How accurate are the Mr. Robot hacks?
Pretty accurate, thanks to people like James Plouffe, lead solutions architect at MobileIron, based in Mountain View, Calif. In addition to his day job at the enterprise mobility management vendor, Plouffe also serves as a technical consultant on Mr. Robot. In that role, he works with the show's writing team and producers to accurately depict information security and hacking -- often drawing inspiration from real-life cyberattacks and exploits, such as Stagefright.
In part one of SearchSecurity's interview with Plouffe, he discussed MobileIron's recent report that shows enterprises aren't doing enough to protect themselves from mobile threats. In part two of the interview, he discusses Mr. Robot hacks and how the show achieves its level of detail and authenticity, as well as big-picture trends for mobile security. Here are excerpts of the interview with Plouffe. You can also listen to the full interview on the "Risk & Repeat" podcast.
There was a lot of talk there about mobile threats, mobile malware and hacks at Black Hat 2016. Looking back, do you think that at least helped the conversation and made it harder for enterprises to keep their head in the sand?
James Plouffe: I certainly hope so. And I think if Black Hat didn't help advance that, then, certainly, all the news we've seen just recently about Pegasus malware is going to draw a lot of attention for that. There are indications based on some of what [mobile security firm] Lookout has published that Pegasus has actually been in the wild for almost three years because there are sort of things referencing code that would've been in iOS 7. And, obviously, Pegasus is a specialty case and it has specific targets. But at $25,000 a crack, some people are worth that amount to attack. ...
The other thing that we've seen with all of these sorts of security issues over time, for better or worse, is they also get more democratic. They get more widely spread, more people are able to use them and it requires less technical sophistication [to use them]. So, hopefully, this is kind of a sit-up-and-take-notice moment that will help people sort of acknowledge that there's work to be done.
On the good-news side, are there any silver linings? What can we hang our hats on for mobile security?
Plouffe: I think the good news is that OS vendors are really starting to take this very seriously. So, when we look at the snapshot of our report in the preceding quarter, Apple and Google both dropped three security-patch updates in that time. And so, I think one of the great things that has happened is folks being very responsive to these threats; folks like Apple and Google are betting big on what these [OSes] mean for enterprises, and they need them to be secure. And so, they're taking the threats very seriously. And I think you're seeing a lot of other folks, like the Lookouts of the world, bringing extra value, looking for [security flaws and mobile threats]. We're positioning ourselves better to be able to address these things in a more timely fashion, and I think that's probably the big upside.
I would also say that, right now, we still can't point to a major enterprise breach that we can attribute directly to mobile. And so, hopefully, we'll keep that going. Eventually, we'll lose the cat-and-mouse game at some point, because you can't play 1.000 baseball. I think the other kind of interesting dynamic to some of the other breaches that are out there that you might attribute to mobile, like the celebrities' iCloud hack, it really came down to password reuse. It wasn't even necessarily the device getting compromised; it was just bad upkeep of your accounts. And we've seen that happen a lot. It happened with GoToMyPC, and we just saw it from Dropbox earlier this month.
You've talked a lot about mobile device management (MDM). Where do you see that going now with the move to enterprise mobility management (EMM)?
Plouffe: It's part and parcel of the same thing. We sort of look at broadening our scope at MobileIron. MDM is really about turning knobs on devices, and I think there are definitely certain problems you can address in that space. But when you look at EMM, you start to look at what sort of interesting things you can do with application management. That comes down to both the deployability and also securing the applications. MDM was the precursor to a lot of the problem that you were really trying to solve: It was an apps and data question from Day 1, but the only way you could deal with it was really by turning knobs on the device. Now, we're starting to get more granularity around what we can do with the applications with EMM.
You also work as a technical consultant on the television show Mr. Robot. How did you get involved with the show?
Plouffe: I'll skip right to the moral of the story, which is be nice to your interns, because they might work in Hollywood one day. One of the guys who's a staff writer on the show, and who you've probably actually seen in some of the news lately, [is] Kor Adana. His official title on the show is staff writer and technology producer. I happened to bump into him actually in [Los Angeles International], and we'd always kept in touch since he'd been an intern. He had moved out to [Los Angeles] to kind of do his thing, but I hadn't seen him in a while. He said, 'Hey, I've got something going and would it be all right if I called you if it comes together?' And I said, 'Yeah, sure; you can always call me.' And so he did one day -- and he said, 'So, here's what I've got going, and by the way, you're on speakerphone with the writers' room [for Mr. Robot].' And I just thought, 'Well, that's a lot of pressure, but OK.'
And so, his particular passion and how he kind of got connected with Sam Esmail, the producer and creator of Mr. Robot, was that he always wanted to see technology depicted more realistically in television and movies, and that's an idea that Sam is very much on board with.
So, when they started mapping out the first season, they had a couple of tech consultants working on the show, of which I was one. And so, they would call to make sure that the things that they were putting into the show made sense to people who worked in technology and were more or less plausible.
The show's gotten a lot of great reviews, and it's been lauded particularly for its accuracy and the level of detail, starting with the first scene of the first episode, where the main character, Elliot Alderson, is talking about Tor and the coffee-shop owner running a secret website on the side. Were you surprised that that level of detail was actually in the show and that they more or less got it right?
Plouffe: I was, actually. And it's interesting that you bring up the pilot because that was actually written and shot well before my involvement with the show. And if you look at the show, there are a couple of flubs in there; I think there is an IP address that has five octets and an IP address that starts with a three, but they're minor little goofs. It's the sort of thing to the uninitiated that kind of sails right by. It's also not as glaring as some of the things that you see like in pick-your-favorite-hacking-movie, because most of them do it wrong.
Plouffe: So, I was surprised by that, and what I found interesting going into it is that they were very serious about it from Day 1. The writing staff didn't need encouragement to go down that path; they were shooting for authenticity right out of the gate. And so, when we would talk through different scenarios with them, and they'd say, 'Well, is that how it would really happen?' [Editor's note: It turns out some of Mr. Robot's hacks are based on real-life scenarios.]
But, at some point, you have to remind them that they're trying to tell a story, and that if you actually did the hacks in the real amount of time certain things would take, then it would be tediously boring and the show would be eight hours long. So, you'd have to say, 'You have jump cuts at your disposal, take advantage of those.' But they were always saying from very early on, 'We want to make sure that we get this right.'
I think one of the other interesting things that they do, and I don't know how much this gets discussed, is they make their computer effects practical. So, in a lot of shows when people are interacting with the screen, it's actually green screen, and they go in and animate after the fact. They actually have animators building the stuff, so the actors have to interact with the keyboard to make something happen, and they shoot that basically live, rather than doing the green screen after. I think that is really interesting because I know it's got to be a pain in the neck for the actors and the staff. Working with Kor, he's called me up super late at night sometimes and said, 'You need to help me put this screenshot together, because we've got to shoot this scene tomorrow, and I have to tell Rami [Malek] how to do it.' And I know I'm not the only one he calls for those sorts of things. So, it's really interesting, but it's been very gratifying as well.
Going back to your point about getting enterprises to recognize what's going on [in part one], you must feel like Mr. Robot, in its own small part, is at least putting it out there that, 'Hey, this is happening, and there are information security threats and they need to be taken seriously. Look at what can happen when you don't take it seriously.'
Plouffe: Yes, I certainly hope that's the case. And when I compare it to kind of other shows in that vein -- well, it's probably not fair to say that CSI: Cyber is exactly the same vein -- but when you look at shows like that, it feels like their representation of information technology and information security, in particular, can feel so disconnected from reality.
A co-worker of mine sent me a giphy from NCIS, where it's two people typing over the keyboard, and so four hands on one little keyboard -- because the faster they can type, the more likely they are to stop this threat or whatever. The liability with that is that doesn't even look realistic to a person who doesn't know any better. And so it just separates that whole conversation and makes people say, 'Ah, this stuff is just weird, wacky magic that only six nerds in the world can do.' And it's not. We've seen that information security has become sort of the new domain of organized crime, and so it's very important that we get on top of this stuff. And if Mr. Robot and its depiction helps that happen, then, certainly, I can feel good about that.
Last question: Would you say that, having worked on the show and worked for as long as you have in the security field, that you are as paranoid, for lack of a better term, as Elliot Alderson?
Plouffe: I'm probably not quite as paranoid as him. And, sometimes, I wonder if I'm as paranoid as I should be. But I try to take a fundamentally optimistic view of the world. I realize that we all could be targets. But I don't reuse my passwords; I do change them with some degree of frequency, and I try to do sort of the basic security hygiene to be a safe citizen on the internet. But maybe I'm not paranoid enough [laughs].
It sounds like you're doing enough. And maybe Elliot's level of paranoia is unhealthy, given what we've seen on the show.
Plouffe: Yes, fair point.