Cyber Security

Is Mr Robot a good representation of real-life hacking and hacking culture?

QA Cybersecurity trainer James Aguilan looks at several scenarios featured in the hit US TV series Mr Robot – and how they may represent real-life hacking.

Mr Robot is an American thriller drama TV series that depicts hacking culture. Elliot, cybersecurity engineer and hacker, is recruited by an anarchist to join a hacktivist group called "fsociety". The group aims to destroy all debt records by encrypting the financial data of the largest corporation in the world.

This blog post focuses on several scenarios and how they may represent real-life hacking.

Scenario 1: Eavesdropping on a coffee shop public WIFI (man-in-the-middle attack)

In the beginning, Elliot confronts a man who owns a coffee shop. He confesses that he intercepted the WIFI network traffic. Knowing that most public WIFI networks are unencrypted, this is completely possible.

Anyone can join the network, and anyone who joins the network can eavesdrop using simple web traffic analysing tools such as Wireshark. Any communication that is not properly encrypted, including email or your browsing data, can be viewed by attackers.

To prevent falling victim to a man-in-the-middle attack, avoid using unsecured public WIFI networks. Additionally, if you must use public WIFI, use a VPN and make sure your traffic is encrypted by looking at the green lock in the upper URL bar.

Scenario 2: Elliot exposes child pornography site owner in the dark web (hijacking session or brute-forcing cookies)

Elliot gains access to e-mail, figures and pictures. He figures out that the owner runs a child porn website on the Tor network. Tor can be used to maintain anonymity on the internet. How exactly he hacks him is not shown, but he does say, “Whoever is in control of the Tor exit nodes, is also in control of the network.”

When you intercept traffic, you can launch an exploit against the Tor browser when JavaScript and plug-ins aren't disabled. The NSA FoxAcid programme tries to exploit Tor users. However, how Elliot gets control to the exit nodes (or how many exit nodes) are not mentioned.

That a single person could have controlled enough exit nodes to do this is a bit dubious. Assuming he did so possibly through unencrypted network traffic, or a way to get his SSL certificate accepted by users without raising suspicion, or via a known vulnerability such as brute-forcing cookies and hijacking the session of a logged-in user, intercepting information when controlling the exit nodes can take a very long time.

In addition, breaking TOR anonymity or sniffing TOR traffic in a targeted and systematic way requires advanced state actor capabilities and funding. Typically, it is very opportunistic, and mainly applies to applications that do not use SSL. This scenario is therefore quite impractical and unrealistic.

Scenario 3: Elliot hacks personal accounts (social engineering)

Elliot gets the password by using a custom script and using a combination of a wordlist and a brute force attack. This password is based on the character's favourite artists and the year she was born, but written backwards.

A lot of people have this type of information on social networks sites and reuse passwords. These types of attacks exist in real life and this scenario could be possible. Even with today’s advanced security solutions, hacking into personal accounts such as email, dating services, and social media is relatively easy.

The attack is usually based on brute force attempts to crack your password. This is unfortunately still effective, especially with ready-made, off-the-shelf tools that are available to anyone who wishes to launch such an attack. Choose strong passwords for your accounts, do not share the same password across accounts, and apply two-factor authentications when possible.

Scenario 4: E-Corp servers are attacked as a diversion to another attack on the servers (DDoS)

Needless to say, this is realistic. A Distributed-Denial-of-Service (DDoS) attack targets a business or important online resource and renders it unusable to the public by overwhelming it with traffic from multiple sources. This can affect daily business operations.

DDoS attacks at 3am and the fictional E Corp is down for one hour, resulting in a total revenue loss of approximately $13 million. In reality, DDoS attacks can cause severe revenue losses. The average DDoS attack costs a business roughly $40,000 per hour. This technique has been used in several past real-life security incidents, most notably the Sony PlayStation breach in which the account information of 77 million users was stolen under the cloak of a large-scale coordinated denial-of-service attack.

Network protection is not enough. You must also protect your data.

Scenario 5: Infected E Corp servers crash on boot-up (Rootkit)

Elliot recommends restarting the services that are not coming back up. After rebooting the services, there is a "destination unreachable" error for the servers' IP-addresses. Then a connection rejects because too many connection errors are shown.

A custom script is used for a port scan to uncover which users are logged in and Elliot determines hackers have broken into the server. Elliot says the attack is coming from IP-addresses from everywhere around the world and Elliot's boss suggests to use a load balancer to redirect traffic to counteract the DDoS attack. However, Elliot doesn't think that it is just a DDoS attack, but that there's a rootkit inside the server as well.

They redirect the traffic to another server and update some network settings. After that Elliot checks the running processes at the infected server and inspects some files – he uncovers a rootkit install. A rootkit is software that is made hard to detect and remove and can completely take over the system, and install, change or delete everything it wants to.

These rootkits run as part of the operating system itself with the highest privileges and can modify start-up code like Master Boot Record (MBR) and crash the server on every restart. Removal of kernel-mode rootkits often results in the reinstallation of the operating system. Therefore, it is advisable to back up your server data regularly.


Mr Robot is a great TV series and it offers some real-world advice on how to keep your data and systems secure. Overall, it provides a realistic depiction of what is possible. Mr Robot has been widely praised for its technical accuracy by numerous cybersecurity firms and bloggers who dissect and comment on the technology and the technical aspects of the show after every episode.

The only issue is how fast he hacks. The speed at which Eliot hacks isn't possible with standard computers, but it suits a typical TV episode, and the process is pretty realistic. Typically, a hacker would need to spend some serious time finding potential security issues that can be exploited. Social engineering takes time and brute force attacks take time. With somewhat complex passwords, it can take months to directly crack a password.

Cyber Security training from QA

QA have uniquely positioned themselves to help solve the cyber skills gap with our programmes from CyberFirst, Cyber Apprenticeship and Cyber Academies to Cyber Challenges, training and certifications, and consultancy for cybersecurity.

We offer end-to-end cyber security training and certifications, including Cyber Awareness, deep-dive cyber programmes and solutions, Cyber Investigations, Cyber Crisis Management, Proactive Security and Offensive Defence.

QA only employ world-leading cyber trainers who have the expertise to deliver bespoke cyber solutions, GCHQ-accredited courses and, proudly, the CyberFirst programme. This is all to support in tackling the UK's National Cyber Security skills shortage.

QA also have state-of-the-art CyberLabs, where companies can simulate real-life cyber-attacks on their infrastructure, helping them to prevent and combat breaches without risking their own network.