Around The Space-19.jpg

Hacking IRL: What Mr. Robot Teaches Us About the Dark Web

In Part 2 of the Hacking IRL series, Jim Holcomb - Associate Security Consultant at Evolve Security Academy - clears up terms we've all heard but may not have completely understand, such as the Deep Web, Dark Web, and even The Internet. Minor Mr. Robot spoilers ahead!

mrrobot-468589-edited.jpg

Guest Author: Jim Holcomb, Evolve Security Academy

Continuing from last week with our journey to demystify some of the more elusive concepts embedded in our favorite show Mr. Robot, this week we’re laying out some needed ground work for understanding some of the tools and tactics Elliot and other nefarious characters in the show use to stay anonymous on the internet.

We’ll cover numerous episodes throughout season one and two so prepare for minor spoilers.

 Throughout the series, we hear casual references to a protocol called “Tor” as well as allusions to the more suspicious sounding “Dark Web”. While by name alone they may either seem esoteric or simply made up, they are both very real and are actually quite robust environments that attract the well-intentioned as well as the malevolent alike. So what is the Dark Web and how does it relate to Tor? Moreover, how accurately is the use of said services portrayed in Mr. Robot? Well, first, we need to clarify some terminology. 

The phrase Dark Web is often misunderstood to be synonymous with “Deep Web”. So before discussing Tor, let’s set some boundaries and determine what differentials the Clear Net (“Normal” Internet), The Deep Web, and The Dark Web. These terms vary from person to person (ie Dark Net vs Dark Web), and are generally considered to be unofficial.

 
  • The Internet

The Internet basically describes the network that contains all publicly routable devices. That is not to say that you can view everything on The Internet. You may need a username and password or special routing protocol to view certain locations. The most common protocol used on the internet is HTTP/HTTPs which typically describes your normal web traffic. The Clear Net, Deep Web, and Dark Web are all technically on the internet. So what wouldn’t be considered part of the internet? A distributed system of directly connected nodes, often called a mesh network, operated on a local level (like a neighborhood) that isn’t routable through the Internet would not be considered part of The Internet. 

  • The Clear Net

The Clear Net refers to Internet traffic that is not part of the Dark Web. It would, however, include the Deep Web. The term Clear Net sometimes is restricted to only include unencrypted traffic. However, with the prevalence of SSL/TLS (the ‘s’ in HTTPs), it would also be suitable to describe general internet traffic.

  • The Deep Web

The Deep Web is often the most misunderstood portion of the internet. In the news, its use is often portrayed as bad natured or malignant. But in fact, you use the Deep Web every day. The Deep Web can be loosely defined as any part of the internet that is not "indexed" or easily searchable. Think of anything that won't come up in a google search. While chase.com is searchable, your particular account page on chase.com is not. So any account you have that requires a login form to access is technically considered part of the deep web. Not so scary now, is it?

  •  The Dark Web

The Internet deserves to be prefixed with the article “The” because it is so large. In reality, it’s just a network like your home Wifi router. The same is true for the Dark Web. Your Wifi Network (called a LAN or Local Area Network), could technically be considered a Dark Web depending on the protocols required to access it. Any VPN (Virtual Private Network) that you connect to, could also function as a Dark Web. But what’s “TheDark Web? "The" Dark Web is the network that is only accessible through Tor. To go even deeper, Dark Web sites, called Hidden Services, can have their own authentication and login forms and therefore add another layer to our internet cake.

So we’ve solidified some general terms about the Dark Web as well as cleared up some misconceptions surrounding what it actually refers to. However, there is one final question that requires an answer before we can check back with Elliot and the gang. What is Tor?

  •  Tor

Tor, or The Onion Router, is an anonymization protocol that allows users to communicate over encrypted networks where both the client (the browser) and the server (the website) have zero knowledge of who the other is. Typically, over a normal connection, both the client and server would need to know each other’s IPs. When you go to google, it knows your IP (the IP that Comcast/AT&T assign to your home). And you know google's IP. Your computer asks where "google.com" is located and then sends the actual URL request to that IP. While there are other services that hide a user’s IP from the server, such as proxy or VPN, these often require a trusted third party like a VPN provider. Tor provides a decentralized and trustless solution where a user would not have to trust a proxy provider or VPN provider and instead would just have to trust the integrity of the protocol’s implementation (the code/software).

 How Does Tor Work

Tor is not like the encryption applications such as GPG, Signal, or WeChat where two people can communicate securely. It has a high level of anonymity. But to achieve this, it requires a network of users to run. These users run Tor nodes which other users can use to send their traffic through. To be specific, it requires at least three nodes to work (though it requires many more to actually achieve anonymity). However, simply proxying traffic through three nodes will not provide anonymity as an attacker could compromise any of the nodes and work their way back to the original user. 

What Tor does is adds three layers of encryption where traffic between each node is encrypted with a different key. So the user and the first (or “Entry”) node have their own key, the user and second (or “Middle”) node have their own key, and the user and third (or “Exit”) node have their own key. As the traffic is sent, it is subsequently decrypted by each node so that by the time it reaches the final node, it is unencrypted (unless otherwise encrypted by a different protocol like HTTPs).
 

 

Finally, each node has no knowledge of any non-connected node. So the “Exit” node has no knowledge of the “Entry” node and is only aware of the “Middle” node and the destination.

Is Tor Secure? That is a good question.

Villains Beware! But what about Mr. Robot? In the very first scene of the series, we see Elliot confront “Ron”, a coffee shop owner. Unfortunately, for Ron, fortunately for the world, Elliot discloses that he discovered that Ron is running a Dark Web website that serves photos of abused children to 40,000 users who connect through the Tor network. 

../../../../Downloads/ezgif.com-video-to-gif.gif

 

With our knowledge of Tor and the Dark Web, we can view this scene with a greater understanding of what Elliot is actually saying. So let’s dissect what Elliot actually did to take down Ron.

 

Elliot says “I started intercepting all the traffic on your network. That’s when I noticed something strange.” What exactly does Elliot mean? First, we know that Elliott was sniffing traffic on Ron’s local network. This can be done in many different ways. For this to work as Elliot described, the traffic from Ron’s Tor website would have to be sent through the local network where Elliot has positioned himself. But does this make sense? For now, let’s assume that Elliot could only view encrypted Tor traffic leaving the Coffee Shop. If this is the case, Elliot is not exactly saying he could read the traffic itself. He is just saying that based on the traffics general profile, he can tell that the traffic is Tor traffic. This is very close to reality as Tor traffic is insanely easy to recognize. A third party on the network such as an Internet Service Provider (Comcast, AT&T) or, in this case, Elliot, can instantly recognize the traffic as Tor traffic even though they can’t read the actually data being sent. 

 

Elliot provides one final clue as to what approach he took to hack Ron by mentioning that he was “in control of the exit nodes”. Now Ron is running the website, therefore his coffee shop is the destination. From what we know about exit nodes, the data between the exit node and the destination is not encrypted. If Elliot was between the exit node and the destination, he would not even need to compromise the exit node.

Therefore, this scene unfortunately does not make much sense. There are many scenarios where this sort of situation could take place and Elliot would need to compromise an exit node in order to deanonymize Ron’s traffic; however, the show does not provide us with enough information for us to paint a clear picture of what actually happened.

  • The Use Case

In Mr. Robot and in popular culture in general, Tor and the Darknet are often villainized as criminal tools that no upstanding citizen would associate themselves with. And while there certainly is a thriving dark market economy that deal in illicit activities and goods, there are also many good use cases for the average internet user to user Tor. For instance, in some areas of the world, Tor is a vital tool for resisting injustice. In countries whose governments require internet service providers to monitor and log traffic, Tor remains one of the few options for securing your privacy. And not just privacy against government. If an ISP were required by law to log and monitor traffic, wouldn’t it make it a juicy target for malicious actors who want to steal that data? And due to their cooperative nature with government institutions, if an ISP were ever compromised, would it be made public? Would you know that your entire internet history is available on the dark market or is sitting in the database of some nation state? Tor is just one tool that can help you stay safe from these sorts of situations.

  • The Final Verdict

Mr. Robot doesn’t always get it 100% right. But they are truly unique in their ambitions to do so. And despite this ability the reconcile some inconsistencies with Elliot’s story at Ron’s coffee shop, if Ron had been a user of the Darknet site and not the server (destination), Elliot’s attack could have theoretically been possible as he is describing a real attack on the Tor network. Because Tor is decentralized, anyone could run a Tor exit node. It would actually be surprising if certain three letter agencies were not running exit nodes for the simple purpose of performing an exit node attack where the maintainer of the node can read the unencrypted traffic being sent through the network. In doing so, the attacker could potentially deanonymize the Tor user if the user sent any personal information through the network unencrypted. For instance, if they logged into an account and submitted their email. For this reason, it is necessary to use HTTPs or an additional layer of encryption when using the Tor network.

Miss Part One? Check out Hacking IRL: What Mr. Robot Teaches Us About Cybersecurity.

Interesting Links:

https://motherboard.vice.com/en_us/article/mgbdwv/badonion-honeypot-malicious-tor-exit-nodes

https://www.torproject.org/https://www.youtube.com/watch?v=QRYzre4bf7I

Jim Holcomb is an Associate Security Consultant at Evolve Security. When he isn't colluding with our reptilian overlords, Jim enjoys developing applications and pentesting tools with Python. Questions? Email info@evolvesecurity.io

Topics: Insights

Read the 1871 Blog for news about the Chicago technology and entrepreneurship community, as well as helpful tips, guides, and insights into the startup and investment world.

Subscribe to Email Updates

Recent Posts

1871 On Instagram