Jim Holcomb is an Associate Security Consultant at Evolve Security. When he isn't colluding with our reptilian overlords, Jim enjoys developing applications and pentesting tools with Python. Questions? Email info@evolvesecurity.io.
The last time we checked in on Elliot and the gang we discussed Tor and took a deep dive into the Dark Net. Since then, we are well into Season Three of Mr. Robot and the hacks are better than ever. Much has occurred throughout the season with many Easter eggs hidden here and there, but there is one core hack that this season has revolved around: the hack of the Uninterruptible Power Supply (UPS).
Guest Author: Jim Holcomb, Evolve Security
The security (or lack thereof) of the Evil Corp’s UPS is so critical to this season’s plot that I feel it’s appropriate to take some time to understand what a UPS is, why it’s important, and how the Dark Army and Elliot are fighting for control of it.
(Spoilers ahead for Season 3 Episodes 1 – 5)
In our first installment of this series, we discussed how fsociety (with the help of the Dark Army) used a femtocell device to perform a Man in the Middle (MitM) attack against the FBI to steal their data. What we didn’t talk about at the time was how the Dark Army took advantage of that hack to install a backdoor on Evil Corp’s internal network, a backdoor that would later let the Dark Army reach Evil Corp’s UPS during Stage 2.
What is Stage 2, you ask? Stage 2 is Mr. Robot’s plan to complete his revolution by destroying all of Evil Corp’s physical records, which consist of credit card records, loans, and other financial data. In the wake of the 5/9 attack from Season 1, Evil Corp has been consolidating its physical records from across the country and depositing them in its New York facility. This is known as a central (single) point of failure: an element of a system whose failure brings down the entire system.
And for Mr. Robot, the New York facility, filled with all of Evil Corp’s records, is the perfect target to take down Evil Corp once and for all.
But how do you hack a building? You may be thinking that Mr. Robot plans on attacking the building’s security system with some epic hack and stealing the records. Well, no. He’s going to blow it up… over the internet. This is where the network-connected UPS comes in. Mr. Robot, in collusion with the Dark Army, plans to install a malicious firmware update on Evil Corp’s UPS system at the New York facility, one that will disable certain failsafe controls, allow the system to overheat, and destroy the building.
Before going forward, let’s talk about what a UPS is, why it’s used, and whether this proposed attack is actually feasible. UPS devices are popular in datacenters, server rooms, or in any scenario where continuous power is desired. For example, some servers may need to power off gracefully rather than shutting down immediately in the event of a power loss. A UPS provides a good stopgap and allows the server to continue to function either until a backup generator has started or the machine has safely powered down. However, the use cases for UPS devices don’t stop at servers and datacenters. You could have security systems or power-intensive appliances that require a continued flow of electricity to avoid dangerous or unwanted scenarios.
Okay, but how can you “hack” a UPS? There are two core elements to explaining the feasibility of this type of hack. First, a UPS, as with many devices, has firmware. Firmware refers to code or programmable controls that operate at a very low level. For example, the UPS may not only need visibility into variations in electrical current flowing through the UPS but may also need to perform actions based on that information, such as notifying a centralized controller with an alert or doing other things such as throttling the current.
Elliot discovers Mr. Robot’s plan at the end of the second season. And while Elliot has no love for Evil Corp, he also has no love for blowing up buildings in the middle of New York. But how will he foil the Dark Army’s plans? Well, he has a multi-layered approach that will kick the Dark Army off of Evil Corp’s network and keep them from returning.
Because of Elliot’s involvement in installing the backdoor in Evil Corp’s network during the femtocell hack, he has some key information that will allow him to hijack the backdoor, such as knowledge of the C2 server’s domain. What’s a C2 server? C2 stands for “Command & Control”. It typically refers to a server that malware calls out to and gets orders from. Often, malware will query the C2 server at a set interval and ask it for new commands to run on a victim’s system. And while malware could reach out directly to the C2 server’s IP, in this case it actually uses a domain name. So when the malware wants to reach the server, it first makes a DNS request to get the IP address it should talk to. This means that whoever controls the domain name controls the malware. Taking over the domain name (or attacking other elements of the DNS system) is known as a DNS attack.
Luckily for Elliot, he knows the domain name. Therefore, instead of attacking the C2 server directly, he simply attacks the domain name provider (Domain Registrar), and points the C2 domain name to his IP. When the malware reaches out to the domain, it is directed to his server where he can issue commands. Thus, he successfully kicks the Dark Army off of Evil Corp’s network.
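The defender’s side of the beaconing behaviour described above (malware resolving its C2 domain at a set interval), as an added example that is not from the post: it scans constructed DNS resolver log lines for a client that resolves the same name on a near-fixed schedule. The log format, hostnames and IP addresses are made up for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed resolver log lines (timestamp, client IP, queried name); not from the page.
const sampleLog = `2017-11-01T10:00:00Z 10.0.0.7 relay.example.test
2017-11-01T10:00:03Z 10.0.0.7 news.example.test
2017-11-01T10:05:00Z 10.0.0.7 relay.example.test
2017-11-01T10:10:00Z 10.0.0.7 relay.example.test
2017-11-01T10:15:00Z 10.0.0.7 relay.example.test
2017-11-01T10:18:20Z 10.0.0.7 news.example.test`

// PeriodicLookups returns the "client name" pairs resolved on a near-fixed interval:
// at least minQueries lookups whose longest gap exceeds the shortest by at most
// tolerance (a fraction). A fixed check-in interval is the C2 beaconing pattern.
func PeriodicLookups(log string, minQueries int, tolerance float64) []string {
	seen := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		if f := strings.Fields(line); len(f) == 3 { // skip malformed lines
			if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
				seen[f[1]+" "+f[2]] = append(seen[f[1]+" "+f[2]], ts)
			}
		}
	}
	var hits []string
	for key, ts := range seen {
		if len(ts) < minQueries {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		lo, hi := math.Inf(1), 0.0
		for i := 1; i < len(ts); i++ {
			g := ts[i].Sub(ts[i-1]).Seconds()
			lo, hi = math.Min(lo, g), math.Max(hi, g)
		}
		if hi <= lo*(1+tolerance) {
			hits = append(hits, key)
		}
	}
	sort.Strings(hits) // deterministic order for callers
	return hits
}

func main() { fmt.Println("possible beacons:", PeriodicLookups(sampleLog, 4, 0.1)) }
```

Periodicity alone is a lead, not a verdict: legitimate update checkers poll on a schedule too, so a hit is something to enrich with the resolved IP and the domain’s registration history before acting on it.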
After kicking the Dark Army out of the network, Elliot still feels uneasy about the hack and is concerned that the Dark Army may find another way into the network. He petitions Angela to get him a job at Evil Corp so he can work on protecting the UPS system. Elliot spends his days redirecting Evil Corp’s records across the country in an attempt to mitigate their central point of failure. However, that is not all he does. He actually patches the UPS’s system and modifies the UPS’s firmware so that it only accepts updates that possess a valid Evil Corp digital signature.
Protecting firmware via digital signatures is actually considered a best practice in the security world. It is a fantastic way to protect your embedded devices. Any time you distribute code over the internet, there are inherent risks that the code can be tampered with in transit. For instance, an attacker could intercept the traffic and inject malicious code that would be delivered to the end user or device. Additionally, there are also risks that the code may be altered after delivery. When a package is installed, it may be prudent to check the digital signature before running or loading that package or code.
So how do digital signatures work? While I’d recommend referencing other sources to get a clearer explanation, I’ll provide some information about what a valid digital signature does. A valid digital signature will provide the user (or in this case the UPS system) with an increased sense of certainty that the data (a.k.a. the code) has not been changed and that it was sent by the owner of the private key (or in this case Evil Corp). In our scenario, Evil Corp could sign the update with their private key, and provide the UPS with the digital signature. The UPS device can then use Evil Corp’s public key to ensure that it was truly sent by Evil Corp before the UPS installs the update. In the world of Mr. Robot where no system or network is safe from hacks, this is not a bulletproof security measure as it becomes useless if Evil Corp’s private key is compromised by the Dark Army. The Dark Army could then use the private key to sign their own malicious update that the UPS would accept. Despite this, using a digital signature is a good security measure to have in place as long as the private key is securely stored and will definitely make the Dark Army work harder if they want to compromise the UPS system.
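A minimal version of the signed-update check described in the two paragraphs above, as an added example that is not the post’s or any UPS vendor’s code. It assumes an Ed25519 key pair (the post names no algorithm) and a made-up update layout of magic bytes, firmware image and trailing signature; the vendor signs with the private key, and the device verifies with a public key it already holds before installing anything.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed update layout (not a real UPS vendor format):
// 4-byte magic | firmware image | 64-byte Ed25519 signature over the image.
var magic = []byte("UPS1")
var ErrBadUpdate = errors.New("update rejected: malformed or bad signature")

// SignUpdate is the vendor-side step: sign the image with the private key
// and package image and signature together for distribution.
func SignUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	blob := append([]byte{}, magic...)
	blob = append(blob, image...)
	return append(blob, ed25519.Sign(priv, image)...)
}

// VerifyUpdate is the device-side step: the public key is baked into the
// UPS firmware, and the image is returned only if its signature checks out.
func VerifyUpdate(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < len(magic)+ed25519.SignatureSize || !bytes.HasPrefix(blob, magic) {
		return nil, ErrBadUpdate
	}
	image := blob[len(magic) : len(blob)-ed25519.SignatureSize]
	sig := blob[len(blob)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, ErrBadUpdate
	}
	return image, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // vendor key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the vendor never issued
	image := []byte("constructed firmware image v2")
	_, err := VerifyUpdate(pub, SignUpdate(priv, image))
	fmt.Println("vendor-signed update accepted:", err == nil)
	tampered := SignUpdate(priv, image)
	tampered[len(magic)] ^= 0xff // flip one image byte after signing
	_, err = VerifyUpdate(pub, tampered)
	fmt.Println("tampered update accepted:", err == nil)
	_, err = VerifyUpdate(pub, SignUpdate(otherPriv, image))
	fmt.Println("update signed with a different key accepted:", err == nil)
}
```

If the vendor’s private key itself leaks, SignUpdate run with that key passes VerifyUpdate unchanged, which is exactly the caveat above: the check is only as strong as the storage of that one key.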
Throughout the rest of the season, Elliot and the Dark Army play a game of cat and mouse as both attempt to stay one step ahead of the other in their efforts to gain control of the UPS system. As we’ve only covered the first few episodes of Season Three, I won’t go into more detail about whether or not Elliot was successful in fending off the Dark Army’s attacks on Evil Corp’s UPS system.
The fight over Evil Corp’s UPS system mirrors some real-life trends in internet-connected devices and appliances. In reality, many devices and appliances that you wouldn’t normally think of as networked are connected to the internet or to an insufficiently protected internal network. And with the rise of the Internet of Things, the number of insecure devices vulnerable to exploitation increases every day. As today’s innovation is tomorrow’s relic of the past, we need to consider what we can do to protect ourselves. First, don’t connect anything to the internet unless you are prepared to keep it updated. Second, do your due diligence and ask hardware manufacturers how they release updates. Do they sign their updates? Do they even issue updates at all? At what interval? The headline about a hacked dishwasher burning down a family’s house is only a few years, if not months, away. Third, if you do have a device on a home network, make sure you have a firewall up and running that blocks incoming connections. Don’t rely on the device itself to deny incoming requests. Finally, don’t trust your toaster. It’s up to something.
Season Three of Mr. Robot has been phenomenal so far, and one of the things that has made it so great is its commitment to realism. Would hacking a UPS blow up a building? Probably not, but it would definitely cause some damage if done correctly. And that’s what makes Mr. Robot so fun to watch. We’re forced to consider these attacks and their viability in the real world.