[Spoiler Alert] This article may spoil some of the surprises from Mr. Robot episode eight. If you haven’t watched it yet, you should. That way you can come back to this awesome article to learn how much tech the episode gets right.

My brain hurt a little after watching the last episode of Mr. Robot, and that’s a good thing.

LATEST IN A SERIES: Corey Nachreiner, CTO at Seattle-based WatchGuard Technologies, is reviewing episodes of Mr. Robot on GeekWire. The show airs on USA Network on Wednesdays at 10 p.m. Join the conversation on Twitter using #MrRobotRewind, and follow Corey @SecAdept.

Tyrell is in on it with Fsociety!?! WTH!

How can Tyrell’s wife be so intriguing and dreamy, and yet horribly terrifying at the same time?

“Luke, I’m your father” (which means Leia is your sister).

Is Elliot’s father real, or a figment of his imagination?

Every week, I’m dissecting Mr. Robot episodes to tell you how technically accurate the show’s hacks are. Episode 8 was especially intense, with some great narratives that answered questions and created new ones. This show knows how to deliver a well-planned twist. I don’t think I can cover the hacks without at least getting a few narrative thoughts off my chest:

Phew… with that done, let’s move on to the tech. This week, I’ll cover each hack, share what it gets right, what it gets wrong, and provide an overall accuracy grade.

Darlene’s safe cracking

The win: Lock picking, combination breaking and safe cracking are intimately tied to hacking, so the idea that a computer hacker is also familiar with safe cracking is quite plausible. Furthermore, Darlene ultimately cracks this safe by guessing the PIN. Some may have missed this, but she sees the victim’s MBA was awarded June 7, 2007 and guesses the pin is 6707. Unfortunately, humans have very predictable password habits, so this scene accurately illustrates an important password security lesson.

The fail: The idea that a hacker can guess your password on the first try from something they immediately see is just such a cliché Hollywood trope. In reality, it would probably take multiple tries before Darlene could crack the safe. Since watching someone spend hours trying different combinations would be boring, I can overlook this “shortcut.”

Grade: B-

The multiple climate control system hack

The win: In a previous article, I talked about how sneaking a device (in this case a Raspberry Pi) into an organization to gain illicit remote access to an HVAC system was technically plausible. However, E-corp has since copied all their backups from the single Steel Mountain facility, to four others. Fsociety now needs a way to hijack all five HVAC systems when they only control one. Earlier in this episode we see Elliot looking at an “Airdream Advanced Metering” webpage, which suggests he’s researching Advanced Metering Infrastructure (AMI). It’s true that there are solutions that allow you to manage and monitor many remote energy, climate control, or smart building systems from one central solution. An Fsociety member basically says he can’t believe Steel Mountain has all their facilities HVAC systems connected. So this is a plausible solution to their multi-site problem.

The fail: AMI has more to do with the Smart Grid and energy systems than it does with HVAC or climate control. So the whole Airdream Advanced Metering reference doesn’t really match the climate control theme, IMHO. Also, most disaster recovery and business continuity practices suggest that you have different offsite backup sites. E-corp seems savvy enough to use different backup providers, or to insist they use segmented systems. This multi-site issue got solved a little to conveniently for my taste.

Grade: C+

Gideon’s Honeypot update to Tyrell

The win: Honeypots exist, and they really do provide good decoys for attacks. In a nutshell, a honeypot is system that masquerades as a real server of some sort, in hopes that attackers might interact with the fake server rather than a real one. If you see someone interacting with the fake server, you know you have an attacker in your midst. Security researchers often use them to monitor how attacks work, in order to create protections against them.

The fail: Gideon’s description of honeypots isn’t quite right, stating they ensure attackers can’t cause any damage. Honeypots can act as decoys, but they don’t protect against damage. They only act as lures in hopes attackers connect to the wrong system. In this case, my guess is that Allsafe just replaced their real server with a virtual one that they had more monitoring on. I’m not sure I would call this a honeypot. Nonetheless, Fsociety planted their trojan on a real server, and they’ll need that server back to carry out their attack.

Grade: B

Tyrell’s command line exploration

The win: After talking to Gideon, Tyrell SSH’s to CS30 server (which is apparently now a honeypot) starts exploring the file system at a command line. His Linux commands are all pretty accurate; SSHing into the server, using Find with parameters, listing different directories with ls, and using vi to read files. He also notices the fake “fdinfo” directory called “fd1nfo,” and finds the fsociety file.

The fail: None really. Tyrell’s Linux skills are legit.

Grade: A

Wh1ter0se’s faraday cage

The win: In the episode, Elliot finally gets a face-to-face meeting with the infamous Wh1ter0se (BD Wong), leader of the Dark Army. It turns out that the entire Allsafe infection was actually just a long-term play to get Elliot’s attention. Before they finally meet, Elliot has to jump through a bunch of hoops designed to protect Wh1ter0se. For instance, Elliot notices that the meeting is taking place in a faraday cage, which is a space designed to block all electrical emissions. Paranoid security folks understand there are all kinds of ways digital signals can leak data (read about Van Eck Phreaking). It’s quite believable that a threat actor like Wh1ter0se would be paranoid enough to take such extreme precautions.

The fail: None that I found.

Grade: A

Elliot’s two-factor token hack

The win: Elliot needs to remove the honeypot, and reinstate the original CS30 server. To do so, he needs to hack Gideon’s system and masquerade as his boss. However, Gideon uses his phone for a second token of authentication, so Elliot needs temporary access to the phone to get that token. Elliot had to get Gideon to leave his phone unattended, distract Gideon while the phone is down and use it to get a second token. In reality, a security company like Allsafe would use two-factor authentication to improve security. Also, the show’s portrayal of this authentication process, including the limited time to use a token, is accurate.

The fail: There were many problems with the scene. Elliot’s scheme to send 100 large MMS files to Gideon’s phone to drain the battery is flawed. While it’s plausible that playing or processing large multimedia files could drain your mobile battery quicker, it wouldn’t have that impact in minutes or seconds. Also, while there are tools to SMS or MMS bomb mobile phones, these tools literally cause hundreds of text messages to pop up. Realistically, Gideon would notice that and get suspicious. Next, once Gideon puts down his phone, Fsociety distracts the entire office with a largely unexplained “Smart TV” hack. Though it’s true that there are many SmartTV vulnerabilities, I don’t think they are so trivial that Fsociety could force a video and lock the remote as easily as they did. Additional explanation on this hack would’ve been nice to validate it.

Grade: C-

Technical takeaways

So that covers the major hacks from this episode. There were also many other interesting and accurate technical points, such as:

Realistic references to real-world security products like certain brand firewalls.

Elliot using a virtual machine to open his CDR files, which is good OpSec.

Elliot’s reference to “reverse engineering malware.”

One big takeaway this week is two-factor authentication (2FA). While 2FA played only a minor role in this this episode, and Elliot even defeats it in the end, I still believe 2FA is one of the most effective, yet under-utilized security controls out there for businesses. If you haven’t implemented 2FA yet, you should consider it.

Well, that’s it this week. Join me in the comments to share your thoughts, and I’ll see you next week.