This summer, USA Network premiered the series Mr. Robot, a drama/thriller that uses computer security and hacking as plot devices. Elliot Alderson, the protagonist, is a reclusive computer security professional who suffers from social anxiety disorder and delusions. When someone triggers his curiosity, he hacks their online accounts, from social media to bank accounts, in an effort to understand them and what they’re about.
When I first heard about Mr. Robot, I wondered whether I would be able to successfully suspend my disbelief. I braced myself for an outlandish, action-packed show about hacking—hoping it wouldn’t be anything like CBS’s Scorpion.
Computer hacking has a long history of being laughably represented on television and in movies, like when Jeff Goldblum connects his Apple PowerBook to an alien computer in Independence Day and is just magically able to write a virus for a (literally) alien operating system. I assume the aliens conveniently provided a USB port just in case any of the soon-to-be-destroyed humans had any pirated movies they wanted to share before our civilization was completely and utterly annihilated.
Pages could be written about the various hacking methods used in Mr. Robot and whether or not they’re realistic, but let’s discuss just one aspect: passwords. One of Elliot’s primary tools is password cracking, used to get into a wide range of account types, including dating websites and pharmacies. Without knowing a single thing about the target, there are some passwords that are depressingly common, which makes password cracking much easier than it really ought to be. Based on password lists acquired from publicly posted hacked data in 2014, the most common passwords include creative entries such as “123456,” “password,” “qwerty,” “baseball,” and “111111.”
As someone working in the information security industry, this is a painful reality for me when there are some simple changes normal people can make to protect their accounts, such as using a password manager to store complex passwords that are much more difficult to crack. If you use the same password across multiple websites because you just can’t remember hundreds of different passwords, password managers let you use unique, complex passwords for each website you use. Ok, I’ll step down off this soapbox and re-enter the world of Mr. Robot now.
In Episode 0, Elliot obtains more information about his target, Michael Hansen, which makes password cracking even easier, since, just like in real life, people often base their passwords on personal details. The time required to actually obtain a target’s password can vary, based on how securely the passwords were stored by the website being attacked. In the show, password cracking is depicted as taking a few minutes, which it definitely could if an attacker has powerful computer resources.
What’s more realistic for cracking a password is either hours, days, or effectively forever if your target is using a strong, unique password. The ease with which Elliot cracks passwords and is able to log in seems reasonable if you assume all of his targets in the show have weak passwords, which, given the list of most common passwords, seems possible.
As someone who works in information security every day, a lot of Elliot’s hacking felt all too convenient at times, but this is a fictional TV show meant to entertain an audience. If it were more realistic, it’d be roughly the same, except waiting hours upon hours to crack a password or break into a secure WiFi network. I’m no media expert, but that sounds like it would be outright awful to watch.
From a computer-security professional’s perspective, the team behind Mr. Robot has done a commendable job making the plot devices interesting without being totally unrealistic. They’ve also successfully used hacking to move the plot along at a very fast clip, while still taking the time to develop very dynamic and sympathetic characters. Just as in real life, these characters all fight internal battles, as well as the plot-based ones that keep the action moving.
There are dozens of examples of hacking in TV and movies done wrong besides those mentioned above, with a focus on absurd special effects and action instead of on building characters that people will tune in for week after week. Mr. Robot realistically explores technical topics while still remaining a compelling viewing experience.
And about all the lock-picking: Is it true hackers are obsessed with breaking into locks, as the show repeatedly portrays? Lock-picking is a common hobby in the hacker community, as locks are physical analogues to the technologies we build and/or attack. Indeed, lock-pick vendors can often be found accepting (untraceable) cash at information security conferences for tools and training devices, such as locks made of clear acrylic, so a user can see exactly what they’re doing inside the lock.
Finally, three opportunities for me to look stupid next summer, also known as my predictions for season two (mild spoiler alert):
—Tyrell returns for a three-episode arc and has simply gone off the deep end; he kills someone again and is generally a mediocre character.
—Biometrics (using fingerprints or eye scans to access secure entities) is used as an attack vector at least twice.
—The hacker types fail to mention two-factor authentication—the kind the company I work for, Duo Security, specializes in—despite it potentially being a show-stopping impediment whenever they’re breaking into accounts.