Ang Cui: Behind the hacker monitor & Mr. Robot & # 39;



The average viewer probably does not spend much time browsing GitHub, the code repository popular with developers and security researchers.

This does not apply to the creators behind "Mr. Robot", the successful Amazon Prime series that is very popular with technicians because of its technical accuracy.

The show features Remi Malek as Elliot Alderson, a security researcher struggling with delusions and paranoid visions, and articulates his exploits as part of the (fictional) group society. hackers.

Read more: Here's why the US is terrified by a Chinese company controlling the 5G networks of the world

Kor Adana, a writer and researcher in the series, and its creator, Sam Esmail, incorporate real exploits and tributes to hacker culture, and are known to have thrown Easter eggs over the episodes to set Reddit on fire. .

"When these episodes are aired, I do not watch them, I watch Reddit and Twitter and see what people are saying," Kor Adana told Wired in 2016.

The attention to detail by Adana and Esmail meant 15 minutes of fame for a real world security expert and his company, whose feat was incorporated into the third round of Mr. Robot in 2017.

A warning: some light spoilers for the third set follow.

The hack

Elliot Alderson, the mean character of Mr. Robot.
United States

In the third series of "Mr. Robot", the main character Elliot Alderson – portrayed by the actor Rami Malek, who has just received an Oscar – is being watched by the FBI, who can see all that he done on his computer. It is not clear in the series how Alderson, himself a talented hacker, could have been compromised in this way.

But the file names and emails that appear briefly on the screen refer to "Monitor Darkly" – the name of a real-world exploit published by the Red Balloon security company in 2016.

Ang Cui, CEO of Red Balloon Security, focuses on security in embedded devices. Embedded devices are essentially anything that contains a small computer running its own dedicated software: MP3 players, dishwashers and even hospital equipment can be considered as embedded systems. The term does not really mean laptops or desktops.

In this case, Red Balloon has examined the PC screens, which contain processors to determine the pixels that you see on the screen.

"There is a small computer inside the monitor itself," Cui told Business Insider. "It's a general-purpose embedded computer. It runs on an operating system that few people on the planet know or know is inside it. It not only controls how the monitor displays pixels, it also sees every pixel shown. "

For a hacker who wants to scare a computer user, this is an easier way than usual to do it.

"If I wanted to come hack you, I could compromise your browser, I could go through the computer, the network and try to compromise billions of dollars in research and development that put the SSL lock on your banking site," he said. said Cui. . "Or, I can run code in the monitor and invert those pixels."

The result is that a hacker could manipulate the images on your monitor to give the impression that you did not have money in your bank account. In the extreme, piracy could wreak havoc in a nuclear power plant, as highly sensitive locations also rely on embedded systems.

"We had a demonstration where we changed the red light to green light for an industrial control system," Cui said.

This could trap a human being by asking him to disable basic equipment such as a centrifuge. "You would not need to disassemble a centrifuge, you could just ask a human to do it for you," he added.

Cui and his team found that no monitor was immune to the attack. They worked with screen makers such as Dell to solve the problem and published the exploit on GitHub where, presumably, it was spotted by the authors "Mr. Robot".

"There was nothing for a year, then hundreds of comments on our GitHub report [repository], "said Cui. In fact, they included the link to our GitHub in the series, a group of people found it and he highlighted the code and the presentation we made. "

In the perhaps typical "Mr. Robot" style, no one really told what happened to Red Balloon – they just found the result from all the comments and inbound links. "They never really told us," Cui said.

The editors did not facilitate the search for this Easter egg either. Here's an enterprising YouTuber looking for references in the series, then a bunch of steps to unlock a QR code leading to the Red Balloon GitHub repository:


Source link