Skip to content
Naked Security Naked Security

Mr. Robot eps3.1undo.gz – the security review

We're looking at how Mr Robot's treatment of security stacked up in episode 2 of season 3

Welcome back to the Naked Security roundup of this week’s episode of Mr. Robot. Here’s last week’s episode recap if you missed it.

The vast majority of this week’s episode focused on psychological drama, but the major events of the episode were bookended by a bit of Elliot’s (or is it Mr. Robot?) hacking ingenuity. Let’s take a peek.


Elliot takes down the chain of command

As Elliot attempts to repair ECorp from the inside, we see him playing a part that’s familiar to many — the dreaded presentation to uninterested middle managers – while also going after managers that are in his way. All he needed was to get enough information about them to make a reasonable guess at their email passwords (given he works with them, their usernames are easily known), and he finds a treasure trove of blackmail-worthy information.

The first boss he sets the FBI on innocuously mentions his love of the band the Goo Goo Dolls, and Elliot correctly guesses that this boss used a slightly modified version of a Goo Goo Dolls album name (“aboynamedg00”) as a password. Easy enough. The next target in the food chain was even simpler, the personal hint about his favorite hobby wasn’t even needed, Elliot was able to see this manager typing in his spin cycling-related password (“tapitback”) with a simple ‘shoulder surf’ — hacker vernacular for peeking over somebody’s shoulder as they type a password.

This sequence was a nice reminder of two key points:

  1. “Hacking,” whether it is a technical or social hack, doesn’t always have to be complex, in fact often enough the simplest methods are quite effective. In Elliot’s case, all he had to do was pay attention and listen, or peek over someone’s shoulder, and he got enough information to infiltrate his managers’ email accounts. No fancy tools needed, just his eyes and ears.
  2. Both managers’ passwords are shamefully simple. Nobody likes typing complex passwords, but dictionary words? Personally identifiable information? Changing l3tters for numbers? Come on. They’re not even trying.

I’d like to summon the Game of Thrones “Shame” meme here, but it might be dangerous to cross the streams.

Elliot trusts his instincts

The event on the tail end of the episode shows Elliot realizing what Mr. Robot meant by “we’ve been compromised” in regards to Darlene. Elliot suspects that his sister may be acting against him somehow, but we (the viewer) aren’t sure what exactly he knows, or if he realizes the extent to which Darlene is informing on him to the FBI.

In a moment of clarity, Elliot reboots his machine, plugs in a USB drive with a fresh image of Kali Linux on it, and boots up a clean instance of the hacker-friendly operating system. He runs rkhunter, which is the tool Rootkit Hunter, an anti-rootkit scanner. This is our clue that Elliot is looking for something Darlene may have planted on his machine. RKHunter, however, shows that his machine is clean of any software-based backdoors or rootkits, and this is our first hint at what Darlene did.

The show switches a few times to the FBI’s view of what’s going on. There’s a Python script running that’s spitting out PNG screenshots of Elliot’s computer at frequent intervals, and they can see he’s running Kali and RKHunter. So this is our second hint — given he had just rebooted his machine, booted into an entirely different operating system and RKHunter showed the system as clear of any software that could be spying on him; however, the FBI still has a view into what he’s up to, so there has to be something hardware-based working against him.

The screenshots seem quite high-resolution and don’t look like they’re being generated via a camera pointed at his monitor, so we can surmise that something is pulling the images from his monitor directly. Indeed, if we think back to a bit earlier in the episode, when Darlene was staying over at Elliot’s place, we did see her fiddling with something (or perhaps installing) in the back of Elliot’s monitor while he was asleep.

The third hint follows immediately after RKHunter comes back clear. The FBI agent observing Elliot’s monitor says he pulls the URL from the email Elliot was sending to Tyrell, checked it and found that it didn’t contain anything interesting. Dom then makes her realization: “This email isn’t for Tyrell, it’s for us.” Indeed, it’s for the FBI and for us, the viewers. The URL Elliot sent was an obfuscated link to a repository on GitHub for a Dell monitor exploit proof-of-concept (PoC) that was presented at Defcon 24, called “A Monitor Darkly.

It’s Elliot’s own way of saying to the FBI: “I’m way ahead of you.”

The actual monitor exploit says it can allow an attacker to read pixels on the monitor, but the proof of concept for this exploit is for actually displaying images on the target monitor. The researchers who worked on this exploit did acknowledge that there’s potential for this kind of attack to be made more effective with additional hardware like a Funtenna (basically a hacked antenna being used for attack purposes).

What the show portrays certainly seems in the realm of possibility, if you take this PoC to a logical extreme, especially if you were to put the brainpower of covert agencies behind furthering development. We’ve seen Mr. Robot stretch concepts like this before for the sake of good television — remember the Pringles cantenna? — and arguably that’s what happened here as well.

…Or, perhaps the link is purposely close-but-not-correct to throw all of us off Elliot/Mr. Robot’s trail, as perhaps there was malicious code in the linked file and Elliot actually managed to successfully phish the FBI? I’d just as well believe this as a hardware hack.

What did you think of this week’s episode? Was Elliot’s link to the monitor hardware hack PoC an affirmation of the FBI’s tactic, or is this meant to throw us, the viewers, off?


Why did he not use wireshark on his network to find out if someone was spying on him?

The first password was not guessed because in one of the scenes he runs a command where the password comes out in plain text.


I would hope the device Darlene planted wasn’t transmitting on Elliot’s own network, that’d be such a basic mistake for her to make I’d find it kind of hard to believe.


Whilst the link in Elliot’s email takes us, the viewers, to a GitHub repository in real life, I’m wondering if the link in the programme itself was indeed used as a phishing technique by Elliot – packed with some form of malware, in order for Elliot to trace the location (IP address) of those spying on his computer (the FBI). It would have been masked as though it was being sent to Tyrell, to entice the FBI into clicking on it further. At that point, he would be able to trace that the email link was clicked on by either Tyrell, or whoever is spying on him.
This is especially since he turns up to Darlene’s apartment (‘safe house’) below the FBI’s after the guy working on the case confirmed he had already clicked on the link.
Happy for anyone to correct me here or expand further!


I’m hoping this is the case — it’d be fantastic if he managed to phish the FBI (though they didn’t make it that hard!)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!