18 Nov 2017

Mr Robot Rewind: Fighting over UPS firmware in Episode 6

(Photo via USA Networks)

[Spoiler Alert] You should watch Mr. Robot episode 6 (Eps3.5_kill-process.inc) before reading this article. Otherwise, it will spoil many of the show's major hacks and technical details.

Welcome to the Mr. Robot Rewind series, where I dissect the hacks and technical details within the show, sharing what's accurate and what's not.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

This week's episode was huge for fans of the series, as we finally saw the conclusion to the Stage 2 UPS hack, which was designed to destroy the building that housed all E Corp's financial paper records... or so we thought.

This article will be shorter than most, as this latest chapter was much more focused on frenetic plot elements than new hacks. That said, the episode also illustrated Elliot's attempts to complete one major technical challenge, over and over again. Let's dig in.

Skimming Card Keys from Distracted Security Guards

Quick Recap. The Dark Army, along with Tyrell, Angela, and Mr. Robot, have colluded to (seemingly) deliver all E Corp's paper records to one building in New York. They planned to hijack the firmware of the UPS battery backup systems, which might cause an explosive chemical reaction that would destroy the building and all the paper records stored within. As soon as Elliot learned of the plan and its potential human casualties, he actively worked against it. He digitally signed E Corp's UPS firmware to try to make it impossible for the Dark Army to overwrite it. However, last week, Angela and the Dark Army stole E Corp's signing keys, which could allow them to upload the malicious firmware and complete the mission.

This week's episode primarily centers on Elliot trying to regain control of the UPS systems now that he has been fired from E Corp. He no longer has access to E Corp's main headquarters, but is working to get into their New York storage facility, where they house the paper records and the UPS systems.

Last week, Elliot called in a fake bomb threat in an attempt to evacuate the building to prevent casualties. He arrives to find that the firemen are letting people in after they were unable to find any kind of traditional explosives on the premises. Without any other course of action, he gets into the line, hoping he can figure out a way past the ID turnstiles. Luckily, he notices a distracted guard with a keycard lanyard hanging from his waist.

Pickpocketing isn't quite social engineering, but many hackers keep up skills that let them beat physical security. As I've mentioned before, lock picking is a pretty common activity at hacker conferences. Though less common, some social engineers find sleight of hand and pickpocketing useful too. While you shouldn't expect every hacker to be a master pickpocket, it's believable that Elliot would risk this keycard theft with no other options in sight. Furthermore, Elliot smartly chose his victim. As we see later in the episode, he'll have to get into just about every area of this building, and a security guard is the person most likely to have that level of access.

With a privileged keycard in hand, Elliot passes his first hurdle and makes his way into the building to find a computer.

Battling Oneself for Control of UPS Firmware

After ducking a few guards, Elliot finds a quiet room where he can pull out his laptop and work. With access to the E Corp building, he can plug his laptop into the internal network and bypass most of the company's perimeter security controls, such as the firewalls and other network security services that sit between the Internet and the internal network. He pops into a terminal window and gets to work. Here's what he types:

Figure 1: Elliot's first run at replacing Dark Army’s malicious firmware.

All of the commands we see here are accurate, and make sense. Let's go through them quickly:

  • gpg --verify update.bin.asc update.bin – This runs GNU Privacy Guard (GPG) to check the detached signature update.bin.asc against the firmware image update.bin. Elliot wants to confirm whether the firmware currently staged on the system carries a valid E Corp signature. It does, but that is exactly the problem: this is the Dark Army's malicious firmware, signed with the newly stolen keys. A good signature proves only that whoever signed the file held the key, not that the file is trustworthy.
  • shred -uzn3 update* – We've seen Elliot use shred before. It is a secure-delete command: -n3 overwrites every file whose name starts with "update" three times with random data, -z adds a final pass of zeros to hide the shredding, and -u unlinks the files afterward. That is an accurate way to destroy the Dark Army's firmware files so they can't easily be reused, with one caveat shred's own documentation spells out: on journaling, copy-on-write or log-structured filesystems, and on SSDs that remap writes, the overwrites may never reach the blocks that held the original data.
  • wget -q https://192.251.68.232/files/ups_640_patch.zip – This quietly downloads a file from a web server. Specifically, Elliot is grabbing his clean, signed version of the firmware to put back on the UPS systems.
  • Next, Elliot runs unzip to unpack the archive he just downloaded. It contains three files: the firmware image, the detached signature for the firmware, and a hash file. Elliot can use this hash file to check that the other files haven't been modified in any way and are the originals he expects.
  • Elliot runs gpg again, but this time to verify the signature on the hash file itself, making sure it still carries his own signature. This step matters: sha256sum alone would happily accept a hash file that an attacker regenerated to match a trojanized image, so the signature is what binds those hashes to Elliot's key. As an aside, the name on the key for this signature is an Easter egg that refers to a redditor who has solved some of Mr. Robot's hidden ARG puzzles in the past.
  • sha256sum --check hashes.asc – Once he's sure the hash file is intact, he runs sha256sum, which recomputes the SHA-256 digest of each firmware file listed in the hash file and compares it to the stored value. This confirms that none of them has been modified. This whole sequence is essentially Elliot being paranoid, making sure Mr. Robot hasn't somehow trojanized the clean firmware files he plans to restore to the UPS systems.
  • scp * upsadmin@192.251.68.229/upsfw... – Finally, we see Elliot start, but not finish, the secure copy (scp) command. This would copy Elliot's signed firmware to the remote UPS
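The verify-before-flash sequence above, reduced to the parts you can reproduce offline, as an added example that is not from the article or the show. Constructed sample files stand in for the unpacked firmware bundle; the hash file mimics the framing that gpg --clearsign produces, but with a placeholder where a real signature block would be, because no signing key exists in this example (gpg --verify would reject it). The only check actually exercised is the sha256sum step; the signature check is kept as a function that calls real gpg but is not invoked. The file names ups_640.bin and ups_640_boot.bin and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: reproduce Elliot's verify-before-flash
# checks on constructed files. File names and function names are assumptions.
set -eu

WORK=$(mktemp -d)
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT
cd "$WORK"

# Constructed stand-ins for the unpacked firmware bundle (not real UPS firmware).
printf 'UPS firmware 6.40 (constructed sample)\n' > ups_640.bin
printf 'UPS bootloader 6.40 (constructed sample)\n' > ups_640_boot.bin

# Write the hash file the way a signer would: sha256sum output wrapped in the
# framing that `gpg --clearsign` adds. The signature block is a placeholder,
# since no signing key exists in this offline example; a real bundle carries a
# genuine signature here, which gpg --verify checks.
make_hashes() {
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA256'
        echo
        sha256sum ups_640.bin ups_640_boot.bin
        echo '-----BEGIN PGP SIGNATURE-----'
        echo
        echo 'PLACEHOLDER-NOT-A-REAL-SIGNATURE'
        echo '-----END PGP SIGNATURE-----'
    } > "$1"
}

# First check in the chain: does the hash file carry the expected signature?
# Without it, an attacker who swaps the firmware can simply regenerate the
# hash file to match, and sha256sum will report everything OK.
# Needs gpg and the signer's public key, so it is defined but not run here.
verify_hash_file_signature() {
    gpg --verify "$1"
}

# Second check: recompute each listed digest and compare. Only the checksum
# lines are fed to sha256sum; the clearsign armor would otherwise be flagged
# as "improperly formatted", and --strict turns such lines into failures.
# Returns 0 when every listed file matches, non-zero otherwise.
check_hashes() {
    grep -E '^[0-9a-f]{64}  ' "$1" | sha256sum --check --strict --quiet
}

make_hashes hashes.asc

if check_hashes hashes.asc; then
    echo "clean bundle: all digests match hashes.asc"
fi

# Simulate a trojanized image slipped in after hashes.asc was produced.
printf 'UPS firmware 6.40 (trojanized sample)\n' > ups_640.bin
if check_hashes hashes.asc; then
    echo "ERROR: modified firmware was not detected" >&2
    exit 1
fi
echo "modified ups_640.bin detected; do not flash"

# Restore the clean image so the bundle is consistent again.
printf 'UPS firmware 6.40 (constructed sample)\n' > ups_640.bin
```

In a real deployment the two checks gate the flash in order: verify_hash_file_signature must succeed (gpg exits non-zero on a bad or untrusted signature) before check_hashes means anything, and only if both pass should the scp to the UPS run. Note that sha256sum without --strict tolerates the armor lines with a warning, which is why Elliot's plain `sha256sum --check hashes.asc` works on screen, but it also means sha256sum never looks at the signature; that is gpg's job.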
