SecureState Blog


Completely Fake or Based in Reality?

Released today, the movie Blackhat centers on several cyber-attacks perpetrated against a Chinese nuclear facility and the stock market, and on the hunt for the perpetrator of those attacks by Chinese and American law enforcement agencies. As with many movies centering on hackers and cyber security, expectations for accuracy were fairly low among experts in the field. We at SecureState decided to watch the movie and note any of the ridiculous inaccuracies here. Be forewarned, there are some minor spoilers ahead.

Inaccuracies

Surprisingly, there weren’t many. Certainly nothing anywhere near as egregious as Swordfish. Some of the more glaring inaccuracies we noticed in Blackhat were:

The Yubikey


Early in the movie, as the investigators are looking into a compromised data center, the security guard at the center shows them a small keychain device, explaining that the device scans his thumbprint to authorize his access to the center. One of the SecureState consultants watching the movie happened to have that exact same device in his pocket (though the one in the movie was painted white). This device, known as a Yubikey, is indeed used to grant access to a system, but it does so by generating a one-time passcode, not by taking a thumbprint.
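To show what the device in that scene actually produces, here is an added example (ours, not SecureState's code and not Yubico's software) that parses the one-time passcode a Yubikey types when its button is pressed. The device presents itself as a USB keyboard and emits a string in "modhex", a 16-character alphabet chosen to survive keyboard layouts; the first 12 characters are the key's public identity and the remaining 32 are an AES-encrypted token that only a validation server holding the key's secret can check. The OTP below is a constructed sample, not one captured from a real key.

```python
# Parse a Yubico OTP into its public-ID and encrypted-token parts.
# Added educational example; the OTP string is constructed, not captured.

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # modhex digit i is encoded as alphabet[i]
_MODHEX_VALUE = {ch: i for i, ch in enumerate(MODHEX_ALPHABET)}

# Fixed layout of a Yubico OTP: 32 modhex chars of ciphertext (16 bytes),
# preceded by a public ID of 0-16 modhex chars (12 is the factory default).
TOKEN_CHARS = 32
MAX_PUBLIC_ID_CHARS = 16


def modhex_decode(text):
    """Decode a modhex string to bytes; every character must be in the alphabet."""
    if len(text) % 2 != 0:
        raise ValueError("modhex input must have an even number of characters")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in _MODHEX_VALUE or lo not in _MODHEX_VALUE:
            raise ValueError("character outside the modhex alphabet")
        out.append((_MODHEX_VALUE[hi] << 4) | _MODHEX_VALUE[lo])
    return bytes(out)


def parse_yubico_otp(otp):
    """Split an OTP into its public ID and encrypted token.

    Returns a dict with raw bytes for each part. The token is still
    AES-encrypted: decrypting and checking its counters and CRC is the
    validation server's job, so this function deliberately stops here.
    """
    otp = otp.strip().lower()
    if len(otp) < TOKEN_CHARS or len(otp) > TOKEN_CHARS + MAX_PUBLIC_ID_CHARS:
        raise ValueError("OTP length outside the 32-48 character range")
    public_part, token_part = otp[:-TOKEN_CHARS], otp[-TOKEN_CHARS:]
    return {
        "public_id": modhex_decode(public_part),
        "token": modhex_decode(token_part),
    }


# Constructed sample: a 12-char public ID of all "c" (six zero bytes) followed
# by 32 chars that spell out the modhex alphabet twice as the "ciphertext".
SAMPLE_OTP = "cccccccccccc" + "bcdefghijklnrtuv" * 2


if __name__ == "__main__":
    parsed = parse_yubico_otp(SAMPLE_OTP)
    print("public id:", parsed["public_id"].hex())
    print("token    :", parsed["token"].hex())
```

The public ID is the only part a relying party can read without the secret; it is what a directory would use to map a keypress to a person, which is also why the key on its own proves possession of the device, not who is holding it.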

“autorun.inf”

When the investigators examined the files used by the Yubikey, they found that the device executed an “autorun.inf” file when plugged into a computer. While the general idea (plugging in a USB device to run a piece of malicious code) is perfectly accurate, “autorun.inf” is a mechanism that hasn’t been actively used for years, and it probably wouldn’t run on the computers in the data center.

“Route encrypted without an IP address”

One of the investigators in the movie says that the attacker is encrypting the route for the attack, leaving it with no IP address at all. Simply put, this is impossible. Traffic may be routed through any number of proxies, but the IP address will never disappear entirely.

Impossible IP addresses

Several times throughout the movie, IP addresses are shown on screen that are actually impossible. That being said, it’s not difficult to imagine this is similar to how movies have used 555 phone numbers for years to avoid real numbers being used.

C++ comments in gibberish code

At one specific point in the movie, several investigators are looking over the code for some malware. The code on screen plainly looks like it has not been decrypted, yet mixed in with it are clearly written comments in plain English following a //. The double slash is the comment syntax for C++, which the code on the screen was not at all.

Misidentified IP address

This is probably the most obvious error in the movie. One person points to a hostname and says that it is the IP address of the attacker’s host server. A hostname and an IP address are not the same thing, so that one is pretty blatantly wrong.
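The two IP-address slips above (impossible addresses on screen, and a hostname called an IP address) come down to the same check an analyst does by eye. As an added example, not from the original post, the function below classifies a string as a well-formed IPv4 address, an "impossible" dotted quad (the screen equivalent of a 555 number, where an octet exceeds 255), a syntactically valid hostname, or none of the above. The sample inputs are constructed using the RFC 5737 documentation range and an example.net name; the post does not say which addresses appeared in the film.

```python
# Classify tokens as IPv4 address, impossible dotted quad, hostname, or invalid.
# Added educational example; sample tokens are constructed, not from the movie.
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with "-".
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ascii_digits(text):
    return text != "" and text.isascii() and text.isdigit()


def is_dotted_quad(text):
    """Four dot-separated groups of ASCII digits, with no range check."""
    parts = text.split(".")
    return len(parts) == 4 and all(_is_ascii_digits(p) for p in parts)


def is_valid_ipv4(text):
    """Strict IPv4 literal: four octets 0-255 with no leading zeros."""
    if not is_dotted_quad(text):
        return False
    for part in text.split("."):
        if len(part) > 1 and part[0] == "0":   # "01" is ambiguous, reject it
            return False
        if int(part) > 255:
            return False
    return True


def is_valid_hostname(text):
    """RFC 1123-style hostname; an all-numeric name is not a hostname."""
    if len(text) > 253:
        return False
    name = text[:-1] if text.endswith(".") else text   # allow a trailing dot
    labels = name.split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    return not all(_is_ascii_digits(label) for label in labels)


def classify(token):
    """Return one of "ipv4", "impossible-ipv4", "hostname", "invalid"."""
    token = token.strip()
    if is_valid_ipv4(token):
        return "ipv4"
    if is_dotted_quad(token):
        return "impossible-ipv4"      # right shape, but an octet is out of range
    if is_valid_hostname(token):
        return "hostname"
    return "invalid"


# Constructed samples: documentation address, an out-of-range quad, a name.
SAMPLES = ["192.0.2.44", "355.12.0.1", "c2.example.net", "-bad.example", "1.2.3"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:>16}  ->  {classify(sample)}")
```

Running it over the samples labels 192.0.2.44 as an address and c2.example.net as a hostname; a scene that called the latter an IP address would fail the same check.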

As you can see, most of these inaccuracies are not particularly major, and unlike those in many movies concerning cybercrime, they did not drastically affect the plot.

Accuracies

In fact, most of the movie was fairly accurate about the methods and techniques used to perpetrate cybercrimes. Some of the more interesting accurate moments in the movie included:

Publicly available malware

In many attacks, the attacker uses a piece of publicly available code, modified in specific ways for that attack. The attack in Blackhat is originally carried out using a piece of malware written by the protagonist of the movie, then modified by the attacker.

Remote Access Tool

The attack in the movie uses a Remote Access Tool, or RAT, to get onto a system and download a payload, which is the malware that actually performs the attack. This is commonly how real-world attacks occur: a small piece of software acts as the RAT and downloads the actual malware that attacks the target.

Social engineering techniques

At several points in the movie, the investigators use social engineering techniques to gain access to restricted systems. The first instance of this involves convincing someone with access to the restricted system to download a .pdf file, which then installs a keylogger on the system. While the person who does this is a bit goofy (one would think higher-ups in the NSA would know not to download suspicious files from emails), the technical aspect of it is entirely accurate and a common method for gaining access. Similarly, a later social engineering attempt involves getting a person to print a file from a USB device, which is another common attack method used in the real world.

Strong passwords

Though the NSA employee falls for an easy social engineering attack, the password he uses is shown to be genuinely strong, with multiple special characters and considerable length.

Overall Conclusion: Fantasy or Reality?

Though the plot of Blackhat takes some typical Hollywood thriller leaps, from a technical standpoint the movie is fairly accurate. As noted, most of the inaccuracies in the movie were small and specific, and for the most part the movie reflected real technologies and techniques used in cyber security.