mail. Host Nathan Mattise will totally upvote your comments in exchange for iTunes ratings.
Direct Download URL (latest episode): Decrypted, Ep. 9: How do you write answers for Mr. Robot’s big questions?