Hacker Keren Elazari rates 12 hacking scenes in movies and tv for realism
- Keren Elazari is an internationally recognized security analyst, researcher, author, and speaker.
- She analyses movies such as "Ocean's Eight" (2018) and "The Social Network" (2010) for realism.
- Other hacking scenes Elazari rates include "Skyfall" (2012), and "Hackers" (1995).
Keren Elazari was the first Israeli woman to give a TED talk at the official TED Conference with her presentation "Hackers: the internet's immune system." She is the founder of the security-community event BSidesTLV, and a senior researcher at the Interdisciplinary Cyber Research Center at Tel Aviv University.
She is also the founder of Leading Cyber Ladies, a professional global network for women in cybersecurity. The group aims to create a safe environment for women to develop public speaking and presentation skills, through meetups and talks. They also promote greater diversity and representation within the online security community.
Following is a transcript of the video.
- The probe used multiple SQL injections, but I've yet to find any compromised files.
Elazari: This is terrible! When I first saw this show, I shut down my TV that very second.
Hi, I'm Keren Elazari, a security researcher, author, and friendly hacker. I've been in the cybersecurity space for more than 25 years. I'm the founder of Israel's largest hacker community, BSidesTLV, and the Leading Cyber Ladies. Today, we're gonna take a look at some cool hacking clips from film and television and discuss, how real is it?
"Skyfall" (2012)
Elazari: Yikes! I wouldn't do that. That is bad, bad OPSEC. Bad operational security. The computer might actually be physically booby-trapped. If I had the computer like that, I was bringing it in for investigation, I might even x-ray it before I did anything with it. When we bring in a device for a digital forensics investigation, we usually open it up in a lab environment, not in the middle of our agency office. It's his omega site. I don't know the term "omega site." I think that's just added Hollywood jargon to make it look scary.
Q: Most encrypted level he has.
It wouldn't be a level. It might be a file or, you know, a segment of the hard drive. There's no levels. It doesn't look like this.
There's definitely no 3D, you know, moving animations of what the file is doing.
Q: Looks like obfuscated code to conceal its true purpose.
- OK, that bit is real. Yes, you could obfuscate your code, and malware authors often do this.
Q: He's using a polymorphic engine to mutate the code. Whenever I try to gain access, it changes.
Elazari: We have seen polymorphic code, specifically with malware. So, now we finally see a hex version of the code. Hex stands for hexadecimal. Now, hexadecimal means 16. You typically can see only 16 characters. 0 till 9, A to F. You won't see G. You won't see R. You won't see O. You can do a lot of things with code, and it can be beautiful, but it's not gonna look like a map. It's not gonna have these, you know, curly lines. This is something completely different.
I think this is maybe three out of 10, and I'm just giving them some points for, you know, putting in some actual, real-world terms, like malware, polymorphism, and code obfuscation, but that's pretty much where the realism ends, unfortunately, Mr. Bond.
Rating: 3/10
"Mr. Robot" S3E1 (2017)
Darlene: They're in the middle of the final round of the qualifier for a CTF.
Elazari: So, Elliot and Darlene are visiting a hacker space that is currently hosting a CTF. A CTF is a capture-the-flag competition, and this is a type of hacker game. It might be about decrypting a really unique piece of code or something like that. So, in this scene, they're in the qualifying rounds for DEF CON, and DEF CON is a real-world hacking conference. It's the world's largest hacking conference. There's even hackathons and CTFs that take place in Italian farms. Although the one they're at right now is extra-underground. I've been to CTFs at convention centers, university campuses.
Elliot: They let you save and load your game, restoring all the mines you found and all the shells you cleared. That's the weakness.
Elazari: What Elliot is doing could be even considered quite rude, having somebody shoulder-surf you like that. Yes, it does happen. However, for Elliot to, you know, within one second understand what's going on that screen, get all the context of that code, and then tell them how to win that challenge, I mean, I understand the show, of course, sets him up to be of above-average intelligence, but he would have to be like a supercomputer.
Elliot: The game trusts whatever data you give it to recreate the board. Poison the data. You can make it run whatever code you want.
Elazari: It sounds like the hackers need to reverse engineer or to take apart a Minesweeper-style game. This sounds quite realistic. It's actually based on the real-world CTF challenge from 2012. So I think it's really cool the show went to the trouble of getting a real-world hacking challenge.
[crowd cheering]
A CTF room can get loud, it can get sweaty, it can get smelly. It can be electric.
Elliot: All I have to do is hack the registrar and change the name server configs.
Elazari: What he's doing right now is very realistic, and it would have taken him a lot longer than it did. One does not hack a registrar in two seconds. Elliot needs to get in touch with the backdoor that they planted inside E Corp in the past season. In order to do that, he's utilizing the fact that backdoor, which is basically a computer software, has a hard-coded C2 domain. C2 in this context means command and control. And it's oftentimes where hackers or malicious criminals create a piece of code that's going to run inside an organizational network, but in order to be in a position to communicate with the backdoor, Elliot first needs to take over the domain. And the next thing he does, and we see him do it, is issue the command "shred." Shred is a Unix command to not just delete files, but also rewrite them so that the files would be much more difficult to recover, even with specialized forensic software.
I'm gonna rate this scene at nine out of 10. I'm only deducting the one point just because of how fast everything happened and how quickly those hackers let Elliot jump into their CTF game.
Rating: 9/10
"Ocean's Eight" (2018)
Elazari: Well, we can tell she's a hacker. She's got all those stickers on her laptop. Nine Ball, Rihanna, is using open-source intelligence, which is a fancy term for the internet. This is what's called a spear-phishing attack. She's not just going on a phishing expedition; she is spear phishing. She's targeting this particular individual with an email with a topic, something that he's really passionate about.
There are definitely attacks out there that would give an attacker control of your webcam, and they could even turn on your webcam and you wouldn't know that it's on. But it typically takes a little bit more time and a tiny little bit more interaction on the side of the victim. They would maybe run an application, install something. It will take a little bit extra.
These types of physical boxes that would allow you to unlock any passwords don't really exist for computer passwords. Many of you have a phone that if you put in the four-digit PIN or a seven-digit PIN and you get it wrong, the phone will get wiped after five or 10 wrong attempts. So those physical boxes in the real world, used mostly by law enforcement, would bypass that using all kinds of different tricks, but they would require physical access to be connected with a cable to their target device, to the phone. It makes sense that they require an additional password just to get access to that particular software. That's cool. That makes sense. However, this looks like a 12-character password, and it's got not just numbers, but also upper case, lower case, and special characters. For a password of that length, it would have about 94 to the power of 12 different possible combinations. That's a number so big that I can't even spell it out. You'd have to use the whole screen just to write it down, right here. There is no way an electronic box could crack that. And if Nine Ball has a box like that, it's more valuable than whatever it is they're gonna steal from The Metropolitan Museum.
I would probably say the first part, about the spear phishing, is extremely realistic, but then it kind of loses the realness. So I'm gonna average it at seven out of 10.
Rating: 7/10
"The Matrix Reloaded"
Elazari: I think it was the turning point, where Hollywood started showing realistic hacking. So, what we're seeing here is that Trinity is using Nmap, which is a legit network scanning and mapping tool that hackers use all the time. We also see her using something called SSH Nuke. So, SSH Nuke refers to "secure shell." And SSH Nuke is, according to the movie, basically an attack against the SSH service, where she's taking advantage of a specific vulnerability. And it's even telling us it's attempting to exploit SSH version one, CRC 32. So, this was a real-world vulnerability in SSH that was only discovered maybe about a month before this film went to set. So as somebody was working on the screenwrite, as they were in preproduction, this vulnerability in that piece of code was discovered, and they already featured it in the movie, which I think is extremely timely, extremely accurate.
The only tiny element here that isn't that realistic is that she is resetting the password. If she successfully exploits that vulnerability, the exploit would give her root privileges. She wouldn't necessarily have to reset the password.
There is no way she could hack like that and not make a ton of typos. All the hackers know you need fingerless gloves to type fast.
I'm gonna rate this scene at 9.5 out of 10. And I'm taking away half a point just because of the gloves, girl.
Rating: 9.5/10
"The Girl With The Dragon Tattoo" (2011)
[keypad beeping]
[door buzzing]
Elazari: So, Lisbeth here is doing the groundwork. She is casing her target. What she's doing is basically hanging out and catching, hearing the code as it's being touched in the keypad. And it sounded like one, two, one, two, which looks like what she's pressing. So, in the real world, it's not that difficult to understand what the different digits sound like if you train your ear to it.
She's not gonna mess around with it. She's not gonna plug her computer and be seen doing all kinds of nefarious things. She's gonna take photos, get out of there, and then analyze those photos to see exactly what the hardware setup is, what the router is, what the type of communication setup is in that apartment building. And then she procures a specific device from one of her fellow hackers. I think that's very realistic. Looks like a, you know, a hacker space. Looks like a lot of places I've visited, definitely.
The device itself, it's hard to say exactly what it is. We see that it's a Nokia. This might be in reference to something called the Nokia N900, which used to be known in hacker circles as the pwn phone. And it was a phone that was used primarily for wireless-network hacking. However, it didn't look exactly like this, so this might be a specialized device. It might be a tablet that's got both a cellular connection and a network interface.
It might be something similar to this. The device she's using in the movie is a little bit dramatized. It's a device that you can plug into the ethernet. That's where you put in the network connection. And it also has room for a SIM card. So, you put in a SIM card, it's got a cellular uplink, and you plug it into the wall. It's actually designed to look like an air freshener. And if I was doing a security assessment, I would sneak in, just like Lisbeth does, I would plug this into the electricity, into the network, and then I would use this other connection to, basically, from my remote hacker hideout, to plug in, call up this bad boy, and run some network assessments, see what I can sniff, see what I can capture on that network.
So, based on what we just saw, I'm gonna give it 10 out of 10. It's a very realistic scene.
Rating: 10/10
"The Social Network" (2010)
Mark: Billy Olson's sitting here and had the idea of putting some of the pictures next to pictures of farm animals and have people vote on who's hotter.
Elazari: So, apparently Mark Zuckerberg indeed live blogged everything that's going on in this scene, when he created his Facemash. So everything that he's writing I'm gonna assume the screenwriters grabbed from his actual blogs.
Mark: A number to represent each person's hotness like they do on hotornot.com.
Elazari: A website called Am I Hot or Not was around. It was very popular.
Mark: Unfortunately, Harvard doesn't keep a public centralized facebook, so I'm going to have to get all the images from the individual houses that people are in.
Elazari: So, he has to tweak his script or has to tweak his process to match the specific houses, which is very realistic. Even today, academic institutions' internal webpages are a spaghetti of different types of code bases and servers.
Mark: They require a username/password.
Elazari: For one of the houses, he is required to provide a username and password. And the movie shows us for a split second that he's got the mzuckerberg login, but then we see he logs in with another username, called bolson. This is a hack. This is a moment where he uses somebody else's access. And that would be, you know, probably against the Computer Fraud and Abuse Act. Certainly against the Harvard rules of engagement.
Mark: Dunster is intense. Gonna be difficult. I'll come back later.
Elazari: This is very realistic. If there's one that poses an additional layer or additional challenge, we won't spend too much time on it. We will circle back and get back to it. And this is also what the criminals do. They go for the low-hanging fruits. They go for the easier targets first, and only later or if they're trying to achieve a very specific goal, they would go for the target that's even marginally harder. You want to have that additional layer of effort for the bad guys to get in.
Mark: To break out Emacs and modify that Perl script.
Elazari: And the movie represents it as if it all took place over one drunken evening, where in the real world it took him at least a couple of nights. He was obviously very capable with what he was doing, but these are no zero-day exploits. These are not novel, innovative attacks that we've never seen before. Basically, he is automating the process of grabbing images from web servers. So, something quite simple. I would give it nine out of 10. I think the only unrealistic elements here is basically the fast-forward that they did to make everything happen within one dramatic evening.
Rating: 9/10
"The Fate of the Furious" (2017)
Cipher: Hack them all.
[keyboard clicking]
[engine starting]
Elazari: This hack is actually based on a real-world hack that was demonstrated about a year before this movie came out. So, back in 2015, Charlie Miller and Chris Valasek demonstrated that they can remotely hack a 2014 Jeep Cherokee using the infotainment system.
[tires screeching]
I don't think it would have been realistic in 2016. It might not even be realistic today for a hacker to be able to get into a lot of different makes and models of cars. Even the best automotive-security researchers would struggle with remotely turning on the ignition for a car that doesn't already have a feature like that built in. However, in the future, we are gonna see cars that are much more connected than ever before. This could be a very scary, realistic scenario.
They are using, I guess, unlimited computing power to coordinate the movements of all of these vehicles. If you think about it, even if you have remote control of a vehicle's steering, you would still need to have a satellite view of where all the cars were going and to somehow coordinate all of them to make them all go the same direction or where you want them to hit.
So let's go for seven out of 10. I'm taking away points for how easy everything is. Cipher already has everything set up, all she has to do is click on a tablet.
Rating: 7/10
"Wargames" (1983)
Elazari: I have definitely done that in the past. So, looking for a note, looking for a piece of paper that's gonna have the password for the system that you want to access. People write down their passwords, but even further than that, people recycle their passwords. I just have to go to some of the many databases of leaked passwords, and I can easily find that you had five or six different accounts where you used the same password, so I'm gonna bet that you're gonna use that same password or a very close variation of it for a lot of your other online services. And hackers do this all the time. It's called credential stuffing, and we're just going to stuff them and try and see if any account, any system lets us log in.
It's super easy for hackers to look over your social-media posts, or maybe even when you're on a Zoom call, and you've got that Post-it with a password just behind you there. So you want to enable things like two-factor or multifactor authentication. And sometimes that additional layer of security could also be biometrics.
Good scene. Gets 10 out of 10 for accuracy. I've done it myself.
Rating: 10/10
"Star Trek: Discovery" S2E8 (2019)
Airiam, how we are doing on that data core audit?
Airiam: The probe used multiple SQL injections, but I've yet to find any compromised files. This is terrible! This is horrendous. So, I gotta tell you, when I first saw this show, I shut down my TV that very second.
To think that a space probe in the future, in space somewhere, would use something like an SQL injection to attack a Federation spaceship. So, SQL injections are something that hackers use nowadays. You're banking on the fact that the SQL server is going to run whatever you input. And this is ironic because SQL was first created in the 1960s or 1970s, so maybe the writers of the show are basically telling us that we're stuck with SQL for the foreseeable future.
I give it one out of 10.
Rating: 1/10
So, they log on to our boxes, and our boxes log on to the real WiFi? Between everyone's device --
Elazari: The scenario that's described in the scene is very realistic, and they're using a real-world device, a WiFi Pineapple made by Hak5. What I got over here is the WiFi Pineapple Nano, which is a much smaller version of the routers that they used in the show. And it's designed to be very sleek, so you could walk around with something like this in your backpack, and nobody would be the wiser. So any phones or computers walking around the vicinity of a device like this would be logging on to this instead of the legitimate access point that they think they are logged on to. And they wouldn't be able to tell the difference.
So we show them a fake landing page and force everyone to download a doctored version of the Hooli-Con app.
Elazari: The second part of the hack is also realistic. They're using their control of the WiFi to point people to a website they control made up to look like the Hooli Conference website.
I would rate this at 10 out of 10.
Rating: 10/10
"Jason Bourne" (2016)
Elazari: I highly doubt that the CIA would have servers that would be accessible over the internet. While she's on that server, all the files are organized really neatly in cool folders with all of the covert projects' names. Now, this may seem unrealistic, but actually, a year after this film came out, we actually saw something called Vault 7, which was featured by WikiLeaks, which was an actual leak from the CIA. And they did have a lot of their covert operations, including their hacking tools, organized in files and folders like that.
It doesn't look like any security-monitoring tool that I know. However, what's probably happening here is that Nicky is using a backdoor that somebody has already set up from inside the CIA. So, basically, Nicky's computer is sending packets to specific ports on the CIA's computer, and after a specific sequence, so a packet's sent, let's say, to port 7,000, port 8,000, port 9,000, the CIA's computer accepts that as a secret handshake and opens up a connection from inside the CIA to Nicky's computer. This is a realistic capability.
Agent: Where's that trace --
Agent: Unknown user.
Elazari: Again, they're using a basic capability. Traceroute is something that even your Windows computer could do, any Unix computer could do, but the CIA has that added extra stuff they put in there that's gonna correlate it not just to a physical location somewhere in the world, but also to the accurate GPS coordinates.
Agent: Sakov's hacking camp.
Elazari: So, it's remarkable the CIA instantly knows that location, they know it's a hacker space, they know all the hackers in the world, and they know where they live. Kill the power to the building. You know, this is not a capability that an intelligence agency is gonna flaunt, if they have such a capability, to remotely kill the power to a specific building. When hackers hacked the electricity system in Kiev in the Ukraine in 2015, and then again in 2017, they took down the power for chunks of the city, and it took them months to set up that hack. I don't know if this is something that could be realistically done in such a targeted manner, to one house in particular.
We see IP addresses that are simply impossible. For example, an IP address that begins with 300. So, IP addresses are made up of four octets, four segments. Each octet has three digits. The digits, of course, could be zero. So it could be anything from zero to 255. Anytime in the movies you see an IP address that starts with -- you know, that's, like, 257, it's bogus. It doesn't exist in the real world.
[computer beeping]
If I'm hacking, I will probably have some tools that are gonna alert me if my computer is being scanned or tracked, but it would not look like this.
I'm gonna give it a six out of 10 rating. They did include some very realistic things, but bogus IP addresses, that's not gonna fly.
Rating: 6/10
"Hackers" (1995)
Elazari: OK, so "Hackers" is my ultimate, all-time-favorite hacker movie. It's the reason I chose to become a hacker in the first place. This is what it looks like when somebody is analyzing a piece of code. An entire night goes by. A montage passes us by. He needs all that time, and he's got friends, and they're, you know, eating cold pizza, drinking warm energy drinks. That's the hacker menu I grew up on.
Dade: This is every financial transaction Ellingson conducts, yeah?
Elazari: Now we actually see hexadecimal on the left, and to the right, the ASCII characters, or the financial transactions that the hex code would actually represent in the Ellingson Corporation's computer systems. So this is fairly realistic. The antagonist is using the Da Vinci virus. They basically created a very disruptive virus that's threatening to capsize the Ellingson Mineral Corporation's oil tankers if it's not paid a million dollars. Mind you, this is the first case of ransomware that Hollywood has ever depicted, before ransomware became a thing in the real world. Nowadays, we have a lot of attacks like this, where criminals take over your computer system and request a payment in order to decrypt the files and give you back access to your systems. So while it wasn't accurate back when the film took place, in the '90s, I think it really predicted the future.
I would love to give this 10 out of 10. I'm gonna take away two points, a couple of points, just because we don't actually see any of the software code.
Stop recycling your passwords! It's not a good kind of recycling. Don't do it. In fact, I got a T-shirt somewhere that says, "Hackers don't break in. We log in." And that's fairly accurate.