Episode 6 of Mr. Robot has come and gone and, as usual, it did not disappoint. Once again our hero, Elliot, has used his extraordinary intellect and hacking skills to awe and inspire us.
In this episode, Elliot is being blackmailed by the ruthless and unrelenting drug dealer, Vera, to hack him out of jail. He is holding Elliot’s new love interest, Shayla, hostage and has given Elliot until midnight to hack the jail’s computer system in order to release him.
Malicious Flash Drive
In his first attempt to hack the jail, Elliot has Darlene, his friend and nemesis from f/society “accidentally” drop infected flash drives outside the jail. The strategy here is that if someone inside the jail’s network picks one up and inserts it into their computer system, it will then inject malware and give Elliot a connection on the outside.
We might assume that this machine had the autorun feature enabled or, more likely, that Darlene had installed the malware on a flash drive that had been reprogrammed to emulate a USB keyboard. When such a flash drive is plugged into the system, the operating system recognizes it as a USB keyboard, giving it access with the rights of the logged-in user, and it then injects its malicious code into the operating system. So, this approach may have worked had Darlene re-encoded the malware with Veil-Evasion.
While Elliot is visiting Vera in jail, he brings his phone with him, on which he has installed a WiFi scanner app. With that scanner, he can see all the Wireless APs and sees that they are all secured with WPA2. Although he knows he can crack WPA2, he recognizes that the short time frame he is working with is inadequate to brute force WPA2.
In the process of scanning wireless hotspots and encryption technologies with his phone, Elliot sees a Bluetooth connection when a corrections officer’s car drives up near him.
Hacking a Bluetooth Keyboard
Elliot’s strategy here is to spoof the cop car’s Bluetooth connection to his keyboard. If he can make the laptop believe that his keyboard (Elliot’s) is actually the cop’s keyboard, he can control the cop’s laptop and get inside the prison’s network. Once inside the network, he can upload malware to take control of the prison’s digitally controlled systems.
Step 1: Enable Bluetooth
Before Elliot can do anything, he needs to enable Bluetooth on his Linux hacking system by starting the bluetooth service:
kali > service bluetooth start
Next, he needs to activate the Bluetooth device:
kali > hciconfig hci0 up
Then he checks to see if it is actually working, as well as its properties, by typing:
kali > hciconfig hci0
Step 2: Scan for Bluetooth Devices
The first thing Elliot does in this hack is to scan for Bluetooth connections. If you look closely at Elliot’s screen, you can see that he is using hcitool, a built-in Bluetooth configuration tool in Kali Linux. Although this works, I have had better success with btscanner, a built-in Bluetooth scanner with a rudimentary GUI. To use it, simply type:
kali > btscanner
Then select “i” to initiate an inquiry scan. You can see the results below:
Step 3: Spoof the MAC Address of the Keyboard
Now that Elliot has the name and MAC address of the cop’s keyboard, he will need to spoof it by cloning the cop’s keyboard with this info. Kali Linux has a tool designed to spoof Bluetooth devices called spooftooph.
We can use it to spoof the keyboard with a command similar to this:
kali > spooftooph -i hci0 -a A0:02:DC:11:4F:85 -n Car537
- -i designates the device, in this case hci0
- -a designates the MAC address we want to spoof
- -n designates the name of the device we want to spoof, in this case “Car537”
If we do it right, our Bluetooth device will spoof the MAC address and name of the cop’s Bluetooth keyboard.
To check whether we were successful, we can use hciconfig followed by the device and the switch “name”, which will list the name of the device. Remember, this is our own Bluetooth device that we are trying to make emulate the cop car’s Bluetooth device. If we are successful, it will have the same MAC address and name as the cop’s Bluetooth device.
kali > hciconfig hci0 name
Step 4: Link Bluetooth Device to the Cop’s Laptop
Now, here is where reality and the “Mr. Robot” storyline diverge. Mr. Robot’s hacking is very realistic, but even in this show, the director takes some literary license. That’s allowed—creative works should not be limited by reality.
For Elliot to now connect to the cop car’s laptop, he would need the link key (the shared secret established when the keyboard and the laptop’s Bluetooth adapter were paired, which the laptop uses to recognize the previously paired device).
He could guess it (unlikely) or crack it, but it won’t be as fast as it appeared in the show. Another possibility is that when the system rebooted or the keyboard was disconnected, Elliot could connect to the laptop, since his device is now a clone of the cop’s keyboard. In either case, it would take more time than Elliot had in this episode to hack the cop’s Bluetooth keyboard.
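From the defender’s side, the clone described in Steps 2 through 4 leaves a trace on the air: the keyboard’s address can answer an inquiry twice, or answer with a device class that does not belong to a keyboard. The following script is an added example, not code from the post or from any of the tools it names; it parses constructed hcitool-style inquiry output, checks each response against an assumed inventory of paired devices, and flags those inconsistencies (the inventory and the sample lines are assumptions, and the class check is a heuristic, not a guarantee).

```python
import re

# Constructed sample of `hcitool inq` output (not a real capture). The keyboard address
# from the post answers twice: once with a keyboard class (0x002540, major 0x05 =
# Peripheral) and once with a laptop class (0x1c0104, major 0x01 = Computer).
SAMPLE_INQ = """Inquiring ...
\tA0:02:DC:11:4F:85\tclock offset: 0x3a2b\tclass: 0x002540
\t00:1A:7D:DA:71:13\tclock offset: 0x1111\tclass: 0x5a020c
\tA0:02:DC:11:4F:85\tclock offset: 0x7f01\tclass: 0x1c0104
"""

# Assumed inventory of paired devices: BD_ADDR -> expected major device class.
# 0x05 is the Peripheral major class used by keyboards and mice.
INVENTORY = {"A0:02:DC:11:4F:85": 0x05}

LINE_RE = re.compile(
    r"^\s*([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+clock offset: 0x[0-9a-f]+\s+class: 0x([0-9a-f]{6})\s*$",
    re.IGNORECASE,
)


def major_class(cod):
    """Major device class lives in bits 8-12 of the 24-bit Class of Device field."""
    return (cod >> 8) & 0x1F


def parse_inq(text):
    """Return (address, class_of_device) tuples for every inquiry response line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1).upper(), int(m.group(2), 16)))
    return rows


def find_anomalies(text, inventory):
    """Flag a known address answering with the wrong major class, or answering twice."""
    alerts, seen = [], {}
    for addr, cod in parse_inq(text):
        mc = major_class(cod)
        if addr in inventory and mc != inventory[addr]:
            alerts.append(f"{addr}: class 0x{cod:06x} has major {mc:#x}, inventory expects {inventory[addr]:#x}")
        if addr in seen and seen[addr] != cod:
            alerts.append(f"{addr}: answered twice with different classes (0x{seen[addr]:06x}, 0x{cod:06x})")
        seen.setdefault(addr, cod)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_INQ, INVENTORY):
        print(alert)
```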
Step 5: Hack the Prison
In the final step, Elliot uses the cop’s hacked computer to upload malware via FTP that will give him control of the prison cell doors. Few people realize that prisons and other industrial systems, often referred to as SCADA, are very hackable.
The Stuxnet hack of Iran’s uranium enrichment facility was very similar to this. These industrial systems have PLCs, which are basically digital controllers. Presumably, this prison had PLCs controlling the prison cell doors (a very reasonable assumption), and Elliot’s malware infected them and gave him control, enabling him to open all the cells, releasing Vera and all the other prisoners.