Mr. Robot is a television show that is heavily influenced by exploiting people and technology in nefarious ways. The writers of the show used experts in the security field to create the attacks and scenarios to be as realistic as possible where the only incorrect factor is that the time of the attacks are sped up. The Hackable team took three of the Mr. Robot attacks and decided to recreate them in hopes of educating their listeners on the real threats they pose. Packetlabs was asked to assist in the recreation of the attacks. The episode, number 30, is titled “The Mr. Robot Spectacular”.
Below, we have taken the attacks that were completed on the Hackable podcast and related them to real events that occurred through-out history. These events either led to acts of terrorism, nation states installing malware on devices, or the exposure sensitive photos.
How to Hide Data in Audio Files
Hiding data within audio files is a form of steganography, where potentially sensitive information can be embedded into regular-looking files for the purpose of delivering secret messages, protecting data, and ultimately attempting to provide some form of security by obscurity. Steganography is an attractive attack mechanism because it’s discrete and with the proper tools, files such as images or audio clips with data encoded in them can be made to look or sound identical to the original. The files also tend not to attract a lot of attention, are able to bypass deep-packet inspection, and can carry malicious payloads that may lead to further exploitation.
The real threats of steganography are evident in the several allegations made about terrorist groups using steganography to covertly distribute information among one another and hide messages throughout the Internet and on particular web pages. Another incident that leveraged the benefits of steganography was the “Instegogram” attack that allowed users to upload command and control code for malware inside of Instagram photos and upload them onto the popular social media site.
There are a wide-variety of tools available that allow any individual to perform steganography as well as encryption, meaning that you have a file containing secret information that not only would be hard to detect in the first place, but difficult to recover if suspected of malicious content.
How to Spy on Anyone’s Smartphone Activity
The ability to spy on cellphones is becoming increasingly more popular by nation states. One way requires physical access to your device which is sometimes requested at airports or country borders. Tools such as FlexiSPY make it easy to deploy and control the victim’s devices without leaving any indications of compromise. However, in order to fully utilize the spy software, the iOS device needs to be jailbroken and the Android device needs to be rooted. To do so requires time and expertise that may raise some alarms on the victim. If the devices are already jailbroken and rooted, the spy software can do everything from listen to phone calls, log key strokes, and even download or upload files.
The other way involves social engineering by requesting that you install a specific application (such as WhatsApp) that they provide the link to. This may come in through SMS, email, or even a phone call. The WhatsApp will function exactly like the regular application would but would also have the spyware software to it. These social engineering campaigns would often attempt to target the victim’s family and close affiliates if the malicious software was not installed by the victim.
In order to protect yourself, wipe your device if it is ever taken by any law enforcement agency. While you may not think you’re important enough to spy on, you may have someone in your family that is.
How to Send a Spoofed SMS Text Message
Although many hacks that occur around the world require advanced technical skill, simply asking for a victim’s account credentials may be enough. For one of the most infamous data breaches this is what exactly happened. In 2014, explicit photos of celebrities were dumped online and spread quickly among online users all over the world. Although the exact details of the hack have not been released, it is believed that spoofed messages claiming to originate from the Apple iCloud service were sent to thousands of celebrities.
SMS spoofing involves sending text messages to victims from a phone number not owned by the attacker, or masquerading as a benign service requiring customer information. Quite often users are less cautious with text messaging compared to email read on a computer, despite both presenting the same opportunity for an attack. For example, a hacker can send a message with a malicious link pointing to a login page for a service commonly used by the victim. A well-crafted text message may convince the user to enter their credentials, allowing for the account to be taken over by the attacker. Advanced malware, such as the Pegasus spyware made by the NSO group, gain complete access on the victim’s phone when a malicious link sent through SMS is clicked on.
It is important to note that some mobile carriers do not allow SMS spoofing from numbers already taken. Despite this an attacker can use an available number or use a four-digit code (primarily coming from your phone carrier or emergency service), along with a well thought of message to socially engineer the victim.
From encrypting sensitive data within audio files, to installing spyware or executing malicious actions through a seemingly innocuous looking text message, hackers utilize a wide range of techniques well-illustrated in the Mr. Robot series. The incessant innovation native to the technology sector only drives hackers to come up with new method of attack, in conjunction with new methods of tricking users in handing over their sensitive data. Staying safe in this technological climate requires a life cycle of self-evaluation and thorough testing of your security posture.